Why mobile wallets still use QR codes—and why maybe they shouldn’t
Walmart’s addition of Chase Pay to its mobile wallet sounds like a big step forward for the payments industry, but the companies have a foot firmly planted in the past through their ongoing use of QR codes.
It’s worth asking why, after years of working out the kinks of contactless payments, we are still relying on a technology from the early 90s.
Quick response codes – the two-dimensional bar codes originally designed for Japan’s automotive industry in 1994 – present information in a way that computers can read and humans can’t, which makes them useful for displaying sensitive information. Starbucks, Paytm and Paydiant, which is a now part of PayPal, also use QR codes for mobile payments. Other examples include the Kohl’s department store chain’s app and Seamless in Sweden.
QR codes have pros and cons that banks will need to carefully consider as they make choices about their own mobile wallets and partnerships with others.
For companies like Walmart and Chase, which announced their mobile wallet agreement last week, there are many advantages to using QR codes.
The most important is ubiquity. Companies don’t have to worry about what device the customer is using — any smartphone can display or read a QR code with a small piece of software. They don’t have to be concerned about antennae or secure elements on phones; they’re not needed. The point-of-sale terminal doesn’t have to be anything special hardware-wise — it, too, needs only software to generate and read QR codes.
“The QR code makes a lot of sense right now from a political standpoint — you don’t have to wait and see what kind of requirements the [card] brands are going to make,” said Steve Mott, principal of BetterBuyDesign, an advisory firm in Colorado Springs. Visa’s PayWave and Mastercard’s Masterpass support QR codes.
He also noted that QR codes have a security advantage over existing methods. Contactless payments, even under the EMV chip standard, still transmit account credentials in the clear, which leaves them vulnerable to cybercriminals intent on stealing that information from the point-of-sale terminal.
“So if you’re Walmart, Chase, Paytm or anybody else, you’re better off with QR code because it’s better than magnetic stripe and it’s better than EMV, especially because the EMV deployment was bungled so badly,” Mott said. “And the card number is behind the walls as it’s going through its authorization, clearing and settlement. So by definition, it’s better than what’s out there in the marketplace today.”
Walmart has been using QR codes in its Walmart Pay mobile wallet, which it built into the Walmart app, since June at 4,600 stores. Customers come to a register, open the Walmart app on their phone, and sign in using a PIN (or Touch ID if it’s an iPhone). A QR code comes up on the point of sale terminal, and customers scan it with their phone. When the cashier has finished scanning the items, he sends an e-receipt to the customer’s phone.
The retailer said that in surveys, nearly four out of five customers say they plan to use Walmart Pay after using it the first time. About 90% of transactions come from repeat Walmart Pay users.
“When we talk to customers about why they’re using Walmart Pay, a lot of them say it’s a time savings tool,” said Molly Blakeman, a spokeswoman for Walmart. “Customers are telling us their need to save time has caught up with their need to save money.”
QR-code payments have a less appealing side: they can be cumbersome and they rely on a smoothly functioning and secure in-store WiFi network. The “secure” part is notoriously hard to achieve.
David Maman, CEO and founder of UnicornCyber, a cyber security company based in Tel Aviv, said stolen devices will be a threat for QR code implementations that don’t require proof of identity.
“I could understand not wanting to be dependent on a specific hardware or a specific process,” he said. “But you do have to ask for identification that’s not based on hardware.”
Having the customer take a selfie when she registers, then having her photo pop up on the cashier’s screen at the time of purchase, would do it. Otherwise, anyone could steal a phone and use it for purchases.
Because of the dependency on WiFi networks, a denial-of-service attack could short circuit a QR-code transaction, as could a rogue WiFi network set up to steal users’ identities, Maman noted. A WiFi network could be hijacked to conduct man-in-the-middle attacks that overlay fake QR codes over the existing ones and redirect payments to other accounts.
And WiFi networks might not be powerful enough to keep up with a high volume of transactions.
“What if inside a store there’s no reception?” Maman said. “What if the only way to access the internet is a WiFi? Inside of stores, when you don’t have good reception to run your 4G or 3G network, you won’t be able to pay.”
Another issue for QR codes is the unsophisticated design. For people accustomed to the latest devices, they just don’t make sense.
“I saw a lot of startups during the past year in a half that are all about trying to making the buying part of a shopping process easier,” Maman said. Having to scan items while putting them in a cart, then opening an app and scanning a bar code “is getting just annoying,” he said.
The lack of consistency among QR code algorithms could also become a problem. Mott points out that there are dozens of QR code implementations today.
“Starbucks is different from Paydiant which is different from Walmart and slightly different from Chase Pay,” he said. “Are all QR codes going to be compatible with each other? What happens at scale? If you’re a merchant, does your system automatically take every one? There may be operational complexities that show up down the road.”
In the end, it will come down to what resonates with consumers.
“The biggest advantage QR codes have is that consumers understand them intuitively,” Mott said. “They’ve all grown up with bar codes and QR codes. They’re more intuitive than even Apple Pay. All you have to do with Apple Pay is hover your thumb over the device. It’s very simple. But it’s not intuitive.”
First appeared at PS