AWS for Industries
How Payment Companies are Using Cloud Technology to Advance Quick Response (QR) Transactions
The last 12 months have heightened our awareness and the phrase “social distancing” has taken on a new meaning when it comes to proximity to people and exposure to objects (i.e. surface sanitation). From contemplating whether we can touch a door knob, to debating whether or not you sanitized your hands after leaving the grocery store before touching the steering wheel of your car. Air handshakes and the occasional elbow greetings have now assimilated into acceptable salutations. These new norms have influenced the rapid adoption of Quick Response codes (QRCs), initially located on restaurant menus in the US at the start of the pandemic and now used as a full-fledged form of payment.
The notion of QR payments is not novel. For years, QRCs have been used in many markets as a form of payment, whether it be for a closed loop payment (accepted at limited merchants) or an open loop payment with Visa QR and Mastercard QR. However, recent events have enhanced its relevancy and will continue to grow as digital payments continue to surge. Merchants are also adopting this new payment form factor, such as PayPal’s iZettle recently introduced QRCs at point of sale (POS) for UK merchants. Additionally, large enhancements are taking place for QRC payment systems with US merchants.
An article in PYMNTS framed the new adoption well, “in what is surely one of the greatest COVID-19 underdog success stories, humble QR codes are the touchless payment ‘innovation’ that’s going wide and keeping business moving, sans hands.”
Recently in an effort to promote the ASEAN Payment Connectivity initiative, the Bank of Thailand and the State Bank of Vietnam launched a cross-border interoperable QRC payment connection between the two countries. According to Regulation Asia, the retail payment link will facilitate cross-border transactions between the two countries using local currencies. This is an indication of how markets are recognizing QRC as a sufficient payment instrument and telling of its global relevancy in the years to come.
What exactly is a QRC Payment?
QRC payments are a contactless payment method where customers scan a visual QRC using their mobile application. It looks like a pattern of black squares arranged of a squared grid with a white background. Typically, smartphones can be used to read QR codes. It can be an alternative to perform an electronic funds transfer at the POS location using a payment terminal. They are quite similar to the logic of a barcode; however, they can store a significant amount of data.
Figure 1: Sample QR Code that leads you to AWS Financial Services website
QRCs have become an extremely prominent part of the payments landscape in the Asia Pacific region and in China specifically. However, in the US, they’ve mostly been relegated to the periphery of the payment and commerce ecosystems. This is starting to change with entities like PayPal and Venmo expanding this model. Customers in-store are now able to use both PayPal and Venmo for payment via a mobile app-based QRC in the US.
Who typically uses QRC and what are their benefits?
- Digital customers (such as wallet providers and mobile payment providers): Typically those that are looking for engaging products that can be delivered and managed digitally. Benefits: Low cost to issue digital acceptance products and unbanked customers have a payment solution that supports financial inclusion.
- Interoperability and global acceptance platform: QR payments anywhere that Mastercard, Visa, China Union Pay QR is displayed. Benefits: Offers safe and secure payments using mobile devices without using physical cards or requiring a bank account.
- Micro merchants: These form a large part of the formal and informal sector and look for low-cost acquiring solutions to manage their payments. Benefits: QR provides merchants with affordable ways to receive payments in stores and online with payments that go directly to their bank account without having incur POS terminal costs and fees.
Reference Architecture
The architecture presented in this blog post explains about how a QR payment traverses through various components and communicates with payment processors.
1. To start, customers scan the business QRC displayed at the checkout page on website or at the POS terminal.
2. Amazon Route 53 to route traffic to an Amazon API Gateway endpoint for dynamic content and static content to Amazon CloudFront. AWS Security services such as AWS WAF and AWS Shield provide security by protecting the web applications from common application-layer exploits and against DDoS attacks.
3. Amazon CloudFront CDN is used to return resources found in its cache in addition to static resources from Amazon Simple Storage Service.
4. Amazon API Gateway and Amazon CloudFront can be seamlessly integrated with AWS Certificate Manager to handle the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your application.
5. The request is routed through a Network Load Balancer which can handle millions of request per second and distributes incoming traffic across its healthy registered targets. Network Load Balancer is optimized to handle sudden and volatile traffic patterns while maintaining ultra-low latencies.
6. Payment request is processed at application layer using Amazon Elastic Container Service that supports deploying tasks on AWS Fargate.
7. Payment transaction information is stored either in Amazon Aurora or Amazon DynamoDB. Amazon ElastiCache is used as a session store to manage session information in the payment processing. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.
8. Service logs are collected in Amazon S3 and analyzed and monitored using Amazon OpenSearch Service (September 8, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service).
9. At security and compliance layer, AWS Config provides nearly continuous compliance. Amazon GuardDuty continuously monitors for malicious activity and unauthorized behavior; protecting AWS accounts and workloads. AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources.
10. Payment request outbound traffic is then sent to the payment processor via NAT Gateway that in turn is connected to card schemes for verification.
Conclusion
This post shows how to use AWS services to design a QR payment with a focus on availability, security, scale, and cost-optimized solution. QR is here to stay. Various forms of contactless payments will continue to emerge, be it on the acceptance side or the issuing side. Though driven by the pandemic, QR has proven to be of value to diversify various customer needs in multiple markets. It is lowering the entry barriers for small merchants and providing consumers an additional value-added service to pay safely and securely—and top of mind these days—without having to worry about sanitization.
For more information about how to work with AWS and to understand how we are supporting payment customers around the world to address niche payment methods please contact your AWS Account Manager or visit AWS Financial Services – Payments, using the QRC in this post. Watch the AWS re:Invent session: How Venmo responded to the demand for contactless payment on Amazon Aurora (Register to view on demand) for more information.