POINT-OF-SERVICE QR PAYMENTS IN MALAYSIA: SALIENT OBLIGATIONS FOR ACQUIRERS AND MERCHANTS

Introduction: Development of Payment Systems in Malaysia

Malaysia’s payment landscape has undergone a steady transformation over the past few decades, moving from cash-heavy transactions to a highly digital and interoperable ecosystem. Before 2000, cash and cheques were the primary payment methods, with ATMs mainly used for cash withdrawals and limited electronic transaction capabilities.

From the early 2000s, improvements in banking infrastructure encouraged the adoption of electronic payments. The introduction of Interbank GIRO (IBG), expanded ATM networks, and increased debit and credit card usage marked Malaysia’s initial shift away from cash. This transition accelerated between 2005 and 2015 with the rise of internet banking, FPX for online payments, and JomPAY for bill payments, making digital transactions part of daily life.

A major transformation occurred in 2017–2018 with the establishment of Payments Network Malaysia (PayNet) and the launch of DuitNow, enabling real-time, account-to-account transfers using simple identifiers. From 2019 onwards, DuitNow QR further accelerated cashless adoption by providing a single interoperable QR code for banks and e-wallets, benefiting consumers and merchants, especially SMEs.

Today, Malaysia’s digital payment landscape extends beyond domestic use through cross-border QR linkages with neighbouring ASEAN countries such as Thailand and Indonesia. Cash usage at point-of-sale transactions has declined significantly, while QR payments, account-to-account transfers, and e-wallets like Touch ’n Go, Boost, GrabPay, and ShopeePay continue to grow, supported by regulatory frameworks from Bank Negara Malaysia (“BNM”) and government initiatives promoting digital adoption.

What is DuitNow QR?

DuitNow QR is Malaysia’s national QR payment standard established under BNM’s Interoperable Credit Transfer Framework (ICTF) on the 23rd of March 2019 and implemented by Payments Network Malaysia (PayNet). It allows interoperable QR payments across different banks and e-wallets.

Instead of having many different QR codes (one for each bank or e-wallet), merchants display one DuitNow QR code, and customers can pay using any participating mobile banking or e-wallet app.

Core Roles of DuitNow QR as a National Standard


The Payment Ecosystem Unpacked: PSOs and Merchant Acquirers at Work

A Payment System Operator (PSO) is an entity that operates payment systems and provides the core infrastructure that enables transactions to be processed, cleared, and settled between different parties such as banks, merchants, and digital wallets.[1] PSOs define the rules, standards, messaging formats, and settlement processes for specific payment methods, for example DuitNow QR, and they ensure interoperability among financial institutions, wallets, and merchants. In Malaysia, PSOs are regulated by BNM under the Financial Services Act 2013 (FSA) and the Payment Systems Act 2003 (PSA) because they operate critical payment system infrastructure that is widely used by the public and financial institutions. Examples of a licensed PSO are MasterCard Asia Pacific Pte Ltd, Visa Worldwide Pte Ltd and Payments Network Malaysia Sdn Bhd (PayNet), which operates DuitNow (including DuitNow QR), IBG, and other interbank payment systems.

A Merchant Acquirer is a BNM-approved entity that onboards merchants to accept electronic payments, such as card payments or QR-based payments, and manages the transaction flow between merchants and payment networks or issuing institutions.[2] Merchant acquirers provide services including merchant account setup, payment terminals or QR acceptance tools, settlement of funds into merchants’ bank accounts, transaction reporting, and risk and fraud management. A merchant acquirer handles payment authorisation requests at physical point-of-sale terminals or online platforms and routes these requests to the appropriate payment network or PSO.

How PSOs and Merchant Acquirers Work Together in an Ecosystem

In a payment ecosystem, PSOs and merchant acquirers play distinct but closely connected roles. The PSO owns and operates the payment rails, defines system rules and messaging, and handles clearing and settlement between participants, while merchant acquirers focus on onboarding merchants, managing merchant accounts and settlements, and handling merchant risk and fraud. Merchant acquirers also interface directly with issuers to manage authorization flows, whereas PSOs do so indirectly through the network. For example, a PSO like DuitNow QR builds and maintains the underlying rail, while merchant acquirers connect merchants to that rail, enabling payment acceptance and settlement. Together, they create a functional ecosystem: the PSO provides standards and settlement infrastructure, acquirers implement these standards for merchants, issuers or banks approve payments on the rail, and networks facilitate routing between participants. Oversight by BNM ensures the safety and resilience of payment systems, protects consumers, manages risks such as fraud or settlement exposure, and promotes interoperability and competition.

POS QR Ecosystem in Malaysia

In Malaysia’s POS QR payment ecosystem (such as scan-to-pay at retail stores), several parties work together to enable a smooth transaction. The merchant accepts digital payments and works with a merchant acquirer or acquiring bank, which onboards the merchant, provides QR acceptance or POS tools, and settles funds into the merchant’s account. Transactions are routed through a PSO; for DuitNow QR, this is PayNet, which operates the shared infrastructure, ensures interoperability across banks and e-wallets, and handles clearing and settlement under BNM’s regulation. The issuer bank or wallet provider (such as Maybank, CIMB, Touch ’n Go, or GrabPay) holds the customer’s account and authorises or declines the payment. A network operator (often the PSO itself for DuitNow QR) connects issuers and acquirers through switching services. Finally, the POS system or terminal provider supplies the software or hardware that allows merchants to display or scan QR codes and connect to the acquirer, enabling the payment experience without directly handling the financial settlement.[3]

Example Transaction Flow (Scan-to-Pay)


Obligations of Acquirers

Acquirers are generally regulated financial institutions or approved non-bank payment service providers and are directly accountable to BNM.[4] This is because acquirers are reporting institutions under Malaysian Anti-Money Laundering / Countering the Financing of Terrorism laws.[5] Acquirers need to apply onboarding and due diligence practices such as Know-Your-Customer (“KYC”) and Customer Due Diligence (“CDD”) to verify customer identities, assess risks, and prevent financial crimes. These practices involve verifying the merchant’s identifying information, including but not limited to the legal name, registration number, business address and operating location(s), nature of business and expected transaction activity.

