
Add a 'legal lock' to password-free payment

2025-08-20

Password-free payment, a feature that e-commerce payment platforms and online applications launched to make transactions more convenient, lets a user who has authorized it complete payments without entering a password as long as each transaction stays within a preset single-transaction limit. This mode has significantly streamlined the payment process and improved transaction efficiency. However, it bypasses the important risk-isolation barrier of "entering a password", and once exploited by criminals it is highly likely to cause property damage and personal information leakage. For example, after a user's mobile device is lost or payment information is leaked, criminals may bypass password verification and directly spend or transfer funds, or they may exploit protocol or program vulnerabilities to illegally obtain core sensitive information such as payment credentials and bank account details, aggravating the risk of information leakage.

Although the existing laws of our country touch on password-free payment, the regulatory system is not yet complete. Firstly, civil liability is hard to define and pursue. Under Article 1194 of the Civil Code, internet users and network service providers who use the internet to infringe upon the civil rights and interests of others bear tort liability. However, when users activate password-free payment they usually sign an agreement with the platform that explicitly authorizes the platform to deduct funds without a password under specific conditions. Once theft occurs, if a user holds the platform liable for infringement, the platform often raises "user authorization" as a defense. Proving that the platform was at fault in fulfilling its security obligations, for example through unreasonable agreement design, insufficient risk warnings or ineffective risk-control measures, usually involves complex evidence and high cost.

Secondly, front-end prevention and control for personal information protection need to be strengthened. Although the Personal Information Protection Law, the E-commerce Law and the Network Data Security Management Regulations have strengthened platforms' security-protection and leak-handling responsibilities, their regulatory focus tends to be on after-the-fact relief. There is a lack of sufficiently rigid and detailed ex-ante control rules for the risks that password-free payment creates through simplified authorization and weakened verification. How to secure users' core payment information across the entire chain of agreement performance, data transmission and storage is a question on which the specific requirements and implementation standards of existing laws and regulations still need to be clarified and improved.

Thirdly, supervision and evidence collection face challenges. The virtual, transient and cross-regional nature of online payment makes it easy for criminals to conceal their behavior when they use password-free payment to commit infringement. It is difficult for regulators to discover clues in time and to effectively preserve electronic evidence, which creates numerous difficulties in holding perpetrators accountable and recovering users' losses.

Therefore, effectively addressing the legal risks of password-free payment requires a systematic and operable regulatory framework. This means focusing on the core links of authorization, supervision and accountability, around responsible parties such as payment platforms, regulatory agencies, network users and industry organizations, and jointly promoting mechanisms for preventing legal risk.

Standardize the pre-authorization process to ensure user autonomy. Activation of password-free payment must strictly follow the principles of voluntary, informed and explicit user consent, and inducement, coercion or default automatic activation must be firmly prevented. In response to the problem that lengthy agreement texts and obscure terminology make it difficult for users to fully understand the risks, platforms should further be required to prominently mark the core terms concerning fund security, risk liability and key authorizations, so that users clearly understand the legal consequences. At the same time, a "single-transaction limit" alone is not enough to prevent the cumulative risk of small, high-frequency fraud; a "single-day/single-cycle cumulative transaction limit" clause should also be added to the agreement to form a multi-level limit control mechanism.

Strengthen platforms' dynamic risk-control responsibility during in-process supervision. Payment platforms bear important security obligations and should build more intelligent and dynamic risk-monitoring systems. Once password-free payments that are high-frequency, at unusual times or locations, or that deviate from the user's habits are detected, warnings should immediately be issued to the user through effective channels such as SMS, in-app pop-ups and phone calls. When high risk or user-reported anomalies are discovered, the platform should promptly take protective measures such as suspending password-free payment and temporarily freezing the account. In addition, platforms should actively use technical means to build risk-assessment models based on user profiles, transaction characteristics and risk types; for transactions identified as high risk, the system should raise the verification intensity or adopt stricter security controls to effectively block potential infringement.

Optimize the allocation of the burden of proof in post-event accountability. When a user suffers an unauthorized password-free payment and the platform claims to have fulfilled its duties of notification and supervision, the determination of liability is crucial. Here the platform's security responsibility can be further strengthened in the design of the rules. Specifically, when an unauthorized password-free payment causes a user loss, the platform should be required to prove that it has fulfilled reasonable and sufficient security obligations. If the platform can provide sufficient evidence that it is not at fault and that the loss was indeed caused by external factors such as the user's own gross negligence, force majeure or third-party criminal conduct, its liability may be reduced or exempted. This rule design aims to balance the burden of proof between users and platforms, protect user rights more effectively, and encourage platforms to keep investing resources in improving their risk-control capability.

Promote industry self-regulation and raise users' risk awareness. The Internet Association and other industry organizations should take the lead in formulating and issuing payment-security specifications and guidelines, clarify platforms' security-responsibility boundaries, technical standards and emergency procedures in password-free payment scenarios, and provide a model for platforms to build a scientific risk-control mechanism. At the same time, a security-assessment and information-sharing mechanism should be established, and platforms with weak protection and frequent vulnerabilities should be urged to improve through risk warnings and rectification notices. Users need to carefully weigh their needs and risks and adopt the mindset of "do not enable unless necessary, and manage strictly after enabling": promptly disable password-free payment on rarely used platforms or platforms of questionable reputation, regularly check authorization management, and stay vigilant. (New Society)
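The multi-level limits and dynamic risk-control behaviour the article calls for (a single-transaction limit plus a single-day cumulative limit; detection of high-frequency, unusual-time and unusual-location password-free payments; warning the user, stepping up verification, and temporarily freezing password-free payment) can be sketched as a small rule-based engine. The following is an added illustration written for this page, not code from any payment platform or from the article's author; the user profile, limits, scoring weights, thresholds and the transaction sequence are all constructed assumptions.

```python
"""Rule-based risk control for password-free payments (added illustration, not platform code)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class UserProfile:
    """Limits the user agreed to, plus a sketch of their normal payment habits."""
    user_id: str
    single_limit: float        # password-free cap per transaction (the agreement's single limit)
    daily_limit: float         # cumulative password-free cap per day (the proposed extra clause)
    usual_hours: range         # hours of the day in which this user normally pays
    usual_cities: frozenset    # cities this user normally pays from


@dataclass
class Txn:
    ts: datetime
    amount: float
    city: str


@dataclass
class Decision:
    action: str                # "allow" | "warn" | "step_up" | "suspend"
    reasons: list


class RiskEngine:
    """Stateful per-user evaluator: hard limits, burst frequency, time/location deviation."""

    def __init__(self, profile, freq_window=timedelta(minutes=10), freq_max=5,
                 step_up_score=2, suspend_score=4):
        self.profile = profile
        self.freq_window = freq_window   # sliding window for the high-frequency rule
        self.freq_max = freq_max         # attempts inside the window that count as a burst
        self.step_up_score = step_up_score
        self.suspend_score = suspend_score
        self.attempts = deque()          # timestamps of recent attempts, whatever their outcome
        self.day = None
        self.daily_total = 0.0           # password-free amount already executed today
        self.suspended = False           # set once password-free payment has been frozen

    def evaluate(self, txn):
        if self.suspended:               # frozen: nothing more goes through password-free
            return Decision("suspend", ["account_frozen"])
        if self.day != txn.ts.date():    # a new day resets the cumulative limit
            self.day, self.daily_total = txn.ts.date(), 0.0
        reasons, score, hard = [], 0, False

        # Hard limits from the agreement: a password is always required when exceeded.
        if txn.amount > self.profile.single_limit:
            reasons.append("over_single_limit")
            hard = True
        if self.daily_total + txn.amount > self.profile.daily_limit:
            reasons.append("over_daily_limit")
            hard = True

        # Soft signals: burst frequency, unusual hour, unusual city (weights are assumptions).
        while self.attempts and txn.ts - self.attempts[0] > self.freq_window:
            self.attempts.popleft()
        if len(self.attempts) >= self.freq_max:
            reasons.append("high_frequency")
            score += 2
        self.attempts.append(txn.ts)
        if txn.ts.hour not in self.profile.usual_hours:
            reasons.append("unusual_time")
            score += 1
        if txn.city not in self.profile.usual_cities:
            reasons.append("unusual_location")
            score += 1

        if score >= self.suspend_score:          # freeze password-free payment and notify
            self.suspended, action = True, "suspend"
        elif hard or score >= self.step_up_score:
            action = "step_up"                   # require the password / stronger verification
        elif score > 0:
            action = "warn"                      # execute, but alert via SMS, pop-up or call
        else:
            action = "allow"
        if action in ("allow", "warn"):          # only password-free executions consume the cap
            self.daily_total += txn.amount
        return Decision(action, reasons)


def run_demo():
    """Constructed profile and transaction sequence; returns one Decision per transaction."""
    profile = UserProfile("u-demo", single_limit=500.0, daily_limit=1500.0,
                          usual_hours=range(8, 23), usual_cities=frozenset({"Beijing"}))
    engine = RiskEngine(profile)
    t = lambda h, m: datetime(2025, 8, 20, h, m)
    txns = [Txn(t(9, 0), 120.0, "Beijing"),      # normal
            Txn(t(9, 5), 450.0, "Beijing"),      # normal, under the single limit
            Txn(t(9, 6), 600.0, "Beijing"),      # over the single limit
            Txn(t(21, 0), 400.0, "Shanghai"),    # unusual city
            Txn(t(22, 0), 400.0, "Beijing"),     # cumulative now 1370
            Txn(t(22, 10), 200.0, "Beijing"),    # would breach the 1500 daily cap
            Txn(t(23, 30), 20.0, "Beijing"),     # unusual hour
            Txn(t(23, 31), 5.0, "Beijing"),      # start of a small-amount burst
            Txn(t(23, 32), 5.0, "Beijing"),
            Txn(t(23, 33), 5.0, "Beijing"),
            Txn(t(23, 34), 5.0, "Beijing"),
            Txn(t(23, 35), 5.0, "Shanghai"),     # 6th attempt in 10 min, odd hour, odd city
            Txn(t(23, 36), 5.0, "Beijing")]      # already frozen
    return [engine.evaluate(x) for x in txns]
```

Two design points follow directly from the article. The hard limits are applied before any scoring, so a transaction over the single or cumulative cap never executes password-free no matter how ordinary it otherwise looks, and only password-free executions count against the daily cap. Each Decision carries the list of rules that fired, which is the kind of record a platform would need to retain to later show that it actually monitored and reacted, rather than merely asserting that it fulfilled its supervisory duty.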

Editor: Luo Yu   Responsible editor: Wang Erdong

Source: Learning Times
