Decoding QR Codes: Are they useful for merchant payments in emerging markets?

April 24, 2017 | Mobile Money | Global | Anant Nautiyal

QR codes are increasingly being adopted by merchants

Recently, QR codes—or Quick Response codes—have been adopted by a growing number of players to facilitate retail payments.[1] There are broadly two ways[2] in which QR codes can be used for payments.

In the first case, a merchant is given a designated QR code by their acquirer that is linked to their bank account in the backend. Customers must scan the QR code using the camera on their smart device and then enter the amount to be paid and their individual PIN in order to complete the transaction. An example of this method is SnapScan.

In the second case, customers use a company’s interface (a website or app) to select a product, which generates a transaction-specific QR code for the customer. The customer then uses the QR code to collect their purchase in store. These transaction-specific QR codes can also be used to offer loyalty points. An example of this method is the Starbucks app.

But are they well suited for payments?

A QR code is the trademark for a type of matrix (i.e. two dimensional) barcode and the technology was originally invented in 1994 in Japan as a way to track automobile components on the Toyota production line at high speed. In this functionality, QR codes remain highly relevant and continue to be used today for tracking of inventory, shipping, logistics, etc.

But are QR codes well suited to the needs of merchant payment transactions? To answer this question, let us consider two factors often cited in favour of QR codes:

User Experience: There is a general impression that QR codes provide a smooth customer experience. It is true that QR codes can be a quick way to skip the step where a payer has to enter the payee’s account details. By scanning a merchant’s QR code, for example, a customer automatically captures information regarding the merchant’s till number or bank account. However, the payer still must enter the amount to be paid and their security PIN.[3] [4] What then is the value of introducing a new technology that requires significant customer behaviour change and doesn’t really reduce that many steps in the user’s experience?[5]

The answer to the question can be debated, but it would be fair to say that QR codes do not offer a clear advantage over many other channels of payment (such as NFC tags, companion cards or even STK) when it comes to user experience for payments.

Merchant Device: Another positive impression that seems to persist about QR codes is that they can be used by a merchant to accept funds without the need for an acceptance device. Again, this does not present the full picture. It is true that merchants can accept payments via QR codes without a special device when the customer is prepared to scan the code of the merchant (as in the SnapScan example). However, in instances where the customer generates their own transaction-specific QR code from the merchant website or app (as with the Starbucks app), the merchant does need to have special device to scan the QR code when the customer picks up their purchase. Hence the assertion that the merchant does not need an acceptance device for QR code payments is, at best, a half-truth.

Security: Beyond just considerations of user experience and merchant device, there are also serious concerns around the security of QR codes and their susceptibility to fraud. Last month in China for example, criminals reportedly managed to steal $13m by defrauding QR codes[6]. Fraud techniques can range from sophisticated hacking attempts to simply sticking a fraudulent QR code on top of a genuine one (as it is difficult to make it out from the eye whether a QR code really does belong to a particular merchant).

QR codes are not a silver bullet for emerging markets

QR codes can convey the appearance of being a tech-savvy payment channel, offering a smooth customer experience and a low merchant adoption barrier. However, as this blog has attempted to show, this is a skewed image. QR codes do offer some relative strengths over other means of payments, but they also raise some questions.

Providers should exercise caution when considering QR codes for payments in their markets, and bear in mind that a technology originally intended for tracking components on an automobile production line in a developed market need not necessarily offer a silver bullet to solve the challenges of payments in developing countries.

 

  Model 1: Customer Scans Code Model 2: Merchant Scans Code
Who has the code Merchant has a designated code (e.g. SnapScan). Customer has a designated code (e.g. Alipay) or generates a transaction specific code (e.g. Starbucks app).
What the code contains Merchant payment details (static). Customer payment details (static) + specific transaction details (dynamic).
Customer experience Scans merchant code à Enters amount to be paid + PIN à makes payment.

 

(–) Does not significantly reduce steps compared to other channels e.g. STK.

Generates own QR code à Presents to merchant for scanning à makes payment.

 

(+) Can be a very smooth experience as money taken directly from account.

Merchant device Merchant does not need a special device to accept funds as customer scans code.

 

(+)  Can be a cost effective way to acquire merchants.

Merchant needs a special device to scan individual QR codes generated by customers.

 

(–) Can pose a significant barrier for merchant acquisition.

Security (–) Could be compromised by hacking or simply sticking fraudulent QR code on top of genuine one. (–) Could be compromised by hacking or simply sticking fraudulent QR code on top of genuine one.

 

Notes: 

[1] Last month, the Government of India launched the Bharat QR code in its push towards a cashless economy. SnapScan claims to have “over 25,000 merchants and a vast user network across South Africa.” In 2015, 16% of all Starbucks transactions happened through its QR code-enabled app. Other examples abound.

[2] Variants of these two broad methods also exist e.g. Alipay customers can generate an individual QR code linked to their source of funds, which in-store merchants can scan to accept payments. However, the principle remains the same: QR codes contain either the merchant’s or the customer’s payment (and sometimes transaction) details, and must be scanned by the customer or the merchant respectively to enable a transaction.

[3] See this SnapScan promotional video for the steps involved: https://www.youtube.com/watch?v=UP4eyKQPZdg

[4] In addition, a customer wishing to pay via a QR code also needs: A smartphone with an app that can scan QR codes; a steady hand to scan the merchant QR code; a working internet connection; and of course sufficient ambient light to scan the code.

