Security Considerations in the Electronic Payment Process


In recent years, government departments have issued a number of documents to support the integrated development of electronic payment and e-commerce. In particular, the Notice on Promoting the Development of E-Commerce-related Work, issued by the National Development and Reform Commission and other departments on May 20, 2016, called for improving the e-commerce support system, promoting innovative applications of electronic payment, and vigorously developing mobile payment. On the one hand, as regulators have tightened supervision over payment institutions, many institutions have been fined and the pool of existing payment licenses has entered a "reshuffling period"; licensed payment institutions must therefore strictly abide by industry norms when conducting business. On the other hand, as the application scenarios for electronic payment keep expanding, the security of electronic payment also deserves attention.

In a 2009 case concerning a dispute over an online service contract between an e-commerce platform and a third-party payment platform, the state had not yet formulated national or industry standards for the payment business, so it was impossible to determine by reference to a standard whether each party had fulfilled its security obligations when a hacker attack occurred. The responsibilities of the parties were instead determined solely from the agreement between them and the evidence each provided. In the reasoning of its judgment, the court held that the e-commerce platform was responsible for properly safeguarding merchant IDs and passwords, while the third-party payment platform owed a duty of care and prudence for the security of its own system and the confidentiality of its information, and was responsible for ensuring that the design and operation of its electronic payment processing system could prevent the leakage of electronic payment transaction data. As to whether the hacker attack on the payment platform had been caused by security vulnerabilities in the electronic payment platform, the burden of proof was placed on the e-commerce platform (i.e., the merchant).

Analyzing this judicial precedent, the author found that the absence of clear industry standards for electronic payment at that time left the responsibilities of the parties unclear. Subsequent national regulations on the online business of non-financial payment institutions have since explicitly set out security requirements for electronic payment. These requirements are as follows:

1. Account Opening Verification

When opening a payment account for an entity, a payment institution shall require the entity to provide the relevant supporting documents and shall verify the customer's identity face to face, either itself or through an entrusted cooperating institution. Alternatively, it may verify the entity's basic information in a non-face-to-face manner by cross-checking it through at least three legally compliant and secure external channels. In addition, payment institutions shall strengthen the monitoring of fund transactions in which personal payment accounts are used for business activities, and shall implement ongoing customer management. Furthermore, when opening payment accounts for entities or individuals, payment institutions shall sign agreements with them specifying the daily cumulative transfer limits and transaction counts between payment accounts, and between payment accounts and bank accounts. Once these limits or counts are exceeded, no further transfer business shall be processed.

2. Enhanced Account Monitoring

Payment institutions shall strengthen the monitoring of bank accounts and payment accounts, and shall establish and improve suspicious transaction monitoring models. Accounts and fund transfers that exhibit suspicious transaction characteristics (such as centralized inflows and decentralized outflows, i.e., funds arriving concentrated from a few sources and leaving dispersed to many recipients) shall be classified as suspicious transactions. For accounts identified as suspicious, payment institutions shall verify the transaction details with the relevant entities or individuals. If the payment institution still deems the account suspicious after verification, it shall suspend all business on the account, submit a suspicious transaction report or a key suspicious transaction report in accordance with the regulations, and promptly report to the local public security organ if illegal or criminal activity is involved.
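As an added illustration (not part of the original article) of the monitoring model described above, the following Python screens a constructed set of transfers for the "centralized inflow, decentralized outflow" pattern and, generalizing, its mirror image; the thresholds, the transfer record layout and the account names are assumptions.

```python
"""Screen payment accounts for concentrated-in / dispersed-out fund flows (and the reverse).
Added example; thresholds and the (sender, receiver, amount) layout are assumptions."""
from collections import defaultdict

# Constructed sample transfers: (sender, receiver, amount in yuan).
SAMPLE_TRANSFERS = [
    # acct_X: three large deposits from one source, then a fan-out to 12 payees.
    ("corp_A", "acct_X", 40000), ("corp_A", "acct_X", 38000), ("corp_A", "acct_X", 42000),
] + [("acct_X", f"payee_{n:02d}", 9000 + 50 * n) for n in range(1, 13)] + [
    # shop_Y: many small customer payments in, a couple of supplier settlements out.
    ("cust_1", "shop_Y", 120), ("cust_2", "shop_Y", 80), ("cust_3", "shop_Y", 200),
    ("cust_4", "shop_Y", 150), ("cust_5", "shop_Y", 100),
    ("shop_Y", "supplier_1", 350), ("shop_Y", "supplier_2", 250),
]

def concentration(amounts_by_party):
    """Share of total volume attributable to the single largest counterparty (0..1)."""
    total = sum(amounts_by_party.values())
    return max(amounts_by_party.values()) / total if total else 0.0

def screen_accounts(transfers, conc_high=0.6, conc_low=0.2, min_parties=10):
    """Return {account: pattern} for accounts whose flow is concentrated on one side
    (one counterparty holds >= conc_high of the volume) and dispersed on the other
    (>= min_parties counterparties, none holding more than conc_low)."""
    inflow = defaultdict(lambda: defaultdict(float))   # receiver -> sender -> amount
    outflow = defaultdict(lambda: defaultdict(float))  # sender -> receiver -> amount
    for sender, receiver, amount in transfers:
        inflow[receiver][sender] += amount
        outflow[sender][receiver] += amount
    flagged = {}
    for acct in set(inflow) & set(outflow):  # only accounts that both receive and send
        in_c, out_c = concentration(inflow[acct]), concentration(outflow[acct])
        if in_c >= conc_high and len(outflow[acct]) >= min_parties and out_c <= conc_low:
            flagged[acct] = "centralized inflow, decentralized outflow"
        elif out_c >= conc_high and len(inflow[acct]) >= min_parties and in_c <= conc_low:
            flagged[acct] = "decentralized inflow, centralized outflow"
    return flagged

if __name__ == "__main__":
    # A hit is a lead for verification with the customer, not a verdict on its own.
    for acct, pattern in screen_accounts(SAMPLE_TRANSFERS).items():
        print(f"{acct}: {pattern}")
```

In the sample, acct_X is flagged (all inflow from corp_A, outflow spread thinly over 12 payees) while shop_Y, whose inflow is already dispersed across customers, is not.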

3. Transaction Authentication

For transaction authentication, payment institutions may choose static passwords, securely authenticated digital certificates, electronic signatures, one-time passwords generated and transmitted through secure channels, or the customer's own fingerprints.

4. Ensuring Transaction Information is Authentic, Complete, and Traceable

When a payment institution cooperates with a bank to conduct bank account payment or collection business, it shall store the following information so that transaction information is authentic, complete and traceable, and consistent throughout the entire payment process: the transaction channel, the transaction terminal or interface type, the transaction type, the transaction amount and the transaction time; the name and code of the merchant that directly provides goods or services to the customer, together with the merchant category code assigned in accordance with national and financial industry standards; the name of the paying and receiving customer, and either the number of the paying or receiving payment account or the name of the bank where the bank account is held together with the account number; the identity verification and transaction authorization information of the paying customer; identification marks that allow effective transaction tracing; and, for transfer business by entities where a single transaction exceeds 50,000 yuan, the purpose and reason for the payment.
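The record-keeping requirement above translates naturally into a completeness check on each stored record; the following Python is an added example (not the article's or any institution's code), and the field names, record layout and the payer_is_entity flag are assumptions.

```python
"""Completeness check for a stored payment record against the items the regulation lists.
Added example; field names and the record layout are assumptions."""

# Items every record must carry regardless of customer type (assumed field names).
ALWAYS_REQUIRED = (
    "channel", "terminal_or_interface_type", "transaction_type", "amount", "time",
    "merchant_name", "merchant_code", "merchant_category_code",
    "payer_name", "payee_name", "payer_auth_info", "trace_id",
)
LARGE_ENTITY_TRANSFER_YUAN = 50000  # above this, an entity transfer must state its purpose

def _missing_account_ref(record, side):
    """A party is identified by a payment-account number OR by bank name plus bank account."""
    if record.get(f"{side}_payment_account"):
        return []
    if record.get(f"{side}_bank_name") and record.get(f"{side}_bank_account"):
        return []
    return [f"{side}_payment_account or ({side}_bank_name and {side}_bank_account)"]

def missing_fields(record):
    """Return the required items absent from the record; an empty list means complete."""
    missing = [f for f in ALWAYS_REQUIRED if not record.get(f)]
    missing += _missing_account_ref(record, "payer")
    missing += _missing_account_ref(record, "payee")
    if (record.get("transaction_type") == "transfer"
            and record.get("payer_is_entity")
            and record.get("amount", 0) > LARGE_ENTITY_TRANSFER_YUAN
            and not record.get("purpose")):
        missing.append("purpose (entity transfer above 50,000 yuan)")
    return missing

# Constructed sample: a corporate transfer of 80,000 yuan with no stated purpose.
SAMPLE_RECORD = {
    "channel": "app", "terminal_or_interface_type": "mobile-api", "transaction_type": "transfer",
    "amount": 80000, "time": "2016-06-01T10:15:00+08:00",
    "merchant_name": "Example Wholesale Co.", "merchant_code": "M000123",
    "merchant_category_code": "0000",  # constructed placeholder value
    "payer_name": "Example Trading Ltd.", "payer_is_entity": True,
    "payer_bank_name": "Example Bank", "payer_bank_account": "0000000000000001",
    "payee_name": "Example Wholesale Co.", "payee_payment_account": "PA-000001",
    "payer_auth_info": "digital-certificate", "trace_id": "TRC-SAMPLE-000042",
}

if __name__ == "__main__":
    print(missing_fields(SAMPLE_RECORD))  # the purpose item is the only gap
```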

In conclusion, in response to the potential security issues of electronic payment, China has issued and refined a number of regulatory documents establishing security protection mechanisms. However, as electronic payment application scenarios multiply, payment institutions should continue to improve their electronic payment risk management mechanisms, establish disaster recovery mechanisms for electronic payment, and use innovative technologies and service models to raise the security level of the electronic payment system as a whole.
