Express Checkout

(Mobile & PC Solutions)

AGENDA
1. Product Overview

2. Risk Overview

3. System Architecture Overview

4. Settlement Overview
Product Overview
Projected Conversion Rate

* This rate is referenced from our current China Domestic Express Checkout Success Rate
Benefits of Express Checkout

More customers, driven by frictionless payment

experience on leading shopping platform (Lazada) and
global payment leader (Alipay)

More engaged customers default payment options

for online payments

Lower service cost

Alipay bear ATO risk no risk on bank side

Benefits of Express Checkout

Frictionless checkout (bank account and cards) - 95%

success rate in Alipay China

Simple instant online enrollment during transaction

Peace-of-mind: members protection provided by Alipay

Higher conversion rate due to less friction more sales

Higher conversion rate due to better connections more

sales

Lower fraud/ chargeback rate thru Alipay risk engine

Business Process Flow Overview
Bind Solution 1 Mobile OTP/Token

Email address

Verify
Name
Password
National ID

Card# / Bank Account #

OTP
Login
Expiry Date

CVV

Mobile Number

OTP Submit

Complete
Bind Solution 2 Random Charge/Deposit

Email address

Verify
Name
Password
National ID

Card# / Bank Account #

Random
Login
Expiry Date Charge

CVV

Mobile Number

Amount Submit

Complete
 Purchase/Transaction Flow

Pay with

Email address

Thank You
Password for your payment

Login Print
 Unbind Process

Email address
Reason to Unbind
Security Issue Password to confirm
Password Account Closed
xxxx-xxxx-8943
Other

Login Unbind Next Step Confirm

Complete
 Bind Process (Pre-filled information)

Verify
Email address

Password Authenticated

Login
 Refund Process

Transaction History
Email address
Order No. Amount Status Refund Request
12345 Rp1,000 Paid 12345 We are processing your
Password 12445 Rp2,000 Paid refund request
12545 Rp3,000 Paid
Rp1,000
Select Reason
Login Refund Back to Homepage
Submit

Transaction History
Order No. Amount Status
12345 Rp1,000 Refund In Progress
12345 Rp2,000 Paid
12345 Rp3,000 Paid

Refund
Risk Overview
Roles & Responsibilities
Bank
Provides support for enrolment checks
Ensures Authentication is complete and is based on a comprehensive set of
variables suited to the local context
Provides support for any case investigation and assists in sharing key information
for the negative users
Alipay
Provides full risk coverage spanning the entire life-cycle of a transaction (to track
customer behavior spanning non-financials and financial events)
Full suite of risk tools which include risk models, base velocity checks, bot
prevention tools etc. to mitigate possibilities of enrolment risk and takeover risk
Provides member protection* (to banks) and buyer protection** (to end
consumers)
* Excludes cases of technical issues or bugs on the banks side resulting in wrong verification results
** Excludes cases of friendly fraud by end consumers
Two key risks for Express-
Express-checkout business
Enrolment / Post-Binding /
Binding phase Payment phase
payment
Authentication
Alipay Authentication Change password
Alipay
unbinding
Cards Alipay Edit profile
Cards
Cards Info disclosure

Unauthorized card/ account risk Account takeover (ATO

(ATO)
ATO) risk

A binds Bs card to As Alipay A binds As card to As Alipay account. Money in

account and then pay with Bs As card is spent by someone else after his/her
card. Alipay account is taken-over.

