Wayan Satya’s blog

QRIS

In the bustling markets of Yogyakarta and the high-end malls of Jakarta, a small black-and-white checkered square has become the most powerful symbol of Indonesia’s modern economy. QRIS (Quick Response Code Indonesian Standard) isn't just a payment method; it’s a cultural shift.

Launched by Bank Indonesia on August 17, 2019 (effective nationwide by January 1, 2020), QRIS was designed to unify a fragmented digital landscape. But as we tap, scan, and pay, it’s worth looking under the hood to see how this "convenience" actually works, who is subsidizing it, and what happens to our data.

User Adoption: The 21% Parallel, Indonesia vs. India

To understand QRIS’s success, we must look at the global gold standard: India’s UPI. According to data from Bank Indonesia via Katadata, QRIS users surged to 54.1 million by Q3 2024 and are estimated to hit the 58-60 million mark by 2025/2026.

There is a fascinating mathematical symmetry when QRIS is compared with India's UPI adoption curve:

| Metric | Indonesia (QRIS) | India (UPI) |
|---|---|---|
| Launch Year | 2020 | 2016 |
| Total Population | ~280 Million | ~1.4 Billion |
| User Penetration | ~21% (58M users) | ~21% (300M users) |

The Takeaway: Indonesia matched India’s adoption curve despite launching 6 years later.

The Tech: A Three-Layer Cake

Most people think QRIS is "one system" where a single company or the government controls every bit of your data. Wrong. QRIS is a three-layer cake where each player only sees a specific "slice" of your transaction.

Who Pays for This "Convenience"?

"Free" is a marketing term, not a financial one. The cost of moving money is real, and it’s distributed across three groups:

  1. Merchants: Pay a Merchant Discount Rate (MDR) of 0.3% to 0.7% to acquiring banks. This is the direct cost of the infrastructure.
  2. E-Wallets: Sometimes subsidize transactions (0% MDR promos) to burn cash and gain market share, essentially "buying" your presence in their ecosystem.
  3. Consumers: Pay 0% at the counter but pay indirectly through:
    • Price Pass-through: Tight margins mean the MDR eventually hits the price of your goods.
    • Data Monetization: Your spending patterns are used to build credit profiles for "PayLater" loans.
    • Ecosystem Lock-in: Once your life is in one app, the "switching cost" becomes high.

The Privacy Paradox

There is a common assumption that standardization leads to total surveillance. QRIS flips this on its head.

The Insight: Standardization without centralization creates "Accidental Privacy."

Because QRIS is a standard (a language) rather than a single database, your data is actually siloed. Your bank knows your money, your e-wallet knows your name, and the merchant’s bank knows their sales. No single private entity has the "God View" of the entire transaction from end-to-end. In a world of monolithic tech giants, QRIS’s fragmented architecture is a rare win for data compartmentalization.
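
To make the "standard as a language" point concrete, here is an added example (not code from this blog or from Bank Indonesia) that reads the text string inside a merchant QR code, checks its checksum, and lists what it carries: merchant-side fields only. It assumes QRIS payloads follow the EMVCo merchant-presented tag-length-value layout, which the post itself does not describe; the merchant, acquirer ID and payload are constructed.

```python
# Added example. Assumes QRIS payloads follow the EMVCo merchant-presented
# layout: 2-digit tag, 2-digit length, value; tag 63 holds a CRC-16 checksum.
NAMES = {"00": "format", "01": "initiation", "26": "merchant_account",
         "52": "category_code", "53": "currency", "58": "country",
         "59": "merchant_name", "60": "merchant_city", "63": "crc"}

def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def parse_tlv(s: str) -> dict:
    """Split 'TTLLvalue...' into {tag: value}, rejecting truncated fields."""
    fields, i = {}, 0
    while i < len(s):
        tag, length = s[i:i + 2], s[i + 2:i + 4]
        if len(length) != 2 or not (length.isascii() and length.isdigit()):
            raise ValueError(f"bad field header at offset {i}")
        end = i + 4 + int(length)
        if end > len(s):
            raise ValueError(f"field {tag} runs past the end of the payload")
        fields[tag], i = s[i + 4:end], end
    return fields

def tlv(tag: str, value: str) -> str:
    return f"{tag}{len(value):02d}{value}"

def build_sample() -> str:
    """Constructed payload for a made-up merchant (not a real QRIS code)."""
    account = tlv("00", "ID.EXAMPLE.ACQUIRER") + tlv("01", "0000000000")
    body = (tlv("00", "01") + tlv("01", "11") + tlv("26", account)
            + tlv("52", "5812") + tlv("53", "360") + tlv("58", "ID")
            + tlv("59", "WARUNG CONTOH") + tlv("60", "YOGYAKARTA") + "6304")
    return body + f"{crc16(body.encode()):04X}"

def read_qr(payload: str) -> dict:
    """Verify the checksum, then return the fields under readable names."""
    body, given = payload[:-4], payload[-4:]
    if not body.endswith("6304") or f"{crc16(body.encode()):04X}" != given.upper():
        raise ValueError("checksum mismatch: payload altered or corrupted")
    fields = parse_tlv(payload)
    if "26" in fields:
        fields["26"] = parse_tlv(fields["26"])  # nested acquirer/merchant ids
    return {NAMES.get(t, t): v for t, v in fields.items()}
```

Nothing in the parsed result identifies the payer: the code on the counter describes the merchant and its acquirer, and the customer's identity stays with whichever app scans it.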

The UU PDP: Who is the "Data Controller"?

As the digital economy grew, Indonesia passed the UU PDP (Undang-Undang Pelindungan Data Pribadi). However, in a multi-layered QRIS transaction, a critical question remains: Who is actually the "Data Controller"?

According to the UU PDP Article 18, a Data Controller is the entity that determines the "purpose and control" of data processing. In a single QRIS scan, we have a Joint Controller scenario (Article 18):

The Questionable Reality: If your data is leaked, who is responsible? If the leak happens during the "handshake" between your app and the merchant’s bank, the lines of accountability blur. The UU PDP mandates that Joint Controllers have a clear agreement, but for the average user, this feels like a game of musical chairs where no one wants to be caught holding the liability when the music stops.