EPC: Public consultation on the draft document “Standardization of QR-codes for MSCTs”
On February 16, 2022, the European Payments Council (“EPC”) launched an eight-week public consultation on a new draft document – see here – on the standardization of quick response (QR) codes for mobile-initiated (instant) SEPA credit transfers (“MSCTs”). The draft aims to standardize both QR codes presented by the payee and QR codes presented by the payer for all types of MSCT (person-to-person, consumer-to-business, business-to-business and business-to-consumer), covering both instant credit transfers (SCT Inst) and SCT payments.
This consultation is open for comments until April 14, 2022, and all interested stakeholders are invited to participate by sending their comments using the dedicated questionnaire available here. We strongly recommend that companies using or intending to use MSCT instruments review this document in detail and consider submitting comments.
MSCTS IN BRIEF
MSCTs are initiated, using a mobile device, either directly by the payer or indirectly by a payment initiation service provider acting at the payer’s request in accordance with PSD2.
MSCT solutions are offered by so-called MSCT service providers, i.e. service providers that offer or facilitate a payment service to a payer or payee on the basis of an SCT Inst or SCT transaction. By way of example, an MSCT service provider could be a payment service provider (“PSP”) – for example an account servicing payment service provider (“ASPSP”) or any party acting as a payment initiation service provider (“PISP”) pursuant to Directive (EU) 2015/2366 (“PSD2”) – or a technical service provider supporting a PSP.
Euro MSCTs are based on the existing SCT Inst or SCT scheme rules and operate in the so-called “inter-PSP space”, and therefore use the existing payment infrastructure of that space.
They typically use an MSCT app or a browser on the user’s device to initiate, or at least to authenticate and authorize, the (instant) SCT transaction. They also rely on certain features of the payer’s device, such as support for a CDUVM (a user verification method entered by or captured from the user on their device – for example a mobile code or biometric data on the mobile device), and the screen of the mobile device to display transaction information, etc.
In most MSCT cases, payer and payee have different ASPSPs that are SCT Inst or SCT scheme participants, while the entities assuming the role of MSCT service provider are mostly separate entities that differ for payer and payee. Obviously, if the role of MSCT service provider were assumed by an ASPSP, the model would be simplified.
Alternatively, multiple PSPs (such as a PSD2-licensed PISP, or a payment collection service provider that collects payment transactions on behalf of the merchant) could be involved between the payer/payee and their respective ASPSPs. These models are studied in chapter 20 of the “EPC269-19v2.0 (2nd version)” (“MSCT IG”), which is still to be published.
As illustrated above, the payer’s MSCT service provider is linked to the payer’s ASPSP, and the payee’s MSCT service provider may be linked to the payee’s ASPSP (this link may be both technical and contractual).
The MSCT ecosystem involves new stakeholders in the value chain beyond those described in the SCT Inst or SCT scheme rules, including a so-called Token Service Provider (“TSP”), a trusted third party (“TTP”) that is involved if tokens are used in MSCTs as placeholders for transaction data (including the merchant/consumer IBAN, the merchant/consumer ID, the transaction amount or the merchant’s transaction ID). The TSP manages the generation and issuance of tokens and maintains the mapping between tokens and the associated transaction data.
STANDARDIZATION OF QR-CODES FOR MSCTS
The EPC document specifies a minimum data set and a QR code standard for MSCTs, covering two modes:
- QR codes presented by the payee;
- QR codes presented by the payer;
with the aim of contributing to the interoperability of these payment instruments.
The minimum set of data to be exchanged between payee and payer depends on the MSCT transaction flow, i.e. on whether the data provided contains a token, a proxy, or all transaction data in “plaintext” (e.g. plaintext in the QR code).
In any case, the development of a standardized QR code for MSCTs, based on the ISO/IEC 18004 standard, rests on the following four assumptions:
- Mobile wallets often support multiple payment methods. The wallet user often selects and sets a default payment method;
- Payees (e.g. merchants) can often support multiple payment methods. The payee can set a preferred (priority) payment method for MSCTs based on the QR code presented by the payee;
- The need to avoid any special action by merchant staff at the point of interaction (POI), since any additional action (e.g. asking the payer which kind of wallet or which payment instrument they want to use) generates friction. The POI is the initial point in the merchant’s environment (e.g. POS, ATM, checkout page on a merchant’s website, QR code on a sign, etc.) where data is exchanged with a consumer device (e.g. mobile, laptop, etc.) or where consumer data is entered to initiate an instant credit transfer;
- The need to avoid any special action by the wallet user at the POI (especially in stores – e.g. browsing a POS menu to find a specific wallet generates friction).
Chapter 5 of the EPC document also addresses certain security aspects of the data contained in the QR codes used to initiate MSCTs.
It should be noted that a QR code can contain both sensitive and non-sensitive payment data, which may be used by different entities involved in processing the MSCT transaction.
In principle, a QR code can be static, or dynamic so as to initiate/identify a single specific MSCT transaction. Tampering with QR code data may lead to fraudulent transactions or data leaks. Therefore, sensitive payment data in the QR code must be adequately protected (for example by replacing it with a token), and the integrity of the data elements in the QR code must also be protected to avoid any service interruption. Non-sensitive data may relate to app information such as name, download URL, etc.; this type of data can remain visible, so that it is available to a simple QR code reader and can also serve marketing or user-information purposes.
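To make the two design points above concrete (the TSP token mapping described in the “MSCTs in brief” section, and the protection of sensitive data and data integrity in chapter 5), the following is an added, self-contained Python model. It is not the EPC’s QR-code format and not code from the EPC or any MSCT service provider: the field names, the JSON layout, the opaque token format, the shared HMAC key and the one-time-use rule for dynamic QR codes are all assumptions made for this illustration. It shows a payee-side builder that hands the IBAN and merchant ID to a TSP and puts only a token, the amount, the transaction ID and an integrity tag into the QR text, while the app name and download URL stay readable, and a payer-side verifier that rejects tampered data, unknown tokens and replayed dynamic codes.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed shared integrity key between the payee's MSCT service provider (which
# tags the QR data) and the verifying party. Constructed sample value; a real
# scheme could equally use a digital signature instead of a symmetric MAC.
INTEGRITY_KEY = b"demo-key-not-for-production"


class TokenServiceProvider:
    """Trusted third party that replaces sensitive transaction data with an
    opaque token and keeps the token-to-data mapping (the TSP role)."""

    def __init__(self):
        self._mapping = {}

    def tokenise(self, sensitive_data: dict) -> str:
        token = secrets.token_urlsafe(12)  # unguessable placeholder, no structure
        self._mapping[token] = dict(sensitive_data)
        return token

    def detokenise(self, token: str):
        return self._mapping.get(token)


def _canonical(data: dict) -> bytes:
    # Fixed serialisation so builder and verifier MAC exactly the same bytes.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def _mac(data: dict, key: bytes) -> str:
    digest = hmac.new(key, _canonical(data), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_qr_payload(tsp, key, *, iban, merchant_id, amount, tx_id,
                     app_name, download_url) -> str:
    """Payee side: sensitive data goes to the TSP; the QR text carries only the
    token, the per-transaction fields, visible app info and an integrity tag."""
    token = tsp.tokenise({"iban": iban, "merchant_id": merchant_id})
    protected = {"token": token, "amount": amount, "tx_id": tx_id}
    payload = {
        "v": 1,
        "app": {"name": app_name, "url": download_url},  # non-sensitive, visible
        "data": protected,
        "mac": _mac(protected, key),
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def verify_qr_payload(qr_text, tsp, key, seen_tx_ids):
    """Payer side: check integrity first, then resolve the token, then enforce
    one-time use of a dynamic QR code. Returns (resolved_data, status)."""
    try:
        payload = json.loads(qr_text)
        protected, mac = payload["data"], payload["mac"]
    except (ValueError, KeyError, TypeError):
        return None, "malformed payload"
    if not isinstance(protected, dict) or not isinstance(mac, str):
        return None, "malformed payload"
    if not hmac.compare_digest(_mac(protected, key), mac):
        return None, "integrity check failed"
    if not all(k in protected for k in ("token", "amount", "tx_id")):
        return None, "missing field"
    resolved = tsp.detokenise(protected["token"])
    if resolved is None:
        return None, "unknown token"
    if protected["tx_id"] in seen_tx_ids:
        return None, "replayed dynamic QR code"
    seen_tx_ids.add(protected["tx_id"])
    return {**resolved, "amount": protected["amount"],
            "tx_id": protected["tx_id"]}, "ok"


def demo():
    """Constructed walk-through: a valid scan, a tampered amount, and a replay."""
    tsp = TokenServiceProvider()
    seen = set()
    qr = build_qr_payload(tsp, INTEGRITY_KEY, iban="DE00000000000000000000",
                          merchant_id="M-0001", amount="12.50", tx_id="T-42",
                          app_name="DemoPay", download_url="https://example.invalid/app")
    _, status = verify_qr_payload(qr, tsp, INTEGRITY_KEY, seen)
    tampered = json.loads(qr)
    tampered["data"]["amount"] = "1250.00"  # altered after the tag was computed
    _, tamper_status = verify_qr_payload(json.dumps(tampered), tsp, INTEGRITY_KEY, seen)
    _, replay_status = verify_qr_payload(qr, tsp, INTEGRITY_KEY, seen)
    return status, tamper_status, replay_status


if __name__ == "__main__":
    print(demo())
```

The order of checks in the verifier is the point: the integrity tag is verified before any field is interpreted, the IBAN never appears in the QR text (only the TSP can map the token back), and the transaction ID doubles as a replay guard for a dynamic code. The app block is deliberately outside the tag so that a plain QR reader can still show the app name and download URL.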
Note that governance aspects related to the use of QR codes are proposed to form part of the overall governance of an “interoperability framework for MSCTs”. The latter also involves the creation of a so-called registration authority for issuing the identifiers of MSCT service providers.