General Security Guidelines, Requirements and Recommendations
In addition to the guidelines for security threats and business security, you also need to comply with the following guidelines, requirements and recommendations.
You should comply with AML and anti-terrorist financing regulations, and relevant laws and regulations to conduct code-scanning payment business. For cross-border payment scenarios, you should also comply with local legal and regulatory requirements.
Whether directly generating or entrusting a third-party to generate the barcode, Acquirer should ensure that the code generation process conforms to local security regulations and industry standards.
For sanctioned regions and regions where local regulations and laws restrict code-scanning payment business, it is prohibited to conduct barcode related business without the approval of local regulator.
Identity and eligibility
Digital Wallets should verify their users identity by using authentication methods, including but not limited to password, biometrics, digital certificates, and so on.
Acquirers should verify their merchants identity and business qualifications to ensure that code-scanning payment services for merchants comply with local laws, regulations and regulatory requirements. The merchant must provide authentic business information, such as business licence and the code usage, to Acquirer for verification. In addition, for restricted or high-risk merchants, Acquirer should have the capability to manage the transaction authenticity, such as setting up a blacklist.
Risk management requirements
In order to identify and analyze risks, you need to meet with the following requirements:
- Establish a comprehensive risk management system to enhance risk analysis capabilities based on the risk rules and models, the results of which can directly affect the business process.
- Identify risks for abnormal behaviors such as batch or high-frequency login, by information, such as IP address, terminal device identifier, and take actions for verification.
- Locate information, such as the institution, account, and equipment by bar code values and carry out risk management based on the information in the transaction process.
In order to assess and dispose of risks, you need to meet with the following requirements:
- Evaluate and classify risks by a combination of qualitative and quantitative calculation methods.
- Set up risk disposal mechanism based on the risk assement to reduce the real-time risks such as transaction rejection, and privildege limitation.
- Set daily cumulative transaction limits according to the user authentication assurance level for the user and the merchant's risk level and transaction type for the merchant.
- Prevent transaction risks in the risk monitoring system, such as transaction blocking, and contacting customers for verification.
In addition, you are also recommended to provide code security education to users, which may contain the following information:
- Promote code-scanning payment security knowledge to customers to improve safety awareness of the customers.
- During the payment process, clearly disclose potential security risks and countermeasures to customers.
- Enhance education of protection and management of sensitive information such as transaction passwords and user bio-information.
- Disclose the risks of static bar codes and the countermeasures to merchants.