With specific reference to QR payments, acquirers are obligated to monitor QR transactions for unusual activity inconsistent with the merchant’s profile, and must file Suspicious Transaction Reports (“STR”) with BNM’s Financial Intelligence System where they encounter potentially fraudulent transactions.

From BNM’s perspective, acquirers are the “first line of defence” in QR payments, and BNM therefore expects strong gatekeeping of merchants, continuous monitoring, clear accountability even when functions are outsourced, and consumer protection embedded into operations.[6] Acquirers must be able to demonstrate that merchant onboarding is not a “tick-box” exercise but a risk-sensitive, continuously monitored practice, or risk being penalised with sanctions, suspension from the DuitNow QR scheme and regulatory enforcement action.[7]

Obligations of Merchants

Although merchants onboarded by a merchant acquirer are not directly regulated by BNM, they remain subject to a robust framework of contractual obligations imposed by the acquirer and its appointed payment service providers. The purpose of such obligations is to ensure that all participants in the acquiring chain, including acquirers, payment service providers, merchants and consumers, operate within a sound, transparent and accountable framework. These frameworks also serve to protect consumers, prevent abuse of payment channels, maintain transaction traceability, and support dispute resolution and compliance processes.

In practice, these obligations are enforced through the merchant agreement with the approved merchant acquirer, who bears the primary responsibility to conduct appropriate due diligence on merchants at the onboarding stage.[8] A merchant’s right to accept electronic payments is therefore conditional upon continued compliance with the terms imposed by the merchant acquirer.

For example, a common fundamental obligation imposed on merchants is that the acquiring service may only be used for lawful and permitted transactions. The merchant must not permit the payment service to be used for any goods or services that are illegal under applicable laws or that fall within the acquirer’s list of prohibited businesses or activities. This ensures that the acquiring platform is not misused to facilitate unlawful or high-risk transactions that may expose the acquirer, the payment system or end-users to regulatory or reputational harm.

Merchant agreements also typically require that electronic payment methods be offered to customers without any surcharge, processing fee, mark-up or additional cost. Customers must not be charged more simply because they choose to pay electronically. In line with this principle, the price of goods or services must remain the same regardless of the payment method used, including cash. To support this obligation, merchants are also required to ensure that the final transaction amount is clearly and prominently displayed at the point of payment, so that customers are not misled during the checkout process. These transparency requirements are intended to promote fairness, consistency and consumer confidence in electronic payments. From a commercial perspective, the Merchant Discount Rate (“MDR”) is contractually borne by the merchant and represents the cost of participating in the acquiring network. Merchant agreements commonly provide that the merchant may either absorb the MDR as a cost of doing business or, where permitted by the acquirer and applicable scheme rules, factor it into its overall pricing strategy.

Another important area in which acquirers are required to ensure their merchants’ compliance is confidentiality and personal data protection.[9] In the course of providing goods or services and processing electronic payments, merchants may obtain access to personal data and confidential information belonging to users, customers, employees, or the acquiring parties. Accordingly, merchant agreements typically impose strict confidentiality and data protection obligations on both merchants and acquirers, requiring them to handle such information in accordance with all applicable data protection and privacy laws, including the Personal Data Protection Act 2010.

Conclusion

POS QR payments have become an integral part of Malaysia’s cashless ecosystem, offering speed, accessibility and efficiency to both merchants and consumers. While the regulatory framework primarily governs merchant acquirers, the obligations imposed contractually on merchants play an equally critical role in safeguarding the integrity of the payment system.

Through merchant acquiring arrangements, regulatory expectations relating to consumer protection, transparency, operational resilience, data security and anti-financial crime controls are effectively extended to merchants. Acquirers, as regulated entities, must ensure compliance by conducting proper due diligence, enforcing compliance standards and monitoring merchant conduct. Merchants, in turn, are required to operate within clearly defined boundaries that promote lawful use, fair pricing, data protection and proper handling of payment instruments.

As QR-based payment adoption continues to expand, the strength of Malaysia’s payment ecosystem will depend not only on regulatory oversight, but also on the discipline with which acquirers and merchants maintain their respective obligations. These responsibilities form the foundation of a secure, trusted and sustainable digital payment environment.

Authors:

  1. Maryam Amilah
  2. Alina Filza
  3. Ow Kai Wing

References

[1] Paragraph 1.1 of the Policy Document on Payment System Operator issued by Bank Negara Malaysia on 22 December 2022

[2] Paragraph 1.1 of the Policy Document on Merchant Acquiring Services issued by Bank Negara Malaysia on 15 September 2021

[3] Paragraph 1.2 of the Policy Document on Merchant Acquiring Services issued by Bank Negara Malaysia on 15 September 2021

[4] Section 72 of the Financial Services Act 2013

[5] Section 3 of the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001

[6] Appendixes 4 to 8 of the Policy Document on Merchant Acquiring Services issued by Bank Negara Malaysia on 15 September 2021

[7] Paragraphs 5.2 and 11 of the Policy Document on Merchant Acquiring Services issued by Bank Negara Malaysia on 15 September 2021

[8] Paragraph 11.1 of the Policy Document on Merchant Acquiring Services issued by Bank Negara Malaysia on 15 September 2021

[9] Paragraph 11.12 of the Policy Document on Merchant Acquiring Services issued by Bank Negara Malaysia on 15 September 2021
