Security Guidelines

Risks to UPM and mitigations

Overview

Security risks to UPM are categorized according to the lifecycle of the Payment Codes, including the following stages:

  • Code generation and storage
  • Transaction processing
  • Message transmission

The following figure depicts the security-risk stages of the Payment Codes lifecycle:

Figure 1. Security risks to UPM

Recommended countermeasures are provided to mitigate the risks identified in each stage.

Code generation and storage

Risk #1:

When a user displays the code on a mobile device, it can be captured and used without authorization by an attacker, malicious apps, or malicious merchants.

Recommended countermeasure:

Dynamic barcodes and/or QR codes should be used. A code should be valid only for a specific period after it is generated, and the app should automatically refresh it within that time frame.

The app should prevent users from capturing screens while the code is displayed, for example by presenting a warning message or a screen-protection page.

Risk #2:

The code value generation and verification processes are exposed to brute force attacks.

Recommended countermeasure:

To resist brute force attacks, the code value generation and verification processes should check information about the user account, the device, and the merchant.

The Digital Wallet should be able to detect and block automated (bot) attacks, for example by limiting the frequency of code-parsing requests.

Risk #3:

The Payment Code is not correctly associated with the User, so the payment transaction fails.

Recommended countermeasure:

Digital Wallet should ensure that the barcode and/or QR code generated for a User is associated with the User's payment account.

Risk #4:

Sensitive information is contained in the Payment Code and obtained by attackers and used for malicious purposes.

Recommended countermeasure:

The generated barcode or QR code should not contain sensitive information about the User or the payment account, including but not limited to the User's mobile phone number and date of birth.
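The four countermeasures above (time-limited dynamic codes, account/device binding, correct account association, and no PII in the code) can be seen together in one code value format. The following Python sketch is an added example and is not code from Alipay+ or from this page: the signing key, the dot-separated token layout, the opaque account token and the 60-second lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed wallet-side signing key (constructed for this example). In a real
# Digital Wallet it would live in an HSM/KMS and never in source code.
WALLET_KEY = b"constructed-demo-key-not-for-production"
CODE_TTL_SECONDS = 60  # a code is accepted only within this many seconds of generation


def _tag(account_token: str, device_id: str, issued: str, nonce: str) -> str:
    """HMAC over everything the verifier will check, so no field can be swapped."""
    msg = "|".join((account_token, device_id, issued, nonce)).encode()
    return hmac.new(WALLET_KEY, msg, hashlib.sha256).hexdigest()[:32]


def generate_code(account_token: str, device_id: str, now: Optional[int] = None) -> str:
    """Build a dynamic code value bound to an opaque account token and a device.

    The value carries only the opaque token, the issue time, a random nonce and a MAC.
    The wallet maps account_token to the payment account server-side (Risk #3);
    no phone number, date of birth or other PII is encoded (Risk #4).
    """
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)  # fresh per code, so each refresh yields a new value
    tag = _tag(account_token, device_id, str(issued), nonce)
    return f"{account_token}.{issued}.{nonce}.{tag}"


def verify_code(code: str, device_id: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Check integrity, device binding (Risk #2) and freshness (Risk #1).

    Returns (True, account_token) on success, otherwise (False, reason).
    """
    parts = code.split(".")
    if len(parts) != 4 or not parts[1].isdigit():
        return False, "malformed"
    account_token, issued_s, nonce, tag = parts
    expected = _tag(account_token, device_id, issued_s, nonce)
    # Constant-time comparison: an early-exit string compare would leak the tag.
    if not hmac.compare_digest(expected, tag):
        return False, "bad-mac"
    age = int(now if now is not None else time.time()) - int(issued_s)
    if age < 0 or age > CODE_TTL_SECONDS:
        return False, "expired"
    return True, account_token
```

The device identifier is not embedded in the code value; the verifier supplies it from the session that presents the code, so a value captured from one device cannot be verified from another, and a captured value stops working once the time window passes.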

Transaction processing

Risk #1:

The User or Merchant attempts to make repeated payments because they are unsure whether the payment succeeded.

Recommended countermeasure:

After the payment transaction is completed, both the merchant acceptance terminal and the user's mobile terminal should display the payment result. If the payment fails, the reason for the failure should also be displayed.

Message transmission

Risk #1:

“Man-in-the-middle” attack, that is, attackers modify transaction messages for malicious purposes.

Recommended countermeasures:

Security methods such as digital signature and encryption should be adopted to protect the sensitive information enclosed in the transaction message.

Security protocols and strong encryption algorithms should be adopted to secure transaction communication links, and security protocols should be updated to the latest stable versions promptly.

Risk #2:

Replay attack, that is, attackers resend a previously successful transaction message to request the same payment transaction several times.

Recommended countermeasure:

The transaction message should contain dynamic parameters such as a random number, timestamp, or one-time session token, to prevent replay attacks.
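The following Python example, added here and not part of the Alipay+ guideline, shows both message-transmission countermeasures from the receiver's side: a MAC over the canonical message body detects modification in transit (Risk #1), and a timestamp window combined with a cache of recently seen nonces rejects a resent message (Risk #2). The shared link key, the field names and the 120-second acceptance window are assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Assumed shared link key (constructed for this example); in practice each link
# would use its own key, or asymmetric signatures with certificate-based trust.
LINK_KEY = b"constructed-link-key"
ACCEPT_WINDOW = 120  # seconds a message timestamp may differ from receiver time


def _canonical(fields: Dict) -> bytes:
    # Sorted keys and no whitespace: sender and receiver sign byte-identical input.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: Dict, nonce: str, ts: Optional[int] = None) -> Dict:
    """Attach the dynamic parameters (nonce, timestamp) and a MAC over the whole body."""
    body = dict(payload, nonce=nonce, ts=int(ts if ts is not None else time.time()))
    body["sig"] = hmac.new(LINK_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


class ReplayGuard:
    """Receiver-side check: verifies the MAC, the timestamp window and nonce uniqueness."""

    def __init__(self) -> None:
        self.seen: Dict[str, int] = {}  # nonce -> timestamp, kept for ACCEPT_WINDOW

    def accept(self, msg: Dict, now: Optional[int] = None) -> Tuple[bool, str]:
        current = int(now if now is not None else time.time())
        unsigned = {k: v for k, v in msg.items() if k != "sig"}
        if "nonce" not in unsigned or "ts" not in unsigned or "sig" not in msg:
            return False, "malformed"
        expected = hmac.new(LINK_KEY, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg["sig"])):
            return False, "bad-signature"  # body altered in transit (Risk #1)
        if abs(current - int(unsigned["ts"])) > ACCEPT_WINDOW:
            return False, "stale"  # outside the window: old message or clock problem
        # Forget nonces older than the window; a message that old is rejected as stale anyway.
        self.seen = {n: t for n, t in self.seen.items() if current - t <= ACCEPT_WINDOW}
        if unsigned["nonce"] in self.seen:
            return False, "replay"  # same message submitted again (Risk #2)
        self.seen[unsigned["nonce"]] = int(unsigned["ts"])
        return True, "ok"
```

The timestamp check keeps the nonce cache bounded: only nonces inside the window need to be remembered, because anything older is already rejected by the window check. In a clustered receiver the cache would have to be shared (for example in a central store) or the replay check is only per node.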

Risks to MPM and mitigations

Overview

Security risks to MPM are categorized according to the lifecycle of the Collection Codes, including the following stages:

  • Code generation and presentation
  • Transaction processing
  • Message transmission (Communication)

The following figure depicts the security-risk stages of the Collection Codes lifecycle:

Figure 2. Security risks to MPM

Recommended countermeasures are provided to mitigate the risks identified in each stage.

Code generation and presentation

For MPM, the security risks in this stage are targeted at the ACQP side, and countermeasures are recommended to ACQPs.

Transaction processing

Risk #1:

The Collection Code contains a malicious URL directing to a phishing website or some other kind of malicious website.

Recommended countermeasure:

MPPs shall be able to recognize illegitimate Collection Codes and either reject them or prompt a warning message. For example, MPPs can maintain an allow list of legitimate Collection Codes. The payment application should not visit the URL contained in a Collection Code unless the URL is in the allow list or the user has confirmed it.
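One way to implement the allow-list check for URL-type Collection Codes, as an added Python example that is not Alipay+ code: the allowed hosts are constructed, and a real MPP would load them from managed configuration. The check requires HTTPS, normalises the host, and compares the whole host name exactly, so a host that merely starts with or contains an allowed name is not accepted automatically.

```python
from typing import Set, Tuple
from urllib.parse import urlsplit

# Constructed allow list of hosts this wallet will open from a Collection Code.
ALLOWED_HOSTS: Set[str] = {"pay.example-acquirer.com", "qr.example-bank.net"}


def collection_code_url_allowed(code_value: str, allowed: Set[str] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (True, host) if the URL may be opened automatically, else (False, reason).

    Anything that is not allowed should be rejected or shown to the user for
    explicit confirmation, never opened silently.
    """
    parts = urlsplit(code_value.strip())
    if parts.scheme.lower() != "https":
        return False, "scheme-not-https"
    # urlsplit's hostname drops any userinfo ("user@") and port and lower-cases the
    # name; a trailing dot is a valid but unusual FQDN form, so normalise it away.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no-host"
    # Exact match on the whole host: prefix or substring checks would accept a
    # host whose name merely begins with an allowed name.
    if host in allowed:
        return True, host
    return False, f"host-not-allowed:{host}"
```

A code value that is not a URL at all (for example a bare merchant identifier) fails the scheme check and therefore falls through to the reject-or-confirm path, which is the safe default for an unknown format.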

Message transmission (Communication)

The risks and countermeasures are the same as for UPM.

Recommendations to both UPM and MPM

Compliance

To conduct code-scanning payment business, MPPs should comply with AML (anti-money laundering) and CTF (counter-terrorist financing) regulations, and other relevant laws and regulations.

Whether directly generating or entrusting a third party to generate the barcode or QR code, MPPs should ensure that the code generation process conforms to local security regulations and industry standards.

For cross-border payment scenarios, MPPs should also comply with relevant local legal and regulatory requirements.

For sanctioned regions and regions where local regulations and laws restrict code-scanning payment business, such business should not be conducted without the approval of the local regulators.

Identity and eligibility

MPPs should verify their users' identities by using authentication methods, including but not limited to passwords, biometrics, and digital certificates.

Risk management

To identify risks, MPPs should take the following measures:

  • Enhance risk analysis capabilities based on risk rules and models.
  • Identify risks of abnormal behaviors such as batch or high-frequency login, and take action for verification.
  • Obtain information such as the institution, account, and device from the code values contained in the transaction process.

To assess and dispose of risks, MPPs should take the following measures:

  • Evaluate and classify risks by a combination of qualitative and quantitative calculation methods.
  • Set up risk disposal mechanisms, such as transaction rejection and privilege limitation, based on the risk assessment to reduce real-time risks.
  • Set daily cumulative transaction limits for the merchant according to the merchant's risk level and transaction type.
  • Mitigate transaction risks through the risk monitoring system, for example by blocking transactions and contacting customers for verification.
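The high-frequency login detection listed here and the limit on code-parsing request frequency recommended for UPM code generation reduce to the same sliding-window check, so one example serves both. The following Python example is added here and is not Alipay+ code; the thresholds and the event stream are constructed, and a real MPP would feed it from its own authentication and code-parsing logs.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

Event = Tuple[int, str, str]  # (timestamp in seconds, event type, subject)

# Per event type: (max events allowed, sliding window in seconds). Constructed values.
THRESHOLDS: Dict[str, Tuple[int, int]] = {
    "login": (5, 60),        # more than 5 logins per minute per account is abnormal
    "code_parse": (30, 60),  # more than 30 code-parsing requests per minute per caller
}

# Constructed event stream standing in for application logs (not real data).
SAMPLE_EVENTS: List[Event] = (
    [(t, "login", "acct-1") for t in range(6)]                   # 6 logins in 6 seconds
    + [(10, "login", "acct-2"), (70, "login", "acct-2")]         # normal usage
    + [(t, "code_parse", "merchant-9") for t in range(31)]       # 31 parses in 31 seconds
    + [(t * 3, "code_parse", "merchant-3") for t in range(25)]   # 25 parses over 72 seconds
)


class FrequencyMonitor:
    """Sliding-window counter keyed by (event type, subject)."""

    def __init__(self, thresholds: Dict[str, Tuple[int, int]]) -> None:
        self.thresholds = thresholds
        self.windows: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)

    def observe(self, ts: int, event_type: str, subject: str) -> bool:
        """Record one event; return True if it pushes the subject over its threshold."""
        if event_type not in self.thresholds:
            return False  # no rule for this event type
        limit, window = self.thresholds[event_type]
        q = self.windows[(event_type, subject)]
        while q and ts - q[0] >= window:  # evict timestamps that left the window
            q.popleft()
        q.append(ts)
        return len(q) > limit


def flag_subjects(events: Iterable[Event], thresholds=THRESHOLDS) -> Dict[Tuple[str, str], int]:
    """Replay events in time order; map each flagged (type, subject) to its first trigger time."""
    monitor = FrequencyMonitor(thresholds)
    flagged: Dict[Tuple[str, str], int] = {}
    for ts, event_type, subject in sorted(events):
        if monitor.observe(ts, event_type, subject) and (event_type, subject) not in flagged:
            flagged[(event_type, subject)] = ts
    return flagged
```

The same `observe` call works online, one request at a time, which is how a code-parsing endpoint would apply the limit before doing any work; the offline `flag_subjects` pass is the batch form used over historical logs to tune the thresholds. What happens after a flag (step-up verification, temporary rejection, privilege limitation) is the disposal mechanism chosen from the risk assessment above.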

Security education

MPPs are recommended to provide security education to their Users, such as:

  • Promote code-scanning payment security knowledge to improve awareness.
  • During the payment process, clearly disclose potential security risks and countermeasures.
  • Enhance education on the protection and management of sensitive information such as passwords and users' biometric information.