QR Pay- Thailand

Written By frances coyle

This winter, I'm spending some time in Bangkok, and one thing that caught my eye was that QR codes are everywhere! If you've been following my articles, you'll know I'd get curious and want to find out how they work. So, for my fellow payment-curious peeps, here's what I could suss out—enjoy 🙂.

QR Payments Explained

The QR payment systems operate with two main players: the QR pay provider, PromptPay and the user's bank.

PromptPay facilitates QR payments by linking a citizen ID or phone number to a bank account, enabling users to transfer money within their banking app with little or no fees.

PromptPay is also an important tool used by the government for social welfare payments by transferring money directly to the recipient's citizen ID number.

Merchants provide QR codes online or at point-of-sale that include bank transfer information. When payees scan the QR code, it instructs their phone to open their banking app and initiate a bank transfer with the information encoded in the QR code, which includes the merchant's bank account details—name, account number, and sort code. Some codes may require payers to enter the amount manually, while others include price details for a faster process.

PromptPay in Action

As I don't have a Thai bank account, I couldn’t give PromptPay a test run myself. Luckily, a friend let me watch them use it after dinner. It really is everywhere and is accepted in most places in Bangkok.

The first thing I noticed was how their banking app's UX was designed for use in public. More private information, like account balances, is not visible on the bank transfer screen. This design is useful when opening your app in crowded spaces, but also if a merchant asks to take a picture of the completed bank transfer—a practice my friend says is not uncommon.

I really love this idea- it would spare me the "balance-covering shoulder shimmy" the next time I snag a deal on Facebook Marketplace.

Another thing worth mentioning was that my friend needed to enter a one-time password to complete the transfer. This got me wondering about security regulations like Secure Customer Authentication requirements as part of the PSD2 in the UK and Europe, and bank responsibility for fraud.


Security and Fraud

I found a research paper from 2011 that noted a roughly 50/50 split between banks that take some responsibility for fraudulent activities and those that do not. I've also had a look at Bangkok Bank's Terms and Conditions, which state no liability for checks and quite a bit of discretion on other debits. See section 5.6: “The Bank shall not be responsible for any loss due to fraudulent or unauthorized transactions on the Account.” And sections 13.3 and 13.4: “If the Customer disputes any entry within the stipulated period [only 14 days!], the Bank shall investigate the relevant Account to make the necessary adjustments and rectifications, if any”—suggesting a weaker position than the Payment Services Directive consumer protection we're used to.

So, while I'd usually find one-time passwords a bit annoying, I'd be thankful as a consumer that my bank has all the security bells and whistles if I'm on the hook for any unauthorised payments.

Wrap up

Hope you liked this glimpse into QR payments in Bangkok! I'll be around Southeast Asia for a few more months and am excited to see what other payment technologies pop up on my travels—maybe I'll dive into the Grab app next. 

As a product lawyer specialising in payment products, if you need support with your payment product, feel free to hit me up.

frances coyle
Next

AI in Fintech: The Legal Basis for Data Processing