In recent years, government departments have issued a number of documents supporting the integrated development of electronic payment and e-commerce, notably the Notice on Promoting the Development of E-commerce issued by the National Development and Reform Commission and other departments on May 20, 2016, which called for improving the e-commerce support system, promoting innovative applications of electronic payment, and vigorously developing mobile payment. On the one hand, with the tightening of regulation over payment institutions, a number of them have been penalised and payment licences have entered a "reshuffle period" in which existing institutions must strictly follow industry norms when carrying out business; on the other hand, as the application scenarios of electronic payment keep expanding, the security of electronic payment deserves equal attention.
In 2009, in a dispute over a network service contract between an e-commerce platform and a third-party payment platform, the state had not yet formulated national or industry standards for the payment business. In the event of a hacker attack it was therefore impossible to determine from any standard whether the parties had fulfilled their security obligations; responsibility could only be assigned on the basis of the agreement between the two parties and the evidence each of them produced. In its final judgment the court held that the e-commerce platform was responsible for properly safeguarding its merchant number and password, while the third-party payment platform was responsible for the security and confidentiality of its own system and for ensuring that the design and operation of its electronic payment processing system prevented the disclosure of transaction data. As to whether the attack on the payment platform was attributable to security weaknesses in that platform, the burden of proof fell on the e-commerce platform, that is, the merchant.
Analysing this case, the author found that the absence of a clear electronic payment industry standard at the time left the responsibilities of the parties unclear. The security of electronic payment has since been explicitly stipulated in the network business norms for non-financial payment institutions successively issued by the state, which can be summarised under four headings.
First, account opening audit. When a payment institution opens a payment account for a customer, it shall require the customer to provide relevant supporting documents and verify the customer's identity either face to face (itself or through an entrusted partner institution) or, in a non-face-to-face manner, by cross-verifying the customer's basic identity information through at least three legitimate and secure external channels. It shall also strengthen transaction monitoring and ongoing customer management where personal payment accounts are used for business activities. In addition, when opening a payment account for a unit or an individual, the payment institution shall sign an agreement with that customer stipulating the daily cumulative transfer limit and number of transfers both between payment accounts and between the payment account and bank accounts. Once the limit or number is exceeded, no further transfers shall be processed that day.
Second, strengthen account monitoring. Payment institutions shall strengthen the monitoring of bank accounts and payment accounts and establish and improve suspicious transaction monitoring models. Accounts whose funds are transferred in from many sources and then transferred out to many destinations (centralised inflow followed by dispersed outflow) shall be treated as suspicious. For an account flagged as suspicious, the payment institution shall verify the transactions with the unit or individual concerned; if the account still appears suspicious after verification, the institution shall suspend all business on the account and submit a suspicious transaction report or key suspicious transaction report in accordance with the relevant provisions; where a crime is suspected, it shall report to the local public security organ in a timely manner.
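The two controls just described, the agreed daily cumulative limit and count from the account-opening step and the "centralised inflow, dispersed outflow" rule from the monitoring step, can both be expressed as a small amount of code. The following Python is an added illustration written for this page, not code from any payment institution or regulation; the thresholds (three distinct sources, three distinct destinations, a 24-hour window, 90% of inflow re-sent) and the ledger of transfers are constructed assumptions chosen only to make the rule fire.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    src: str        # paying account
    dst: str        # receiving account
    amount: int     # in fen (0.01 CNY); integers avoid float rounding
    ts: datetime


# Constructed sample ledger (not real data). "mule" collects from three
# payers and immediately pays out to three receivers; "shop" is an
# ordinary merchant that only receives.
SAMPLE = [
    Transfer("t1", "payer_a", "mule", 300_00, datetime(2024, 3, 1, 9, 0)),
    Transfer("t2", "payer_b", "mule", 250_00, datetime(2024, 3, 1, 9, 5)),
    Transfer("t3", "payer_c", "mule", 450_00, datetime(2024, 3, 1, 9, 10)),
    Transfer("t4", "mule", "out_x", 330_00, datetime(2024, 3, 1, 10, 0)),
    Transfer("t5", "mule", "out_y", 330_00, datetime(2024, 3, 1, 10, 2)),
    Transfer("t6", "mule", "out_z", 330_00, datetime(2024, 3, 1, 10, 4)),
    Transfer("t7", "payer_a", "shop", 120_00, datetime(2024, 3, 1, 11, 0)),
    Transfer("t8", "payer_d", "shop", 80_00, datetime(2024, 3, 1, 11, 30)),
    Transfer("t9", "payer_e", "shop", 95_00, datetime(2024, 3, 2, 8, 0)),
]


class DailyLimit:
    """Daily cumulative amount and count per paying account, as agreed at
    account opening. Both checks are applied before the transfer is booked."""

    def __init__(self, max_amount: int, max_count: int):
        self.max_amount = max_amount
        self.max_count = max_count
        self._used = defaultdict(lambda: [0, 0])   # (account, date) -> [amount, count]

    def authorize(self, t: Transfer):
        key = (t.src, t.ts.date())
        used_amount, used_count = self._used[key]
        if used_count + 1 > self.max_count:
            return False, "daily transfer count exceeded"
        if used_amount + t.amount > self.max_amount:
            return False, "daily cumulative amount exceeded"
        self._used[key] = [used_amount + t.amount, used_count + 1]
        return True, "ok"


def run_limit_check(transfers, max_amount: int, max_count: int):
    """Apply the agreed daily limit to every transfer in order and report
    which ones would be refused."""
    limit = DailyLimit(max_amount, max_count)
    return [(t.tx_id,) + limit.authorize(t) for t in transfers]


def flag_fan_in_fan_out(transfers, min_sources=3, min_sinks=3,
                        window=timedelta(hours=24), ratio=0.9):
    """Flag accounts that receive from >= min_sources distinct payers and,
    within `window` of the first inflow, pay out >= ratio of that inflow to
    >= min_sinks distinct receivers. Returns {account: evidence}."""
    flows = defaultdict(lambda: {"in": [], "out": []})
    for t in transfers:
        flows[t.dst]["in"].append(t)
        flows[t.src]["out"].append(t)

    flagged = {}
    for acct, f in flows.items():
        inflows = sorted(f["in"], key=lambda t: t.ts)
        if not inflows:
            continue
        start = inflows[0].ts
        in_win = [t for t in inflows if t.ts - start <= window]
        out_win = [t for t in f["out"] if start <= t.ts <= start + window]
        sources = {t.src for t in in_win}
        sinks = {t.dst for t in out_win}
        if len(sources) < min_sources or len(sinks) < min_sinks:
            continue
        total_in = sum(t.amount for t in in_win)
        total_out = sum(t.amount for t in out_win)
        if total_out >= ratio * total_in:
            flagged[acct] = {"sources": len(sources), "sinks": len(sinks),
                             "in": total_in, "out": total_out}
    return flagged


if __name__ == "__main__":
    for row in run_limit_check(SAMPLE, max_amount=800_00, max_count=2):
        print(row)
    print(flag_fan_in_fan_out(SAMPLE))
```

Amounts are kept in fen as integers so that cumulative checks never suffer floating-point drift, and the limit state is keyed by calendar date so a new day starts from zero, which is the reading of "daily cumulative" used here. The monitoring rule is deliberately simple; a production model would also weigh account age, counterparty history and velocity, but the fan-in/fan-out shape is the pattern the norm singles out.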
Third, transaction verification. For verifying transactions, payment institutions may choose among static passwords, digital certificates and electronic signatures that have passed security certification, one-time passwords generated and delivered through a secure channel, and the customer's own biometrics such as fingerprints.
Fourth, ensure that transaction information is true, complete and traceable. Where a payment institution cooperates with a bank to make or receive payment on a bank account, it shall record, in accordance with national and financial industry standards: the transaction channel, the transaction terminal or interface type, the transaction type, amount and time; the name, code and category code of the merchant that directly provides the goods or services to the customer; the names of the paying and receiving customers, together with the payment account numbers or the names of the account-holding banks and bank account numbers; the identity verification and transaction authorisation information of the paying customer; information sufficient to trace the transaction effectively; and, for a single transfer of more than 50,000 yuan by a unit customer, the purpose and reason for the payment. The aim is to ensure that transaction information remains authentic, complete, traceable and consistent throughout the payment process.
In short, China has established and refined a number of safety protection mechanisms for the security problems that can arise in electronic payment. As application scenarios multiply, however, payment institutions should keep improving their risk management mechanisms, establish disaster recovery and backup mechanisms for electronic payment, and use innovative technologies and service models to raise the security level of the electronic payment system as a whole.