Securing Southeast Asia's QR Payments: Key Security Challenges and Solutions
January 21, 2025
In recent years, Southeast Asia has been adopting QR Code payment as a primary method of cashless transactions owing to the region's high smartphone penetration rate, younger population, and a strong preference for mobile-first solutions.
In contrast with what's been happening in Southeast Asia, more developed regions like North America or Europe where credit and debit cards have dominated for decades, Southeast Asia has leapfrogged traditional banking infrastructures in favor of mobile wallets and QR code technology. This shift is fueled by the region's diverse payment landscape, including the remaining unbanked population and government initiatives to promote financial inclusion.
In this article, we look at the current state of QR code payment in Southeast Asia, how these countries have managed to make the method national, its security risks and ways it can be further enhanced.
The state of QR Code Payment in Southeast Asia
QR code payments have seen rapid growth in Southeast Asia, with notable adoption in Singapore, Thailand, and Vietnam. In 2022, daily users of QR payments accounted for 27% of the population in Vietnam, 23% in Thailand, and 22% in Singapore.
By 2023, national QR systems processed 1.29 billion transactions in Vietnam, and 151.7 million transactions were recorded in just the first half of 2024, a 107% YoY increase. Singapore's inter-bank QR system handled 125 million transactions in 2020, with total value projected to reach USD 48.5 billion by 2025. Malaysia processed over 2 billion transactions in three years, while the Philippines recorded 58.6 million transactions in 2023.
Compared to credit cards, QR payments are quicker, more convenient, do not require users to download additional applications, and often low-cost, making them especially appealing in markets like Vietnam, Thailand, and the Philippines, where credit card adoption remains limited.
What is QR Code Payment?
QR code payment is a cashless transaction method that uses Quick Response (QR) codes to facilitate payments between customers and merchants. QR codes are two-dimensional barcodes that store information such as payment details, enabling fast and secure exchanges without the need for physical cards or cash.
This payment method has become popular in the region due to its convenience, affordability, and minimal infrastructure requirements. Users can make purchases by scanning a QR code displayed at a merchant's location or on their smartphone using a mobile payment app (a wallet or a banking app), which then processes the transaction through linked bank accounts or digital wallets.
How Does QR Code Payment Work?
QR code payments involve the payer's mobile device and the merchant's QR code. The merchant displays a QR code with payment details, which the customer scans using a mobile payment app. After confirming the amount, the app deducts funds from the customer's linked account and transfers them to the merchant.
In more detail, there are two types of QR codes adopted in payment: static and dynamic codes.
Static codes: these are issued once to the merchant and do not change over time. Upon scanning, customers will need to key-in the specific amount of payment they need to make before confirmation.
Dynamic codes: these codes are generated by merchants for each customer. Upon scanning, customers will only need to confirm the payment since the amount was already pre-filled by the merchant. This type of code is mostly used for e-wallets instead of banking.
Apart from this model, it is also possible for merchants to scan customers' individual QR codes that are generated by their payment application and subject to a short time period. However, this method is more commonly seen in East Asia where card-bound payment methods have matured.
National QR Code Real-time Payment Systems
In the aforementioned Southeast Asian countries, QR code payment has been strongly supported by the government through close collaboration with leading technology providers to establish a QR code system that allows transactions to be made, upon scanning, from any account at any bank that is a system member.
Though these systems are named differently, they operate in a similar way to achieve inter-bank transferability.
| Country | National QR Code Payment System |
| Vietnam | VietQR |
| Indonesia | QRis |
| Thailand | ThaiQR and PromptPay |
| The Philippines | QR Ph |
| Malaysia | DuitNow QR |
| Singapore | SGQR and PayNow |
| Myanmar | MPU QR |
| Laos | LaoQR |
Common QR Payment Security Risks in Southeast Asia
Although convenient, QR code as a payment method still has significant security risks. The first loophole is related to the QR codes themselves. From observation, users and experts have reported several types of scamming methods that constitute QR payment risks.
Fake QR codes: Fraudsters place a fake QR code on legitimate products, invoices, or advertisements, leading users to malicious websites or fraudulent payment platforms and share their personal information.
MITM attacks: Scammers intercept QR code transactions by modifying the QR code on display (at a POS or website) to redirect payments to their own account.
Social engineering: Bad actors over the internet (without physically meeting) can pretend to sell a product or service, share their account code, and receive money from users then run away.
QR Code swapping: Criminals replace legitimate QR codes at the merchant with their own code to steal the merchant's money in their account.
The second point of weakness lies not in the QR codes themselves, but in digital payment platforms that are not well-protected against external risks. In the region, QR code scanning is not only applied for quick, inter-bank transfers, but also to digital wallets. Both types of platforms are prone to the below risks.
Most online payment platforms, including banking, in Southeast Asia are using username and password as the main login authentication method. With the bad habit of reusing passwords across different websites, users are at risk of losing access (account takeover) to their account in the case fraudsters successfully gather their account information from data breaches.
Enhancing security for QR Code Payments
Based on the mentioned issues and risks, there are three aspects for enhancing security QR payment.
QR Payment Fraud Prevention at Merchants
To combat fake QR codes and MITM attacks, merchants can protect legitimate codes by only displaying them during online payments rather than at the cashier. If QR codes must be shown, merchants should educate customers on the correct design, often regulated by payment platforms, and consider adding their logo for verification.
For banking transfers, merchants should display the account holder's name under the QR code and remind customers to check if the displayed name matches the one shown in the system. Regular checks on QR codes are essential to ensure they are not replaced by counterfeit ones. Online merchants should choose reputable payment providers that follow security standards and secure their websites with SSL certificates.
How users can prevent QR code payment fraud
When making QR code payments, users should verify codes for any signs of tampering and choose reputable mobile payment apps to avoid malware and attacks. Enabling real-time notifications on payment apps allows users to monitor transactions more effectively.
At physical points of sale, merchants may use audio notifications to confirm completed transactions. For online purchases, users should look for email confirmations to ensure payments are made to the correct recipient.
Improving QR code payment security for payment platforms
Platforms should use advanced technology to strengthen payment authentication, requiring users to verify themselves before each transaction. This adds an extra layer of confirmation, ensuring legitimate payments.
Additionally, payment providers can implement AI-powered, risk-based systems to detect anomalies and potential fraud in real-time. These systems analyze historical data, user device attributes, and apply predefined risk rules to assess and manage transaction risks effectively.
Connecting Southeast Asia Through QR Code Payments
QR code payments in Southeast Asia are evolving beyond borders. Recognizing the challenges travelers face with foreign currencies, several cross-country QR payment collaborations are being developed to facilitate quick and secure payments across the region.
Leading this meaningful initiative is Singapore's PayNow, which is now integrated with Thailand's PromptPay, enabling seamless cross-border transactions. The ASEAN Payment Network (APN) is also crucial in standardizing QR payment formats, allowing merchants and consumers to use a single QR code system for transactions, regardless of the country.
As Southeast Asia continues to unite through innovative QR code payment systems, these initiatives not only simplify transactions for travelers but also pave the way for a more connected, cashless future across the region.
Enhance your platform security with HiTRUST solutions
If you're looking for ways to enhance the security of your payment platform, learn more about HiTRUST Veri FIDO for passwordless authentication - eliminating passwords and password-based security risks. For a more seamless user experience, look into HiTRUST Veri-id for smart and data-driven fraud risk decisioning.