PayPay: Japanese App Based Consumer Payments

Posted by Attomo | January 21, 2019

We take a look into PayPay, a Japanese app-based consumer payment system.

PayPay was released on 4th December 2018. Its bold marketing campaign created a buzz among tech-savvy consumers: 20% cashback on all transactions (up to 50,000 JPY per user) up to a total of 10 billion JPY, plus a lottery prize of up to 100,000 JPY at odds of 40:1 for PayPay users, 20:1 for Yahoo Premier users and 10:1 for Softbank or YMobile users. The campaign lasted 10 days (until 13th December 2018), as the 10 billion JPY was claimed quickly instead of over the 4 months planned.

Unfortunately, PayPay’s technology, a JV between Yahoo, Softbank and PayTM (India), proved to have a security flaw in its handling of the Card Number, Expiry Date and Card Security Code (CSC). The focus was on the lack of protection for the CSC, where the 3 or 4 digit code (CVV/CVC) could be tried multiple times. This meant thieves could get credit card information (Card Number and Expiry Date) on the black market and then try guessing the CSC multiple times.

On 18th December (14 days after the go live) a security feature was released. The feature locked the account after multiple attempts at entering the Card Number, Expiry Date and Card Security Code. Since then, news of fraudulent transactions has fallen.

Questions of responsibility arose, but on 27th December PayPay announced it would take full responsibility for compensating the fraudulent transactions. The Asahi Newspaper reported on 12th January 2019 that some consumers had not received their cashback. If there are issues, PayPay has a website set up with a form to claim the chargeback (aka bonus). The lesson learnt from PayPay’s release was that the security features of the payment system were not adequate. PayPay saw the mistakes it had made and improved within a 2-week sprint period/emergency release.

For consumer payment technology providers, this case should help to highlight the user stories and testing that should be involved in releasing a consumer payment system in Japan.

1: Is there a limit on the Card Security Code (for credit/debit cards)?

2: Does the risk engine for fraudulent transactions highlight obscure transactions, e.g. multiple accounts having the same card reference?

3: Is there a check on the user’s mobile number or IMEI?
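Questions 1 and 2 can be turned into a testable control. The following is an added example, not PayPay’s code: it limits failed CSC attempts per account and per card reference, and flags one card reference appearing on several accounts. The thresholds, the names `CardRegistrationGuard` and `card_ref`, and the `csc_ok` flag (standing in for the issuer’s answer) are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 3           # assumed threshold; the article only says "multiple"
MAX_ACCOUNTS_PER_CARD = 2  # assumed risk-engine threshold
FINGERPRINT_KEY = b"constructed-demo-key"  # placeholder; use a managed secret


def card_ref(pan: str, expiry: str) -> str:
    """Keyed fingerprint so the counters never store the raw card number."""
    msg = f"{pan}|{expiry}".encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


class CardRegistrationGuard:
    def __init__(self):
        self.failures_by_account = defaultdict(int)
        self.failures_by_card = defaultdict(int)
        self.accounts_by_card = defaultdict(set)

    def check(self, account: str, pan: str, expiry: str, csc_ok: bool) -> str:
        """Return 'locked', 'rejected', 'review' or 'accepted' for one attempt."""
        ref = card_ref(pan, expiry)
        self.accounts_by_card[ref].add(account)
        # Lock on either counter: a per-account limit alone is sidestepped
        # when guesses for one card are spread across many accounts.
        if (self.failures_by_account[account] >= MAX_FAILURES
                or self.failures_by_card[ref] >= MAX_FAILURES):
            return "locked"
        if not csc_ok:
            self.failures_by_account[account] += 1
            self.failures_by_card[ref] += 1
            return "rejected"
        # Correct CSC, but the same card reference on several accounts is
        # the pattern question 2 asks the risk engine to surface.
        if len(self.accounts_by_card[ref]) > MAX_ACCOUNTS_PER_CARD:
            return "review"
        return "accepted"


if __name__ == "__main__":
    guard = CardRegistrationGuard()
    # Constructed test card number and expiry, not real card data.
    for acct in ("a1", "a2", "a3", "a4"):
        print(acct, guard.check(acct, "4111111111111111", "12/20", csc_ok=False))
```

A release test for question 1 then reduces to asserting that the attempt after the threshold returns `locked` even when the CSC is correct.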

It will be interesting to see how the Credit Card Fraud Statistics look on the J-Credit Website for the period Q4 of 2018. We look forward to how the Japanese Payment Industry & PayPay evolves!

References:

JP: Why did PayPay’s Fraud Occur? http://www.itmedia.co.jp/mobile/articles/1812/17/news090.html

PayPay’s 10 billion JPY Campaign https://PayPay.ne.jp/promo/10billion-campaign/

JP: Was PayPay’s Campaign a Success? http://www.itmedia.co.jp/mobile/articles/1812/14/news064.html

ENG: PayPay to update app after wrongful charge complaints https://www.japantimes.co.jp/news/2018/12/17/business/corporate-business/japans-PayPay-update-app-wrongful-charge-complaints/#.XD8V5M-eTOR

JP: PayPay’s Chargeback was Cancelled https://www.asahi.com/articles/ASM1C5TVZM1CUTIL041.html

JP: PayPay’s Chargeback/Bonus claim site https://support.PayPay.ne.jp/PayPay_bonus

JP: PayPay to fully compensate for fraud https://www.asahi.com/articles/ASLDX369PLDXULFA00B.html

JP: PayPay: the measures were inadequate https://mainichi.jp/articles/20181218/k00/00m/040/191000c

JP: Credit Card Fraud Statistics https://www.j-credit.or.jp/information/statistics/download/toukei_03_g_181228.pdf