What is a QR Dispute?
QR Dispute refers to a situation whereby an end user disputes payments made via quick response (QR) codes scanned with their mobile phones over using cash or bank cards in an online purchase or physical stores. The end users are normally able to raise a QR dispute within 90 days of purchase payment.
Which e-Wallet Channels are Subject to QR Disputes?
- ShopeePay currently offers 2 payment flows -- QRIS for desktop flow and deep link for mobile flow. If a user scans and pays the presented QRIS with a non-ShopeePay app, the payment is subject to QR dispute.
- PayMaya (Maya)
- PayMaya (Maya) currently offers 2 payment flows -- QR PH and Express Checkout. If a user scans and pays the presented QR PH with a non-PayMaya (Maya) app, the payment is subject to QR dispute.
What are Some Common QR Disputes?
The circumstances usually involve billing errors, duplicate processing, refund issues, or fraud.
The merchant needs to contact the end users and clarifies regarding the QR dispute reason, which can be either:
Billing error (transaction failed or did not complete but the amount was still deducted from the end user’s balance.
Duplicate processing (the amount was taken twice from the end user’s account).
- E.g. An end user scanned a code that was no longer in use and so the store owner/merchant made the end user pay afresh.
End user claims the transaction is fraudulent.
- E.g. An end user scanned a fake QR code and was tricked to give out their money or personal information.
Credit not processed.
- E.g. The end user is highly likely to raise a dispute with their Bank if the merchant failed to issue a refund after the item has been returned.
Goods/services were not received or not as described.
Refund amount does not match the original amount of the transaction.
How Do You Get Notified?
When an end user raises a QR dispute to their paying bank or e-wallet, called the Issuer, the Acquiring Partner (ShopeePay or Maya/PayMaya) will let you know about the details.
QR Dispute Prevention Methods
A QR code can be generated for any web address, so scammers or fraudsters can print one linking to a website designed to steal payment information and paste it over an existing code at a business. An error can also occur during the scanning and codes can be tampered. Here’s how you can prevent this from happening:
Always check if a transaction went through. Always ask the customer to wait for a few extra seconds till you get the SMS alert to ensure the receipt of the payment. It is the merchant’s responsibility to confirm the genuineness of the QR code being used.
Always update the QR code, make sure to remove code that is no longer in use to avoid hassle and double billing error dispute.
For merchants who use physical QR codes, they must be checked regularly for tampering. Even if the code is within sight of employees, applying a sticker with a fake QR code is something that can be done discreetly, and in less than a second. Always make sure there's no sticker on top of the legitimate QR code.
Keep receipt of the transaction confirmation or screenshot of SMS alert.
Keep records of all transaction proof (invoices, order receipt etc.)
Respond to end user’s inquiries ASAP.
Process a refund as necessary.
QR Dispute Timeline
Generally, an end-user can issue QR disputes until H+90 from the date of transactions.
- Retrieval Stage: H+90 from the date our Acquiring Partner (ShopeePay ID or PayMaya/Maya) receives the QR dispute case, informs Xendit, until they submit the evidence to Issuer.
- QR Dispute Stage: H+30 from the date Acquiring Partner (ShopeePay ID or PayMaya/Maya) receives the news of Retrieval Stage, informs Xendit, until they re-submit the evidence to Issuer.
How do you recognize fraud cases when they arise? There are various sorts of fraud that can occur in QR transactions. QR code attacks, like ransomware and phishing attacks, are becoming more frequent across the global threat landscape. The documented types of fraud (so far) are listed below.
Cyber fraud, a fraudster can replicate or counterfeit QR Code data to defraud merchants during a transaction. They could embed malicious URLs with malware into them or infiltrate the smartphone and even direct it to a phishing site thus exposing the user’s personal and financial credentials.
- In a Quishing attack, threat actors send a phishing email containing a malicious QR code attachment. Once the user scans the QR code, it will direct the user to a phishing page that captures sensitive data like users' login credentials.
- A QRL allows users to log in to their accounts by scanning a QR code, which is encrypted with the user’s login credentials. A threat actor tricks unwitting users into scanning a specially crafted QRL rather than the legitimate one. Once the victim scans the malicious QRL, the device gets compromised, allowing the attacker to take over complete control over the device.
Friendly fraud and Return fraud can occur after the payment has been finalized. Typically, a legitimate end user contacts their issuer to chargeback a purchase, claiming they don't recognize or didn't make it.
Employee fraud. An employee replaced the original QR code and got another stuck over it, diverting the payment to another account. This is mostly common in Restaurants and Hotels.