The Shanghai Head Office of the People's Bank of China (“PBC”); all branches and business management departments of the PBC; all central sub-branches of the PBC in capital cities of provinces (autonomous regions) and sub-provincial cities; all state-owned commercial banks, joint-stock commercial banks, and Postal Savings Bank of China; all non-banking payment institutions; China UnionPay Co., Ltd.; the Payment & Clearing Association of China (PCAC); and China Nets Union Clearing Corporation:
For the purposes of regulating the barcode payment business, protecting the lawful rights and interests of consumers, maintaining the environment of fair competition on the market, and promoting the sound and sustainable development of the mobile payment business, the Standards for the Barcode Payment Business (for Trial Implementation) (Annex) are hereby issued to you, and the relevant work requirements are hereby notified as follows for your compliance and implementation.
I Strictly observing the requirements for business qualifications and clearing management
A non-banking payment institution (hereinafter referred to as the “payment institution”) which provides clients with payment services based on barcode technologies shall obtain the license to conduct the online payment business. The payment institution which provides barcode payment acquiring services for an entity franchised merchant or a network franchised merchant shall obtain the bankcard acquiring business license and online payment business license separately.
A banking financial institution (hereinafter referred to as a “bank”) or a payment institution that conducts the barcode payment business involving inter-bank transactions shall handle them through the inter-bank clearing system of the PBC or a clearing institution with legal qualifications. From the date of issuance of this Notice, no bank or payment institution may add any barcode payment business conducted through direct connection to different corporate institutions; and the existing business shall be transferred to a legal clearing institution as soon as possible according to the relevant provisions of the PBC.
II Regulating the management of the barcode payment acquiring business
“Barcode payment acquiring business” means the act that an acquiring institution enters into an acceptance agreement with a franchised merchant to provide transaction fund settlement services for the franchised merchant after the franchised merchant accepts the payment methods based on barcode technology as agreed upon and reaches a transaction with the payer. A bank or payment institution shall, when providing franchised merchants with barcode payment acquiring services, implement the Measures for the Administration of the Bankcard Acquiring Business (Announcement No. 9 [2013], PBC), the Notice of the People's Bank of China on Strengthening the Administration of Outsourcing of the Bankcard Acquiring Business (No. 199 [2015], PBC) and other relevant provisions. A bank or payment institution shall strengthen the management of the barcode payment acquiring business, and strictly abide by the basic provisions on the real name system of merchants, risk rating of merchants and monitoring of transaction risks. To provide acquiring services for entity franchised merchants, it shall perform the responsibility of local business operations and periodical patrol inspection of merchants. To provide acquiring services for online franchised merchants, it shall strengthen the use management of network payment interfaces and transaction monitoring, and take effective inspection measures and technical means to inspect their business content and transactions. A bank or payment institution which cooperates with an outsourcing service provider in barcode payment business shall specify the positioning of the outsourcing service provider, strengthen management and prevent business risks.
III Giving play to the role of industry self-regulation
A bank or payment institution conducting the barcode payment business shall accept the industry self-regulatory management of the PCAC. The PCAC shall include barcode payment franchised merchants in the management of the franchised merchant information management system of the PCAC, and include barcode payment outsourcing service providers in the rating system for the bankcard acquiring outsourcing service providers of the PCAC for management. If a real-name report is made on the suspected violation of law or regulation in the barcode payment business, the PCAC shall punish the violator in accordance with the relevant requirements of the Measures for Rewarding the Reporting of Violations of Laws and Regulations on Payment and Settlement (Announcement No. 7 [2016], PBC) and the detailed rules for its implementation.