Victim: card holder Victim: Alipay user/card holder

Authorization-
Authorization-binding Possibility of Unauthorized card usage
Card Fraud Data Security
Definition Unauthorized payment and binding action from card holder Customer card data leakage or compromise

Root Causes Trojan Hack

Phishing Social engineering
Scam
Data leakage
Social engineering
Mobile phone number reuse
Bank issue

Mitigation
Methods
Authentication Strategy Data & Info Security

Encryption

Phishing Recognition Risk Detection

3rd party Data Integration

collaboration Customer
(external blacklist) (device & Education
location)

1
7
Post-
Post-Binding / Payment Phase Possibility of ATO Risk
Wallet account take over Data/system Security
Definition A criminal/fraudster poses as a genuine customer, gains control of an account. Customer card data leakage or compromise

Root Causes Trojan Hack

Phishing Social engineering
Scam
Data leakage
Social engineering
Mobile phone number reuse

Account credentials security Assess new function risk

Mitigation
Design credential reset policy Build up policy and solutions
Methods Detect account abnormal activities Customer education

Account
Risk Policy
Security

Risk Authenticati
Detection on
Data integration Dynamic authentication
Phishing recognition methods for risk verification
Risk engine Advanced biometric
Fraud analysis authentication methods

1
8
Alipay capabilities | Risk Management
Data-
Data-driven Risk Management & Intelligence

80+ Risk models

Thousands Risk rules

<0.001% Fraud loss rate

20% Employees are in risk

related roles
State-
State-of-
of-the-
the-art risk detection service powered by Alipay

Decisions from Alipay:

Reject/Accept/Review
Landing plan
Extra Authentication
 State-
State-of-
of-the-
the-art Risk Platform powered by Alipay
Local Interface Layer
Partner Group
Merchant SDK partners
service data Mobile SDK

Core
Core TP integration Risk detection AML System security
modules
modules Risk service cooperation Promotion Sanction screening Human recognition
Fraud
abuse

STR Secret key

Merchant
Risk data cooperation SN risk
risk
CRR Hacking and defence

Risk Core Platform

Rules engine Models Relation network Biometrics Data network
Global
merchant
Risk Data Platform
Account Transaction Velocity Name lists Trust list IP/GEO Device TP data

Service Risk Operations Back-office

Output Service
Event General Monitor & Chargeback Model operation Appeal Output
search Alert
Fraud
Global strategy Merchant TP
management strategy Fraud Analysis AML operation
center operation

Merchant risk management platform

Risk management portal Onboarding Name list Rules

Regulators in different jurisdictions

 Firm Security principles behind Alipay Platform

all Alipay Users

Collect User payment/environment/behavior data

Collect Essential info;
Register
Password requirement;

RDS during login;

Log in/
limited password trials);
Low-risk account activities
Partially hidden when display private info;

Change/retake well-designed authentication for sensitive account activities

sensitive info

Risk-based Authentication

Pay/transfer Generate risk decision

withdraw via Alipays risk engine

Member Protection
LOSS
Risk-
Risk-based Authentication

Low Risk Medium Risk High Risk

PIN: 6 digits Knowledge-Based Questions Reject: cancel transaction

or
SMS OTP
(mobile no during Alipay registration)

OTP Code
 Member Protection

claim investigation
File a dispute customers Alipay notify and compensate

bank

Member dispute
protection Dedicated
Webpage team compensate
Alipays Service + compensate
hotline
Abilities review
Cases directed platform
notify
from bank

Front-desk: Back-end: Channel/ budget:

Entrance/notification manpower/ infrastructure Ability to give away money
Secure design specially for Alipay App

Secure design for App of Alipay wallets

Draw pattern (or fingerprint authentication ) when activate App

Security SDK integrated to collect info for risk detection

Risk Detection
Location

Environment
Pay with Touch ID
Device info
APP info
Outline

Proposals to mitigate Enrolment Risk

Authentications during binding phase
Enrolment process at Alipays webpage/APPs
1. Alipay collects essential fields from users, which will be passed to the member bank at the
time of enrolment.
2. Only upon a successful confirmation from the bank (positive response to the enrolment
request) - Alipay will then, notify users and bind their cards to their respective Alipay accounts.

Essential fields Information security

1. KYC credentials (first name, last name, ID) Both parties are obligated to
2. Card info (card No.) keep their users essential
factors safe and undisclosed.
3. Factors that can be used to prove belongingness
Cellphone (SMS) Business constraint
Random charge/deposit ID of card holders (on banks file)
and ID of Alipay account should
match.
 Compensations for customers loss
Binding phase Post-Binding phase

A binds As card to As Alipay account.

