Jul 12, 2016 07:18 PM

Central Bank Issues New Guidelines to Improve Safety of Online Payments

(Beijing) – The central bank has tightened regulations governing third-party payment services, requiring them to conduct multiple identity checks on users and adopt a technology that can better prevent leaks of private bankcard information.

The People's Bank of China (PBOC) extended a deadline to November 1 for third-party payment services such as Alibaba's Alipay to provide at least two methods to verify a user's identity before making an online payment, the central bank said in a recent document viewed by Caixin that was distributed to banks and companies licensed to process online payments.

At present, when users make a payment through a third-party payment service, they need to enter a password and a one-time confirmation code sent to their mobile phones to verify their identity. The central bank issued a guideline in December telling these companies to start providing more than one method to verify a user's identity before July 1, but a Caixin reporter found that most services had not changed their authentication process even after the deadline had lapsed.

The new regulation also requires payment companies to use a technology called "tokenization" starting December 1. Previously, a user's bankcard information was held by a third-party payment service, but after this new security standard takes effect, China's bankcard association, or UnionPay, would embed credit or debit card information entered by users in a secure digital token, according to the document.

Market analysts say this approach is one of the most effective ways to protect personal information submitted when making online payments because a user's bank information has been encrypted and stored in a digital token instead of being saved on a computer or mobile phone.

This technology was developed by EMVCo, an organization established by credit card networks that set standards for the industry globally, and it is used by Apple Inc.'s third-party payment service called Apple Pay, which was rolled out in China in February.

Leaks involving payment data held by third-party platforms have been a concern for Chinese regulators. Information related to more than 10 million bankcards kept by a payment company was leaked in January 2015, causing losses of nearly 40 million yuan over the next six months after criminal groups used the account information to forge bankcards and withdraw money, central bank experts said in an internal report that Caixin has read. The report did not name the payment company.

In 2014, the central bank told Alipay and Tencent's Tenpay to suspend handling payments through quick response (QR) codes – a type of barcode that consists of black square dots that can be scanned using a phone's camera – on the grounds that this method was not safe.

However, Qiao Xin, an executive at state-owned telecom company China Potevio Co. Ltd., said whether or not QR technology is safe depends on the software used to encrypt the data.

So far, the central bank has issued 267 licenses to companies allowing them to offer third-party payment services.

If payment companies fail to meet requirements as per the deadlines given in the new guidelines, the PBOC will warn these companies and eventually revoke their licenses, the document said.

(Rewritten by Chen Na)

Copyright © 2019 Caixin Global Limited. All Rights Reserved.