Today, let us use a specific case to look at the regulatory gap in the payment business. In fact, I mentioned this issue in an article last year, and I see it as the biggest hidden danger in the development of the payment business.
Fast payment (including no-card payment) is the most convenient way to pay by bank card. In the mobile Internet environment especially, given how little technical groundwork the parties involved had in the early days, it became almost the only available way.
Compared with traditional payment, fast payment is extremely simple on the user side: enter a few key elements of the bank card, the cardholder's name and identification number, and a mobile phone number, and you can open and pay, and present. Of these, the card elements have gradually been reduced to the card number alone; even the traditional three elements of a credit card are omitted.
First of all, this deserves praise: it is a kind of progress and innovation that brings users the greatest degree of convenience under controllable risk. What is controllable risk? It rests mainly on assumptions drawn from the characteristics of the mobile era: a mobile phone is carried by its owner, is usually not casually lent to others, and if lost can be reported quickly. Under these assumptions, a design that verifies three separate dimensions, the card, personal private information (name and identity card) and a commonly used auxiliary device (the mobile phone), does give a valid risk model, and the risk is not very small.
Of course, considering only the normal situation is not enough; the handling of abnormal conditions must also be designed, so as to control the risk as far as possible. So we see that most banks have set fairly cautious payment limits, and spell out authorization and risk clearly in their agreements with users. True to the banks' usual form, the user is typically required to bear any possible losses. That is not good, but it is reasonable: if you want a more convenient way to pay, you will naturally pay some price.
Well, that is the background. Back to the subject: let us talk about the inherent deficiencies of this risk model. The key is that the domestic information security environment is poor. Identity card theft, copied mobile phone cards and the like have become commonplace, and under the risk control model above, once someone has their eye on you, the loss is inevitable. There are many cases online, so I will not repeat them.
Moreover, there is the theft from credit cards that was discussed in previous years. In an environment as short on good faith as China's, the traditional three-factor verification of credit cards is very dangerous, but at least there is international practice to serve as a reference; the domestic banks are simply used to their own ways and slow to follow up. But now the risk of fast payment goes well beyond credit cards. It extends to debit cards and creates completely different risk loopholes, which can only be solved by China's own regulation. As everyone can see from the status quo, apart from reporting to the police and wrangling with the bank afterwards, there is basically nothing to rely on.
However, in my opinion, these are small things. The more serious problem is this:
If the fast payment process were completely monitored by the bank, as with a redirect to online banking, it would on the whole be secure, and rights and responsibilities would be relatively easy to define clearly. But given how slow the banks have been in the mobile Internet era, the technical barriers involved, and the need for every bank to support it and for merchants to be willing to connect to the banks one by one, this is not realistic. Well then, let UnionPay do it. In fact, UnionPay was quite active: early on it brought the banks together and launched "No card payments", which is still the absolute mainstay of remote payment on the mobile Internet. But when it comes to risk liability and consultation, it falls back on the classic, old system of card issuing, clearing and acquiring, plainly pushing responsibility onto the acquiring bank, and the acquiring bank onto the merchant, while in practice users take their problems only directly to the issuing bank, hence all kinds of entanglements ... Oh, no. In short, for a variety of reasons, UnionPay actively innovated for half a step and then, feeling fully justified, stopped, completely ignoring the real needs of this new market.
So Alipay, the first to offer fast payment, became the biggest winner in the emerging mobile remote payment market. And how good it is: convenient for users, unified access for merchants, and Alipay is even willing to take responsibility ("you dare to pay, I dare to compensate"). Next came WeChat Pay, introduced with WeChat 5.0, which also works by way of fast payment and quickly became a strong new competitor.
However, the payment process is no longer what it was. All the sensitive information, card number, name, ID card and mobile phone number, is entered inside the Alipay or WeChat environment, and even the SMS verification of the mobile phone number is carried out by them. There is a modest "user agreement" as the legal basis, but are they really that trustworthy?
Putting personal preferences aside, let us first state the facts:
1. The information security protection technology of Alipay and WeChat Pay (Tenpay) has not been tested or certified. Of course, no such testing and certification body exists. But my point is that their security rests entirely on their own self-discipline, with no impartial method or institution to guarantee it. In fact, Alipay information leaks were widely reported some time ago. They are now making up for this in another way, with property insurance. This improves the user's "illusion" of security, but it does not solve the essence of the problem. Moreover, if you ever actually file a claim under "you dare to pay, I dare to compensate", you will find out how frustrating it is.
2. Alipay and WeChat Pay are fully capable of debiting directly without the user's consent. Please note: I am talking about "ability", not about what they are doing now. I suspect many readers have had the same experience. For example, you have bound a number of bank cards to Alipay fast payment. Alipay suddenly sends you a text message asking "whether willing to pay xxx"; you answer yes, and money is deducted from the bank card. Or with sound wave payment: you agree to pay, and the bank card is debited. Maybe you do not care, or even think this is reasonable. But please think again. If the money were deducted from your Alipay account balance, Yu'e Bao, or the collection, I think everyone could accept it; but it is deducted from your bound bank cards, and if there is no money on the first card, it is automatically deducted from a card that has money. Do you really think you gave Alipay such a broad mandate?
3. If a company cooperates in depth with Alipay or WeChat, it is entirely possible for it to obtain this sensitive information without anyone knowing, and it then naturally has the ability to deduct money from the user's bank card, with no trace to be found.
Here I do not want to discuss whether what Alipay and WeChat do is legitimate and reasonable. As the saying goes, what exists is reasonable. Besides, so many people are willing to go along with it: compared with the banks and UnionPay, the majority of people may well be more willing to actively disclose their information to Alipay and WeChat.
However, this is precisely the problem of the regulatory gap. Payment behavior of this kind carries so many hidden dangers, and such large ones, and can cause huge financial losses. This kind of risk cannot be left to the morals of a particular company, nor passed on to the market and the user. It should be brought under control at the outset, by putting forward reasonable compliance rules and supervising their execution, so as to help and protect such innovation and let it continue to develop.
For example:
1. The process of collecting bank card information should be strictly specified and tested. The payment company shall not store this information, but only pass it in encrypted form to the issuing bank. When a problem with an account arises, the issuing bank bears the primary responsibility for the inquiry and is responsible for paying the Alipay company.
2. SMS verification of the mobile phone number is a core verification mechanism; it must not be opened up to the payment company and must be carried out by the bank itself. Alternatively, it can be entrusted to China UnionPay or another impartial third-party institution. The bank shall record all verification information, and the regulator will check regularly to ensure that the bank has made no unauthorized authorization.
That is what regulators should do.
Otherwise, once this pattern has become thoroughly prevalent and pervasive and is past curing, and a concentrated outbreak occurs (which is absolutely inevitable), the only thing regulators will be able to do is force a shutdown and condemn the payment company.