A binds Bs card to As Alipay account
Money in As card is spent by someone
Scenario and then pay with Bs card.
else .
Victim: card holder
Victim: Alipay user

Cooperate to direct the cases to Alipay .

Bank At some cases share background info No obligation
with Alipay to assist in case investigation.
Member Bank Protection -
Alipay compensate* to the member bank so
Buyer Protection applies
that the card holders
bank account could be credited
Funding pool
May involve third party insurance firms, depending on the total volumes
for coverage of losses

* Except for falsely authenticated cases due to banks error. For example, due to a
bank system bug, mismatched card info and KYC info are verified as matched.
System Architecture Overview
Security
As sensitive information are being shared as part of the Express Checkout, important consideration has to
be given to ensure security and confidentiality is not compromised.

Information Security
Card information (card number, expiry date) and Customer information (full name, id
information) to be stored in PCI-compliant environment

Communication Security
Host-to-Host connection to Bank to be performed over Virtual Private Network
Data communication to be secured e.g., REST APIs
Express Checkout APIs (Host-
(Host-to-
to-Host)
An agreement has to be established between 3 parties (Customer, Bank, Alipay) to allow Alipay to make
payments upon Customers instructions.
This agreement can be
terminated (at discretion of Customer)
suspended (at discretion of Bank)
expired (default validity: 20 years)

1. Global API Specifications - define global API specifications

2. ValidateAgreement - verify user data against bank records

3. CreateAgreement - establish an agreement for Express Checkout

4. ExecuteAgreementPayment - perform a payment using an agreement ID

5. RefundAgreementPayment - refund a payment using an agreement ID + original reference ID

6. GetAgreementStatus - get validity of an agreement

7. CancelAgreement - cancel an established agreement

Sequence Diagram Discussion

1. Creating an Express Checkout Agreement

2. Performing Payment through an Express Checkout Agreement
3. Refunding an Express Checkout Payment
4. Cancelling an Express Checkout Payment
Global API Specification
The Express Fund APIs must follow Global API specifications defined below:

The API definition will be of 2 types (request and response) and comprises of the following
components:
Global API Specification (cont.)
Request Header

Request Body
Request body will be determined by each different APIs business logic. There is no
common structure for request body of APIs.
Global API Specification (cont.)
Response Header
 Global API Specification (cont.)
Response Body
For all responses, the body should include the resultInfo common data structure which comprises of the following fields:
 ValidateAgreement
Verify customers details against banks record
Request
Field Data Type Mandatory Description

accountName char (128) Y Customers full name

idType char (2) Y Type of ID (passport, NIK, KTP, etc)

idNo char (64) Y ID number

bankCardType char (1) Y Type of bank card (debit, credit, etc)

bankCardNo char (64) Y Bank card number

bankCardExpiry char (6) Y Bank card expiry

CVV2 char (4) N Bank card CVV2 (will not be stored)

mobilePhone char (20) Y Customers phone number

Response
Field Data Type Mandatory Description

validationResult char (1) Y Result of validation

memo char (256) Y Memo

 CreateAgreement
Create an agreement for Express Checkout
Request
Field Data Type Mandatory Description

accountName char (128) Y Customers full name

idType char (2) Y Type of ID (passport, NIK, KTP, etc)

idNo char (64) Y ID number

bankCardType char (1) Y Type of bank card (debit, credit, etc)

bankCardNo char (45) Y Bank card number

bankCardExpiry char (6) Y Bank card expiry

CVV2 char (4) N Bank card CVV2 (will not be stored)

mobilePhone char (20) Y Customers phone number

agreementID char (32) Y Unique ID of created agreement

otpValue char(10) Y OTP Value

Response
Field Data Type Mandatory Description

agreementID char (32) Y Unique ID of created agreement

agreementValidity date Y Expiry date of agreement

memo char (256) Y Memo

 ExecuteAgreementPayment
Perform a payment using an agreement ID
Request
Field Data Type Mandatory Description

agreementID char (32) Y Unique ID of agreement

transactionID char (32) Y Alipays transaction ID

amount long (20) Y Transaction amount

currency char (3) Y Transaction currency

bankCardType char (1) N Type of bank card (debit, credit, etc)

bankCardNo char (45) N Bank card number

bankCardExpiry char (6) N Bank card expiry

installmentPeriod char (3) N Number of installments (3 mths, 6 mths, 12 mths)

