Decoding the QR Code

Decoding the QR Code
Steve Cole Director, Tech Engagement Merchant Advisory Group
Apr 1, 2024

The Quick Response Code, more commonly known as the QR Code, has become a familiar sight in our daily lives. QR Codes seem to be everywhere these days whether on restaurant tables, plastered to light poles, or at the exhibit booths of your favorite payments conference. How did this come to be? Let’s take a closer look at what QR Codes are, how they work, and why payments professionals should care about them. Invented by Japanese engineer Masahiro Hara of the Denso Wave company in 1994, the QR Code was originally used to track automobiles and auto parts during the manufacturing process. However, with the advent of the smartphone and its optical scanning capability, the number of use cases for QR Codes exploded. 

 Some of you may be thinking, “Barcodes have been around for decades, what makes a QR Code so much more useful?” In one word, “data”. Barcodes generally support less than 100 characters. In fact, the Universal Product Code (UPC) that merchants are so familiar with is a specific type of bar code used to identify products (and the vendor of the product) and only supports 12 characters!  On the other hand, a QR Code can support approximately 7,000 numeric characters, 4,300 alphanumeric characters, or 2,900 binary characters.  Most applications, however, won’t come close to approaching these limits. For instance, the most common use for a QR Code is to direct the user to a website URL which is generally around 40-50 characters. The reason a QR Code can support so much more data is due to its format. A barcode is a one-dimensional code made up of a series of vertical lines with varying widths and distances between the lines. A QR code is a two-dimensional matrix of squares or dots that can be read both horizontally and vertically which allows for the storage of much more data. In addition to the amount of data, QR Codes have other advantages. They can be scanned from any angle and can include other visual elements such as images. The format of a QR Code also includes data duplication for error correction.  This means depending on the size of the code, it can still be read even if up to 30% of the code is damaged (or covered by an image).  QR Codes can be static or dynamic. With static QR Codes, the information such as a target URL, is encoded directly into the code so the information cannot be changed once the QR Code is created.  While the definition of a “Dynamic” QR Code varies, it most often means either that the code can be generated in real-time using transaction-specific information or it can use a short URL that redirects to the target URL.  Because of the redirection, the target URL can be changed while keeping the short URL (in the QR Code) the same. Finally, QR codes can be used for many purposes beyond linking to a website including joining a Wi-Fi network, generating a preformatted email, and most significantly for our purposes, making a payment.

 In a world that has become increasingly averse to touching objects such as payment terminals in public spaces, QR Codes can provide a convenient means to support a touchless payment experience. This can be accomplished in a couple of ways. The merchant may display a code, either physically or digitally, that is scanned by the customer’s device or the customer may display a code on their device that is read by the merchant’s scanning device. In the merchant-displayed use case, the customer experience may vary depending on the merchant’s QR Code implementation and the functionality of the customer’s device. For instance, if the merchant has a static code printed on a countertop card display, there will be no transaction-specific information provided when the code is scanned, so the customer will be prompted to enter the transaction amount in a browser window or payment app. However, if the code is generated on a per-transaction basis and displayed on a screen or printed on a paper receipt, the amount can be included in the code and the customer simply confirms the amount displayed. For customer-displayed QR Codes, the code on the customer’s device identifies the payment credential details. When the merchant scans the code, the scanner decodes the payment data and sends it to the merchant’s POS system.

 One area of concern with QR Code-based payments, as with all payments systems, is fraud and security. First, it is important to recognize that QR Codes used for payments do not contain any personally identifiable information (PII). To protect QR Codes that access sensitive information such as payments data, encryption can be used.  However, while there is no practical way to “hack” QR Codes, they can be replaced.  It’s important to understand the security risk of QR Codes is not in the code itself but in the target the code links to. A common fraud vector is where a bad actor replaces a legitimate merchant QR Code with a malicious one that directs users to a phishing website or a site that initiates the download of malware. 

 While adoption of QR Codes for payments has not caught on in the United States as NFC-based payments have, QR Codes can be a catalyst for payments innovation. The Pix payments system in Brazil has seen massive adoption in consumer-to-business payments.  Introduced in 2020, by 2022 Pix accounted for nearly 30% of all electronic payments, greater than both credit and debit card payments. This adoption curve was made possible by QR Codes because it did not require merchants to deploy new hardware. With minimal development, the QR Code could be displayed on the POS terminal or printed on the receipt.  In Singapore, the unified SGQR Code allows consumers to scan a single QR Code to make payments with the payment app of their choice.  A recent upgrade of this system allows merchants to access a wider range of payments providers, both local and cross-border, through a single financial institution. The Federal Reserve also sees QR Codes as a key technology for faster payments adoption.  Although it may still be some time before QR Code payments become mainstream in the U.S., their versatility and growing adoption in other use cases gives one every reason to believe they will one day become an essential tool in a merchant’s payments toolbox.

The Merchant Advisory Group

Driving positive change and innovation in the payments industry that serves the merchants interest through collaboration, education, and advocacy.