
Security considerations in the electronic payment process

In recent years, government departments have issued multiple documents to support the integrated development of electronic payment and e-commerce. In particular, the "Notice on Relevant Work on Promoting the Development of E-Commerce" issued by the National Development and Reform Commission and other departments on May 20, 2016 mentioned improving the e-commerce support system, promoting innovative applications of electronic payment, and vigorously developing mobile payment. On the one hand, as regulators have tightened their supervision of payment institutions, many payment institutions have been fined, and payment licenses have entered a "shuffle period". Existing payment institutions should strictly follow industry regulations to conduct business; on the other hand, as electronic payment application scenarios continue to expand, the security of electronic payment should also attract people's attention.

In a 2009 case involving a dispute over a network service contract between an e-commerce platform and a third-party payment platform, the country had not yet formulated national or industry standards for the payment business, so when a hacker attack occurred it was impossible to determine whether the parties had fulfilled their security obligations. Instead, the parties' responsibilities were determined based only on the agreement between them and the evidence each provided. In the end, the court held in the reasons for the judgment that the e-commerce platform has the responsibility to properly keep the merchant number and password. The third-party payment platform has a serious and prudent obligation to ensure the security of its own system and the confidentiality of information, and it has the responsibility to ensure that the design and operation of the electronic payment business processing system can avoid the leakage of electronic payment transaction data. As for whether the hacker attack on the payment platform was due to security risks in the electronic payment platform, the e-commerce platform, that is, the merchant, should bear the burden of proof.

Analyzing this case, the author found that the responsibilities of all parties were unclear because no clear electronic payment industry standards were issued at the time. Subsequently, the country successively issued network business specifications for non-financial payment institutions, which clearly stipulated the security of electronic payments.
First, account opening review. When a payment institution opens a payment account for a unit, it should require the unit to provide relevant supporting documents, and verify the customer's identity face-to-face, either independently or by entrusting a cooperative agency, or cross-verify the unit's basic information in a non-face-to-face manner through at least three legal and safe external channels. It should also strengthen the monitoring of fund transactions and continuous customer management for the use of personal payment accounts in operational activities. In addition, when a payment institution opens a payment account for an entity or individual, it shall sign an agreement with the entity or individual on the daily cumulative transfer limit and number of transactions between payment accounts, and between the payment account and the bank account. If the limit or number of transactions is exceeded, no further transfer business shall be performed.
Second, strengthen account monitoring. Payment institutions should strengthen the monitoring of bank accounts and payment accounts and establish and improve suspicious transaction monitoring models. Accounts and fund transfers that have suspicious transaction characteristics, such as concentrated transfers in and dispersed transfers out, should be included in suspicious transactions. For accounts listed as suspicious, the payment institution shall verify the transaction situation with the relevant units or individuals; if the payment institution still determines that the account is suspicious after verification, it shall suspend all operations in the account and submit a suspicious transaction report or a key suspicious transaction report in accordance with regulations; if illegal or criminal activity is suspected, it shall be reported to the local public security agency in a timely manner.
Third, transaction verification. Payment institutions can choose static passwords, securely certified digital certificates, electronic signatures, one-time passwords generated and transmitted through secure channels, and customer fingerprints for transaction verification.
Fourth, ensure that transaction information is authentic, complete, and traceable. If a payment institution cooperates with a bank to carry out bank account payment or collection business, it shall save the transaction channel, transaction terminal or interface type, transaction type, transaction amount, and transaction time, as well as the name and code of the special merchant that directly provides goods or services to customers and the merchant category code set in accordance with national and financial industry standards; the name of the payment customer, and the account number of the payment account or the name and account number of the bank where the bank account is opened; the identity verification and transaction authorization information of the payment customer; the identification that makes transactions effectively traceable; and the purpose and reason of payment for a single transfer of more than 50,000 yuan by a unit customer, etc., to ensure the authenticity, completeness, traceability and consistency of the transaction information throughout the payment process.

In short, based on the security issues that may arise in electronic payments, our country has established and improved a number of regulatory documents on security protection mechanisms. However, with the increase in electronic payment application scenarios, payment institutions should gradually improve electronic payment risk management mechanisms, establish electronic payment disaster backup mechanisms, etc., and improve the security level of the entire electronic payment system through innovative technologies and service models.