IV Reinforcing supervision and inspection
A bank or payment institution that has conducted the barcode payment business shall comprehensively review its own barcode payment business (including domestic, cross-border and overseas businesses), and form reports, including but not limited to the business volume calculated on an annual basis, product introduction, business flow, technical plan, risk management mechanism, cooperation with domestic and foreign institutions, capital settlement mode, fee rates and profit distribution mechanism, measures for the protection of clients' rights and interests, information on outsourcing service providers, outsourcing scope, the information on self-inspection conducted in accordance with this Notice, and rectification plan. Before January 31, 2018, a national bank shall submit the report to the PBC Head Office, and any other bank or payment institution shall submit the report to the PBC branch office at the place where the legal person is located.
A bank, payment institution or clearing institution that innovates in the barcode payment business and expands cross-border and overseas barcode payment business shall report it to the PBC Head Office or the PBC branch office at the place where the legal person is located at least 30 days in advance.
PBC branch offices shall, in accordance with the law, conduct supervision and administration of the barcode payment business of banks and payment institutions within their respective jurisdictions, strengthen inspection, and handle the regulatory violations in accordance with the Measures for the Administration of the Payment Services Provided by Non-financial Institutions (Order No. 2 [2010], PBC), the Measures for the Administration of the Bankcard Acquiring Business, the Measures for the Administration of the Online Payment Business of Non-banking Payment Institutions (Announcement No. 43 [2015], PBC) and other relevant provisions. If the circumstances are serious, the violator shall be punished in accordance with the provision of Article 46 of the Law of the People's Republic of China on the People's Bank of China.
PBC branch offices shall forward this Notice to urban commercial banks, rural commercial banks, rural cooperative banks, rural credit cooperatives, village banks and foreign-funded banks within their respective jurisdictions.
The People's Bank of China
December 25, 2017
Annex
Standards for the Barcode Payment Business (for Trial Implementation)
Chapter I General Provisions
Article 1 For the purposes of regulating the barcode (QR code) payment (hereinafter referred to as “barcode payment”) business, protecting consumers' lawful rights and interests, and promoting the sound development of the barcode payment business, these Standards are developed in accordance with the Electronic Payment Guidelines (No. 1) (Announcement No. 23 [2005], PBC), the Measures for the Administration of the Payment Services Provided by Non-financial Institutions (Announcement No. 2 [2010], PBC), the Measures for the Administration of the Bankcard Acquiring Business (Announcement No. 9 [2013], PBC), the Measures for the Administration of the Online Payment Business of Non-banking Payment Institutions (Announcement No. 43 [2015], PBC) and other relevant provisions.
Article 2 For the purposes of these Standards, “barcode payment business” means the business activities in which banking financial institutions (hereinafter referred to as “banks”), non-banking payment institutions (hereinafter referred to as “payment institutions”) apply barcode technologies to realize the transfer of monetary funds between the payer and the payee.
The barcode payment business includes payment code scanning and receipt code scanning. “Payment code scanning” means the payer's act of reading the barcode shown by the payee through the mobile terminal to complete payment. “Receipt code scanning” means the payee's act of reading the barcode shown by the payer through the mobile terminal to complete payment.
Article 3 A bank or payment institution shall conduct the barcode payment business in accordance with these Standards.
Article 4 A payment institution that conducts the barcode payment business shall obtain the appropriate business permit as required, and conduct the business in a standard manner in accordance with the applicable administrative measures.
Article 5 No payment institution may, on the basis of barcode technology, conduct such businesses as securities, insurance, credit, financing, wealth management, guarantee, trust, currency exchange, and cash deposit and withdrawal or do so in any disguised form.
Article 6 A bank or payment institution that conducts the barcode payment business shall comply with the provisions on the real-name system management of clients, comply with the requirements of anti-money laundering laws and regulations, perform the obligation of anti-money laundering and anti-terrorist financing, and protect the lawful rights and interests of clients and relevant parties in accordance with the law.
Article 7 A bank or payment institution shall consciously abide by business ethics, shall not denigrate the business reputation of any other market participant in any form, shall not exclude competitors, damage the interests of any other market participant, or disrupt the order of fair competition on the market by means of unfair competition.
