The Curious Case of the QR Code

With standards emerging from Beijing to San Francisco, QR is coming of age.

Could global security standards be coming into view for QR? There is an ISO standard for the “symbology” of a visual configuration that is now familiar worldwide. But, for payments, the standardisation needs to go far deeper. “At present there is no universally agreed security infrastructure,” says Lafferty’s Head of Research, David Hickey. “But I am sure security for QR payments will improve. China has just introduced two-factor authentication for QR transactions above a certain value. And EMVCo also published QR code standards last year.”

Indeed those moves made by the People’s Bank of China show that there is a big difference to be aware of between ‘static’ and ‘dynamic’ codes: a dynamic code can be disposable, tokenised and also have detailed user/merchant metadata and verification elements baked in. Reassured by the added security such features make possible, the authorities in Beijing have decided that there should be no transaction limit on dynamic barcodes that incorporate at least two digital certificates or signatures, whereas static codes now have a transaction limit of 500 yuan ($80). The only surprise here is that it took the central bank so long, as static codes are so easy to fake it is a wonder they ever took off for transactions at all: for example, the code on a rentable city bike can easily be (and has been) replaced with a fake code that actually triggers a funds transfer to a fraudulent account.

Two years into its project, EMVCo in California meanwhile is certainly serious about getting its standards in place as widely as possible: “Given its early stage of deployment and growing adoption, now is the time to ensure the technology’s potential is not constrained in the future due to compatibility issues.” It has also just released a mark for use by merchants to indicate that they can accept mobile payments via QR. As with any botched strategy, getting QR wrong at the commercial level can be costly: the ill-fated CurrentC app in the United States, developed by a consortium of merchants (including a Walmart aggrieved by the power of the traditional networks), required users to go through several steps at the point of sale, beginning with unlocking their phone, starting the app, then switching to the camera to capture the QR code. (And remember that, tellingly, there was no native app to scan QR codes on iPhones until iOS 11 of late last year: QR has not had an easy time of it in the US.)


The attractions of the QR protocol are many, especially if you are a small merchant that has been missing out over the years on payments by card (and now digital wallets). Cash-in-circulation may be growing worldwide but new forms of payment are a reality everywhere, and the QR solution is especially appealing for those not hooked up to the traditional schemes.

China, as readers will know, is way ahead on QR, and the unprecedented success of Alipay and WeChat has been instrumental in that phenomenon. Cashless payments in the country really took off when people began using Alipay for buying things on Taobao (Alipay’s shopping website), a shift intimately connected with QR. As Professor Chen Yiwen of the Chinese Academy of Sciences recently pointed out, the country “has started the transition to a cash-free economy faster than anyone could have imagined, largely because of the viral spread of two-dimensional barcodes”. And by viral spread, he is hardly exaggerating: QR codes are even to be found on the clothing of waiters, bridesmaids and pedlars. With Alipay and WeChat bringing well-funded AI technology to bear on the analysis of real-time payment flows, anti-fraud efforts are on the up also.

QR codes are particularly well-placed to meet the needs and opportunities of markets that have largely bypassed fixed-line infrastructure and have landed firmly in the smartphone age: in Nigeria, for example, Mastercard can deliver customised codes to small businesses via a Facebook Messenger bot.

India too presents an eye-catching case: the official QR standard, BharatQR, is a common interface for RuPay, Visa and Mastercard through its integration with the official Unified Payments Interface and so brings the might of a state-owned payments infrastructure to bear behind the humble code displayed at the point of sale. This might draw in vendors and businesspeople that have found standard POS equipment significantly more expensive (in the case of India, more than a hundred times more so) to set up than QR. Paytm too is on board with QR: “From a transaction perspective, nothing much changes. While the user scans the same QR code, [he] will now get two or three options (e-wallet, account and debit card) and can choose the payment instrument. It does not add to the number of steps as the same screen will have multiple options”, the company’s chief operating officer recently told the Times of India.

The great gain of QR is a symbolic convention that can reach both developed and underdeveloped markets, the banked and the unbanked alike: “What counts in making a happy marriage,” Leo Tolstoy once wrote, “is not so much how compatible you are but how you deal with incompatibility.” Assuming East and West can see eye to eye on security standards, QR’s best days seem to be ahead of it.



By FIN KEEGAN, via Lafferty News



Leave a Reply

Your email address will not be published.