[5] Even in a relatively simple STK-based merchant payments service like Safaricom’s Lipa Na M-Pesa, entering the merchant’s till number takes just a few seconds. It is a behaviour many mobile money customer populations are deeply comfortable and familiar with.

[6] https://www.techinasia.com/fake-qr-code-scams-china

 

 

8 Responses to Decoding QR Codes: Are they useful for merchant payments in emerging markets?

  1. Mworekwa says:

    Great analysis. For some reason my doubts with QR codes have been affirmed. I used it for web whatsapp n for online transactions but it only made online experience more tedious. Thanx for the submission. I hope many more will read and appreciate ur efforts.

  2. Javier says:

    Recently I used a bitcoin payments provider that generated a transaction specific QR code containing all payment info. only confirmation was required.

    • Anant says:

      Hi Javier, thanks for sharing that experience with us!

      Indeed, we recognise that transaction-specific QR codes do often carry all the information needed for the payment, and only require authentication. This is what happens in the case of the Starbucks example we used in the blog, but also, say, when an airline generates an online boarding pass with a QR code on it. However, our point was that in such cases, the merchant (the Starbucks barista or the airlines check-in staff) must have a special device to scan the code before handing over the purchase to the customer. The broader point was that QR codes are not entirely without the need for merchants to invest in some acceptance hardware. Would you agree?

      Thank you for your comment!

  3. Mike says:

    Security is key to the adoption of QR codes. Making/copying/modifying QR codes is simple and cheap and so the QR code per se cannot be considered secure in any way but then neither can magnetic strip cards or 16-digit numbers. The key is authentication which MUST BE DONE ON YOUR OWN DEVICE – i.e my mobile phone, my PIN, my fingerprint. And notification must be immediate. The example cited of a merchant not needing anything more than a static QR code is incorrect. At a minimum he needs a mobile phone to receive a SMS notifying him of transaction completion – he cannot rely on the customer’s word for it. In cases where there is no authentication required (e.g. Starbucks) it is easily demonstrable that a screenshot of the barcode is all that is necessary – I sent a snapshot of mine to my wife when she forgot her card and not only could she use it on that occasion but on any subsequent occasion. Just as well too much coffee is bad for you 🙂

    • Anant says:

      Hi Mike,

      Thanks for your interest in our blog! You raise some valid points.

      Regarding your point on security, we agree that other payment instruments can have security loopholes as well, but that is precisely our point; QR codes are also vulnerable to security threats and sufficient attention should be paid to this aspect by payment service providers before adopting QR codes in their markets. Currently, we don’t think this is the case – QR codes appear to strike a more sophisticated image in the minds of many payment service providers than other payment channels, and we don’t think this channel is being subjected to the same degree of scrutiny on security that other payment channels usually are.

      You have mentioned that a customer must authenticate a QR code transaction on their own device, and I presume you mean to say that that gives them a degree of protection against fraud – but does it? In the example of QR code fraud we cited in the blog, it appears that lots of savvy Chinese customers authenticated payments on their own devices using their own PINs etc. – but all going to a fraudulent QR code which they simply couldn’t differentiate from a genuine one. In your own words, “making / copying / modifying QR codes is simple and cheap”, so we presume this behaviour can be replicated by criminals throughout the world without much trouble. We feel that payment service providers in emerging markets should guard against such threats. Would you agree?

      Regarding the story of you sharing your Starbucks QR code successfully with your wife, it was not immediately clear to us what the main thrust of the argument was there. If it was that a screenshot of the code was all that was necessary and your wife didn’t need her card at all to collect her coffee, we don’t doubt that and fully agree. However, if your point was that nothing else was required by the merchant to accept the transaction beyond your wife presenting the screenshot of her code, then we don’t recognise that experience. In our understanding, the barista must have had to scan your wife’s QR code with a smart device, underlining the fact that in cases where the customer presents a transaction-specific code to the merchant, the merchants must have a smart device to scan the code. The implication is that QR codes are not necessarily a payment channel that requires no investment in acceptance hardware by a merchant.

      Thanks again for your interest in our work!

  4. Hi Anant, thanks for the sharing. I work in the pos industry and I would like to address some of your points mentioned.

    1)price can actually be included by merchant whether they are scanning or dishing out a dynamic qr code with a pos system. Most convenient stores does that in China. So the workflow becomes: user standby with a qr code page. Merchant enters products and scans via pos system.

    2)since merchants should either 1)scan 2)use dynamic qr code, sticking their account qr code in store clearly isn’t a preferred option.

    Disclaimer: we also work with wechat/alipay integration in our mobile pos system.

    • Anant says:

      Hi Kwang,

      Thank you so much for your feedback! We really appreciate it.

      Indeed, we are aware of the customer experience you have described in point 1, whereby the payment amount can also be included in the QR code) – but it still sounds like the customer has to go through quite a few steps to make a payment. That was the main point we were trying to make – that in many emerging markets, there are already several USSD / STK based solutions that customers are deeply familiar with which allow them to pay for merchant purchases. What then is the value of replacing them with an entirely new customer experience that again entails several steps?

      However, we are eager to be educated on this! Could you perhaps direct us to a video online so that we can study the customer experience you have described in some more detail?

      Thank you for sharing your thoughts with us!

Leave a Reply

Your email address will not be published. Required fields are marked *

Back
Contact GSMA Legal Email Preference Centre Copyright © 2017 GSMA. GSM and the GSM Logo are registered and owned by the GSMA.