Article 8 A bank or payment institution shall comply with the requirements of relevant technical standards and specifications issued by the PBC, and guarantee the trading security and information security of the barcode payment business.
Chapter II Barcode Generation and Acceptance
Article 9 A bank or payment institution that conducts the barcode payment business shall conduct affiliated management of the bank account or payment account, identity certificate number, and mobile phone number of the client used for generating barcodes.
Article 10 A bank or payment institution that conducts the barcode payment business may combine the following three elements to verify a client's barcode payment transactions:
(1) Elements known by a client, such as static passwords.
(2) Elements which are held only by the client and are unique, non-duplicable or cannot be used repeatedly, such as digital certificates and electronic signatures which have passed safety certification, and one-time passwords generated and transmitted through safety channels.
(3) Elements of the client's own biological characteristics, such as fingerprints.
The bank or payment institution shall ensure that the elements adopted are independent from each other, and the damage or leakage of some elements shall not lead to the damage or leakage of other elements.
Article 11 Where the digital certificate or electronic signature is used as the verification element, the digital certificate and the process of generating the electronic signature shall comply with the relevant provisions, and the uniqueness and integrity of the digital certificate and non-repudiation of the transaction shall be ensured.
Where the one-time password is used as the verification element, the risk arising from the one-time password being received on the same physical equipment that sends the payment instructions shall be effectively prevented, and the validity period of one-time passwords shall be strictly limited to the shortest necessary time.
Where the biological characteristics of a client are used as the validation element, they shall meet the national and financial industry standards and relevant information security management requirements, and illegal storage, replication or replay is prohibited.
Article 12 A bank or payment institution shall, according to the classification of risk prevention capability in the Technical Specifications for the Safety of Barcode Payment (for Trial Implementation) (No. 242 [2017], PBC), conduct quota management of the barcode payment business for individual clients:
(1) If the risk prevention capability reaches Grade A, that is, the transaction is verified by adopting two or more valid elements, including digital certificate or electronic signature, the accumulative limit in one day may be agreed upon with the client through agreement.
(2) If the risk prevention capability reaches Grade B, that is, the transaction is verified by adopting two or more valid elements, excluding digital certificate and electronic signature, the accumulative transaction amount in a single bank account or all payment accounts of the same client in one day shall not exceed 5,000 yuan.
(3) If the risk prevention capability reaches Grade C, that is, the transaction is verified by adopting fewer than two types of elements, the accumulative transaction amount in a single bank account or all payment accounts of the same client in one day shall not exceed 1,000 yuan.
(4) If the risk prevention capability reaches Grade D, that is, the static barcode is used, the accumulative transaction amount in a single bank account or all payment accounts of the same client in one day shall not exceed 500 yuan.
Article 13 Where a payment institution sends a payment instruction to the account opening bank of a client, and deducts funds in the client's bank account, the accumulative daily trading limit for all bank accounts of the same client shall be governed by the provisions of Article 12.
Article 14 A bank or payment institution providing payment code scanning services shall have differentiated risk control measures and complete mechanisms for resolving the damage to clients' rights and interests, expressly remind clients of the payment risk in such core business flow as barcode generation, reading and payment, and effectively prevent lawbreakers from causing client information leakage and fund loss by inserting Trojan horses and viruses in barcodes.
Article 15 Where a bank or payment institution provides payment code scanning services, it shall use the dynamic barcode, set the validity period of barcodes, use frequency and other means so as to prevent the repeated use of barcodes, which may lead to repeated deductions, and ensure that the barcodes are true and valid.
Article 16 The business systems, client end software, and acceptance terminals (network payment interfaces), among others, involved in the barcode payment business conducted by a bank or payment institution shall continuously comply with the requirements of regulatory authorities and industry standards, and the security, truthfulness and integrity of the process of code generation and reading shall be guaranteed.
