Financial Services News South Africa

Can QR code payments co-exist in a tap-to-pay world?

Offering the right payment method to customers can sometimes mean the difference between whether they pay and convert with a business or whether they go to a competitor to shop somewhere else.
Source: Pexels

It's really important therefore for businesses to know the various payment mechanisms available to them, and the contexts in which they are used, and also how these mechanisms stack up against the odds out there.

"Knowing whether to adopt a tap-to-pay or scan-to-pay functionality at a point of sale is a strategic decision, one that has less to do with differences in technicality and more to do with trust," says Mike Bryer, Zapper's chief executive officer. He was speaking at The Payfast eCommerce Virtual Summit which ran from 14 March to 15 March 2023.

Understanding the security risks of the two payment methods, requires knowing how each payment method works. Bryer explains:

  • The tap to pay experience involves a debit or credit card being tokenised. The card token is made active by Apple or Android devices and requires biometric authentication, either a face ID or fingerprint, or a pin. Once the user of the phone enters the credentials or shows their face, the card is active and ready to transact.

    The token associated with that card is then transferred over the air to the trusted device which is the card machine or pin-entry device using near field communication (NFC), which aims to operate within a 4cm distance.

    Between the two devices the trusted device communicates with the banks that may then decide that a challenge response is required. This is if they are unsure of the location from which the transaction is happening, or the location itself seems unusual.

  • If we look at scan to pay, let's assume Visa/Mastercard is providing the tokenisation. The merchant and invoice details are transferred over the air to what we consider to be the trusted device - the mobile phone - using a camera and QR code, and the distance between the two could be anywhere between 4 to 40cm.

    At this point the card token is activated by Apple or Android's device security, as part of the payment experience using the same biometrics or pin, and finally the trusted device (which in this case is the mobile phone), will communicate with the banks. If they feel there is any risk associated with this particular transaction, they will require a challenge response, which in scan-to-pay transactions involves 3-D-Secure Authentication. In this case, banks place trust in the mobile phone device rather than placing trust in the card-acceptance device.

  • Assessing the risk profile

    "The question is which device should we trust?" asks Bryer. "Our own phones, over which we alone have control, or the mechanism's card-acceptance device, which in this entire value chain is handled by many individuals?

    In the case of the latter, there's software that's loaded on to the device which provides opportunities - from the moment the software's loaded until it's delivered to the merchant - for that software to be manipulated and changed, and likewise once it's in the store. One could take a different view on which is more trustworthy.

    "The security of a mobile phone is accepted by the banks as being high enough that they will allow you to transact on all of your accounts, irrespective of whether it's a credit card, or debit card linking to a transactional or savings account. Thus they have inherently communicated to us that the mobile phone can be trusted.

    "Also in the scan to pay transaction, the mobile device itself communicates certain identifiers which allows the service to determine what the device is and who's using it. So it carries a high degree of trust in the overall end to end transaction."

    "The issuing bank also has a fair amount of control, so if the bank is not entirely happy with a scan to pay transaction; there can be a second factor of authentication to ensure that this is the user to whom they issued this card. They are going to request a pin to be entered on to the device, or they're going to require some form of 3D secure response."

    The question is, does it really matter which device is sending through the details over to the banks? Is the risk profile of each really any different?

    "Considering identity theft can occur equally on both tap to pay and scan to pay, the risk profile of either method of payment is very similar if not identical," confirms Bryer.

    User experience trumps security concerns

    "At the end of the day, the real issue is user experience and the context in which the payment needs to be made," Bryer continues.

    He maps out different scenarios in which users may opt for one or other payment method:

    "If a user goes jogging and then joins up with friends afterwards for a cup of coffee, there's no doubt in my mind that tap to pay wins in this scenario, especially if he or she is wearing an Apple or Garmin watch.

    "That the service can be deployed onto wearables is the biggest advantage of tap to pay. This makes card payments not only extremely convenient, but it brings in the "cool" factor. I have no doubt that soon we will have embedded technology where we will be a doing a fist bump to pay the bill "

    "If a person is in a shopping mall scan to pay would work where a person wishes to pay for parking.

    "Aternatively if a business person is eating out at a restaurant with colleagues, he may make an ego-driven decision to tap to pay using his latest black credit card. Among friends at a restaurant, however, it may be quicker to scan a QR code on a bill, and then have access to additional value-adds.

    "In this instance, the scan-to-pay platform calculates the tip and offers the option of splitting the bill with your mates. It also works extremely well where discretion in inputting a promotional code is required.

    "From an e-commerce perspective, you definitely can't tap and pay when ordering from Takealot and making a credit-card payment, but you can scan to pay."

    Both methods of payment have a role to play in the payments landscape in SA, stresses Bryer. "At the end of the day, it makes it incredibly important for merchants to embrace both. There's a role for tap to pay and scan to pay to be applied in different contexts. And while there are risks involved in using both, implementing them will ensure your business sees an incremental growth in sales."

    About Katja Hamilton

    Katja is the Finance, Property and Healthcare Editor at Bizcommunity.

      Let's do Biz