Response
Field Data Type Mandatory Description

bankTransactionID char (32) Y Unique ID of transaction stored in bank

amount long (20) Y Transaction amount

currency char (3) Y Transaction currency

installmentPeriod char (3) N Number of installments (3 mths, 6 mths, 12 mths)

 RefundAgreementPayment
Refund a payment using an agreement ID + original reference ID

Request
Field Data Type Mandatory Description

refundID char (32) Y Refund ID generated by Alipay

bankTransactionID char (32) Y Original transaction reference ID

agreementID char (32) Y Unique ID of agreement

amount long (20) Y Transaction amount

currency char (3) Y Transaction currency

Response
Field Data Type Mandatory Description

bankRefundID char (32) Y Unique ID of refund performed by bank

bankOriginalTransactionID char (32) Y Original transaction ID

refundAmount long (20) Y Refund amount

refundCurrency char (3) Y Refund currency

 GetAgreementStatus
Get validity of an agreement

Request
Field Data Type Mandatory Description

agreementID char (32) Y Unique ID of agreement

Response
Field Data Type Mandatory Description

agreementID char (32) Y Unique ID of agreement

agreementStatus char (1) Y 0 In-force

1 Suspended
2 Cancelled
3 - Expired
agreementValidity date Y Expiry date of agreement
 CancelAgreement
Cancel an established agreement

Request
Field Data Type Mandatory Description

agreementID char (32) Y Unique ID of agreement

Response
Field Data Type Mandatory Description

agreementID char (32) Y Unique ID of agreement

agreementStatus char (1) Y 0 In-force

1 Suspended
2 Cancelled
3 - Expired
Settlement Overview
 Cash Flow for Payment and Refund
Payment cash flow
Refund cash flow

1. Deduct fund in real time ( on transaction day )

Customer Bank account Refund back to original payment account Acquiring bank

T+1 (payment refund )

2.Net Fund settlement on
3. Net fund Remittance to Merchant on T+2

Merchant bank account Indonesia site escrow account in acquiring

bank
Cash Flow for Wallet Top Up and Withdraw
Only for Debit card

1. Deduct fund in real time (on topup day)

Customer Bank account Fund transfer to withdraw bank account Acquiring bank

T+1 (topup-withdraw)
2.Net Fund settlement on
Topup cash flow
withdraw cash flow

Note: Indonesia site escrow account in acquiring

1. Withdraw amount Wallet balance bank
Merchant Remittance Flow

1. Authorization for merchant remittance

Indonesia site
Merchant 5. Send Remittance result to Merchant

remittance order
2.Create merchant
return
4 .Remittance result
Note:
1. Alipay issues merchant remittance order on behalf
of merchant and send to bank automatically

2. Acquiring Bank should support all bank account Settlement bank

remittance (including internal and external bank
account ) and return remittance result to Alipay
automatically
Business/ Fund Reconciliation flow
Alipay Acquiring Bank
inquiry resend Transaction files

Transaction info. Transaction info.

Business
reconciliation

Matching
Related Records Settlement files

Fund
reconciliation

Matching results Matching Bank statement

What Alipay will do?

Merchant remittance/ refund automatically

Alipay system will support processing merchant remittance and refund automatically
issuing remittance/ refund orders ,
sending to bank and analyzing result form bank and so on

Business/fund reconciliation automatically

Alipay system will support reconciliation automatically
analyzing data form cooperator (Acquiring Bank) e.g. bank settlement file/ statement
Matching data form cooperator with data in Alipay system
Thank You!