Article 17 A bank or payment institution shall, in accordance with the relevant provisions of the PBC, strengthen the internal control management and security protection of sensitive payment information, strengthen the transaction password protection mechanism, and control information leakage and fraudulent trading risks from the source by such means as the application of payment tokenization technologies.
Article 18 A bank or payment institution shall designate special persons to operate and maintain barcode generation systems. Barcode information shall only cover the information on the current payment, and shall not cover any sensitive payment information related to the client and its account.
The barcode displayed by a franchised merchant shall only cover such information as franchised merchant, commodity (service) or commodity (service) order related to the current payment.
The barcode displayed by the mobile terminal shall not cover the unencrypted client's own account information.
Article 19 A bank or payment institution shall ensure that the barcode payment transaction is confirmed or authorized by the client, and the payment instruction shall be true, complete and valid.
After the mobile terminal has finished barcode scanning, the scanned content shall be displayed in an accurate and complete manner for the client to confirm.
After the acceptance terminal of a franchised merchant completes the barcode scanning, it shall only show the scanning result and remind the next step operation, and shall not show the payer's sensitive payment information.
Article 20 A bank or payment institution shall, according to the true scenarios of barcode payment, correctly choose transaction types according to the relevant provisions, accurately identify transaction information and send them in a complete manner, and ensure the integrity, truthfulness and traceability of transaction information.
The transaction information shall at least cover the name, category and code of the franchised merchant directly providing commodities or services, the type and code of acceptance terminal (network payment interface), trading time and place (network address of network franchised merchants), transaction amount, transaction type and channel, and transaction initiating method, among others. The transaction information of network franchised merchants shall also cover the order number and the name of the online trading platform.
A bank or payment institution shall, in the payment transaction message, mark the transaction as a barcode payment transaction through a specific domain for the recipient of the message to correctly identify it and handle it upon authorization.
Article 21 After the payment transaction is completed, the acceptance terminal and mobile terminal of a franchised merchant shall show the payment result; and if the payment fails, the acceptance terminal and mobile terminal of the franchised merchant shall also show the reason for the failure.
Chapter III Management of Franchised Merchants
Article 22 A bank or payment institution shall follow the principle of “knowing your clients” when expanding barcode payment franchised merchants, and ensure that the franchised merchants are formed and operated in accordance with the law.
Article 23 The PCAC and clearing institutions shall include barcode payment franchised merchants in the information management system for franchised merchants and blacklist management mechanism. When a bank or payment institution expands franchised merchants, it shall conduct inquiry and confirmation, and if a merchant or its legal representative or person in charge has any bad information record in the franchised merchant information management system, it shall prudently provide barcode payment services for the merchant. It shall not expand an entity or individual that has been included in the blacklist or an entity where an individual included in the blacklist serves as the legal representative or person in charge as the franchised merchant, and if it has expanded the entity as a franchised merchant, it shall remove the franchised merchant within 10 days from the date when the franchised merchant is included in the blacklist.
Article 24 A bank or payment institution shall carry out the provisions of the real-name system when expanding franchised merchants, strictly examine the business licenses of franchised merchants and other certification documents, valid identity certificates of legal representatives or persons in charge, and other application materials, confirm the truthfulness, integrity and validity of application materials, and retain the photocopies or copies of application materials.
For entity franchised merchants (micro and small merchants) which are exempted from undergoing registration at industrial and commercial administrative departments in accordance with laws, regulations and relevant regulatory provisions, the acquiring institution may, under the premise of adhering to the principle of “knowing your clients,” provide them with barcode payment acquiring services by examining the identity certification documents of the principal persons in charge of the merchants and the auxiliary certification materials. The auxiliary certification materials shall include but not be limited to materials that can reflect micro and small merchants' true and legal commodity or service trading activities such as lease agreements or property right certificates of business places and certification documents issued by the managers of the centralized business places.
The upper limit for receipts from barcode payment on the basis of credit cards handled by all micro and small merchants with the same identity certificate at the same acquiring institution is a daily accumulative amount of 1,000 yuan and a monthly accumulative amount of 10,000 yuan. A bank or payment institution shall, in consideration of the risk degree of micro and small merchants, make dynamic adjustments to transaction card varieties, trading limits, and settlement period, among others, and strengthen the monitoring of transactions of micro and small merchants.
Article 25 A bank or payment institution shall enter into barcode payment acceptance agreements with franchised merchants to agree on the establishment and modification of bank settlement accounts, capital settlement periods, settlement commission fee rates, error and dispute settlement and other matters relating to barcode payment services, and specify both parties' rights, obligations and liabilities for the breach of contract.
Article 26 In the barcode payment acceptance agreement, a bank or payment institution shall require franchised merchants to accept barcode payment on the basis of true commodity or service transaction background, use acceptance terminals or network payment interfaces and bank settlement accounts as required, and not to use them or provide assistance for any other person to conduct illegal activities; properly handle transaction data information, retain transaction vouchers, guarantee transaction information security; and not to charge additional fees from clients or do so in any disguised form or reduce the service level.
Article 27 A bank or payment institution shall establish a franchised merchant information management system to record the names and business addresses of franchised merchants, the identity information of franchised merchants, the categories of franchised merchants, the settlement commission fee rates, the bank settlement account information, the opened transaction types and opening hours, the types and installation address of acceptance terminals (network transaction interfaces) and other information, and update the information in a timely manner.
The bank or payment institution shall, as required, submit the basic information on franchised merchants to the PCAC and the franchised merchant information management system of the clearing institution.
Article 28 A bank or payment institution shall establish rules for the inspection of franchised merchants, specify the inspection frequency, inspection content, inspection records and other management requirements, and fulfill the inspection responsibilities.
Article 29 A bank or payment institution shall conduct the localized operation and management of barcode acquiring services for entity franchised merchants, provide acquiring services through acquiring institutions or their branches within the jurisdiction of provinces (autonomous regions and municipalities directly under the Central Government) at the places where franchised merchants and their branches are located, and shall not conduct the barcode acquiring business across provinces (autonomous regions and municipalities directly under the Central Government).
Article 30 A bank or payment institution shall, in accordance with the relevant requirements of the Notice of the People's Bank of China on Strengthening the Administration of Outsourcing of the Bankcard Acquiring Business (No. 199 [2015], PBC), prudently select outsourcing service providers, strictly regulate the business cooperation with outsourcing service providers, and reinforce the risk management responsibilities of acquiring outsourcing services. The management responsibilities and risk assumption liability of the bank or payment institution as the subject for the barcode payment acquiring business shall not be transferred due to the outsourcing relationship.
A bank or payment institution shall not assign the qualification examination of franchised merchants, conclusion of acceptance agreement, capital settlement, transaction processing, risk monitoring, master key generation and management of acceptance terminals, management of network payment interfaces, error and dispute settlement to the outsourcing service provider. If a bank or a payment institution links to the system of an outsourcing service provider to conduct business, it shall ensure that the outsourcing service provider is unable to obtain or have access to the sensitive payment information, or conduct the settlement of capital of franchised merchants directly or in a disguised form.
Article 31 A bank or payment institution shall respect franchised merchants' right of choice, and shall not intervene in the cooperation between franchised merchants and other institutions or do so in any disguised form.
Article 32 A bank or payment institution that conducts the barcode payment business shall determine prices in a scientific and rational manner by reference to the pricing standards for the bankcard swipe fees, and shall not exclude competitors or disrupt the market order by using unfair means such as cross-subsidies and dumping below cost price.
Chapter IV Risk Management
Article 33 A bank or payment institution shall establish a comprehensive risk management system and an internal control mechanism, enhance the risk identification capability, take effective measures to prevent risks, and find out and handle suspicious transaction information and risk events in a timely manner.
Article 34 A bank or payment institution conducting the barcode payment business shall assess the money laundering and terrorist financing risks related to its business, and take management and control measures appropriate to its risk levels.
Article 35 A bank or payment institution shall establish risk rating rules for franchised merchants, and conduct risk rating of franchised merchants by taking overall consideration of such factors as the regional and industry characteristics, business scale, and financial and credit status of franchised merchants.
Article 36 A bank or payment institution shall, in consideration of the risk degrees and transaction types of franchised merchants and other factors, set or agree on the single and daily accumulative trading limits.
Article 37 A bank or payment institution shall take risk management measures such as reinforcing transaction monitoring, establishing risk reserve fund for franchised merchants and delaying clearing against franchised merchants with relatively high risk levels, so as to prevent transaction risks.
Article 38 A bank or payment institution shall establish rules for the inspection and assessment of franchised merchants, determine different inspection and assessment frequencies and methods according to the risk levels of franchised merchants, and retain relevant records.
Article 39 A bank or payment institution shall make emergency response plans, establish disaster backup systems, and guarantee the continuity of the barcode payment business and the safe operation of business systems.
Article 40 A bank or payment institution shall be able to effectively identify client end programs issued by it and franchised merchants' acceptance terminals, and be able to ensure the security of the generation and reading of barcodes.
Article 41 A bank or payment institution shall ensure the security of clients' identity or account information, prevent leakage, and set barcode validity and use frequency according to different business scenarios of receipt and payment.
Article 42 A bank or payment institution shall establish a risk monitoring system for barcode payment transactions, find suspicious transactions in a timely manner, and prevent trading risks by such means as blocking transactions and contacting clients to verify transactions.
Article 43 Where a bank or payment institution discovers any suspected cash-out, money laundering, terrorist financing, fraud, or retention or leakage of account information or any other risk event of any franchised merchant, it shall take such measures as delaying capital settlement, suspending trading and freezing accounts against the franchised merchant, and assume the liability for risk loss caused by the failure to take measures; and if it finds any suspected illegal or criminal activities, it shall report the case to the public security authority in a timely manner.
Article 44 A bank or payment institution shall constantly improve its client service system, accept and resolve in a timely manner problems such as clients' consultation, inquiry and complaints in the barcode payment business, and consciously protect the lawful rights and interests of clients.
Article 45 A bank or payment institution shall fully disclose the product types, handling processes, operating procedures, fee rates and other information about the barcode payment business, and specify business risk points and relevant liability assumption mechanisms, risk loss compensation methods and operating methods.
Article 46 A bank or payment institution shall provide barcode payment security education to clients and enhance their risk prevention awareness and response capability.
Article 47 A bank or payment institution shall report the risk information on barcode payment franchised merchants to the PCAC or the risk information management system of the clearing institution.
Where a bank, payment institution or its outsourcing service provider or barcode payment franchised merchant is suspected of any major illegal or criminal case or major risk event in relation to payment, it shall report to the PBC or its branch office within two working days.
Chapter V Supplementary Provisions
Article 48 These Rules shall apply, mutatis mutandis, to the administration of payment services by transferring transaction information by such information carriers as user-defined symbols, graphics and images.
Article 49 The relevant terms of these Rules shall have the following meanings:
“Mobile terminal” means terminal equipment with mobile communication functions that is used by a client for displaying or reading barcodes and completing payment, such as mobile phones and laptops.
“Acceptance terminals of franchised merchants” means the special equipment for franchised merchant terminals which has such functions as barcode display or reading, participates in barcode payment and completes the receipt of sale payment, including the code display device with barcode display functions, the special equipment for reading barcodes and sending payment instructions to the back-office system, including but not limited to the cashier system with code scanning devices, the point of sale (POS), and self-service terminals.
“Sensitive payment information” means the information that will damage information security and fund security of identified information subjects once it is divulged or amended, including but not limited to payment passwords, bankcard passwords, verification codes, card validity period, biological characteristics, and financial information not authorized by clients.
Article 50 These Rules shall come into force on April 1, 2018.