A new trend in payments has recently emerged: paying with QR codes. It is now increasingly common to generate a QR code on a mobile device and pay, or accept payment, for goods or services at a Point of Interaction (POI) using nothing but that QR code. Such a system is often more efficient and convenient than other payment methods. The following sections explain how it works.
QR codes have been advancing strongly in the world of sales and marketing. The reasons are obvious: no extra device is needed; a smartphone with a camera is enough to give consumers additional data about a specific good. Companies also benefit: the path to purchase becomes easy and unhampered, less printed material is needed, and they gain exploitable metadata on user preferences and habits. As Forbes.com puts it: “QR Codes Are Providing Customers With Convenience And Businesses With Data”.
Within a span of 7 months, awareness of QR codes as a payment method rose from 35.5% to over 80%, according to a 2021 survey published by statista.com.
This article explains the concept of QR codes in the context of payment applications. It closes by discussing what level of cybersecurity is needed to provide banking-grade security and thus bring QR payments to a security level comparable to credit-card-based transactions.
What is a QR code?
QR codes used in payment follow the general QR definition. QR stands for Quick Response. A QR code is an image made of black and white squares of various sizes and positions, based on a principle similar to bar codes (some QR code variants use other colours). In fact, a QR code may be considered an advanced “two-dimensional” barcode (ISO 18004-compliant encoding and visualisation of data).
The data is coded as an alternation of black and white squares. What makes QR codes suitable for payment is their resilience (a code still yields its information even if damaged up to a certain extent) and error-proofness (it carries an error correction system based on Reed-Solomon error correction codes).
The QR code in itself is divided into several geometrical parts:
- Quiet Zone: simply the white area surrounding the image itself, useful for the scanner;
- Position markers: three big squares that allow a scanner to determine the area to scan;
- Fixed patterns: they allow the scanner to perform some calibration;
- Format information: allows the scanner to determine the format of the QR code (and thus scan the data adequately);
- Data zone: Contains both the data and the error correction codes and miscellaneous information.
We represent the typical structure of a QR code in the illustration below. The data area is partitioned into several zones, each with a defined role: ‘pure’ data, error correction data, mode indicator, stop and character count.
The data is read by scanning the QR code in a ‘zig-zag’ pattern.
What are QR codes used for?
QR codes can be used for virtually anything. They can represent any sort of information as long as it stays below a maximum size. Short information such as URLs is traditionally encoded in QR codes, but other types of information are commonly encoded too, such as:
- Product information (ingredients, origins, sustainability, fair trade, etc.)
- Map directions (GPS data, etc.)
- Phone numbers
But their resilient, error-protected design on the one hand and their lightweight implementation on the other really make them a good option for payments, with the potential to replace some NFC mobile payment systems.
QR codes for payments (EMV)
QR codes have been introduced into EMV payment systems for both merchants and consumers. While QR codes are used about equally in the Americas, Europe and Asia (10-20 million QR code scans per region in 2020), QR codes for payments massively originate from China, where they represented more than 80% of domestic mobile payments in 2020.
Consumer-presented QR Code: how does it work?
The principle of using QR codes for EMV payment is simple: the customer generates a QR code with their mobile device, containing some of the cardholder's payment card information. The merchant, at the Point of Interaction, scans this code and processes the information online.
1. The cardholder chooses to generate a QR code from the card registered in their mobile device.
2. The merchant's QR code reader scans the QR code, decodes it and sends the extracted data to the POI as base64 data.
3. The Point of Sale application processes the base64-encoded QR code payload. This includes:
- Decoding the base64,
- Parsing the data,
- Checking the format,
- Processing the transaction.
If there is a need for cardholder verification, it is usually performed using Consumer Device Cardholder Verification Methods (CDCVM).
Note: The generated QR code doesn’t use any encryption.
Merchant-presented QR Code: how does it work?
‘Scan to pay’ is an alternative QR-based payment system, the mirror image of the consumer-presented QR code. To pay for a good or service, the consumer scans a QR code generated by the merchant that contains all the relevant information about the transaction. The QR code is then processed by the consumer's mobile device: the information is extracted and sent to an online payment system by the device. Both merchant and consumer can quickly check the outcome of the transaction with minimal hassle and interaction.
Advantages and Disadvantages of QR-Code based payment
In post-COVID times, contactless payment options have become the preferred payment method for an increasing number of people, and QR code based payments cater well to this. They are perfectly touchless and simple. Credit or debit cards are not required (with no fees payable by customers or retailers). The customer's payment app simply enables a transaction between the customer's and the retailer's account channels. No sensitive information is shared (such as credit card details, which could be exploited later).
For retailers, it is comparably simple. No specific payment terminals are needed (with their associated fees, regular upgrades, problems with unstable connections, etc.). The retailer simply prints out the QR code and payment becomes possible.
But not all methods are secure. The following section outlines a banking-grade approach to protecting payment apps and the end-to-end transaction channel so that it cannot be abused.
Hardware Security Modules provide Banking-Grade Security
QR codes were not designed with any security in mind. They contain no mechanism for confidentiality or authentication; they only provide a way to ensure integrity, through their error correction codes. Therefore the only way is to apply cryptographic algorithms to the data before encoding it in a QR code and after decoding it.
To provide such security, and especially within the EMV payment framework, HSMs must be part of the chain. Only Payment HSMs and their associated platforms can ensure that QR codes transport cryptographically secured data. This is especially true where QR codes carry specific cryptograms, the same ones standardised by EMVCo: after all, a QR code can transport the same information as an EMV contactless card. To generate these cryptograms, a highly secure environment must be in place both in the merchant's infrastructure and in the payment application provided to the cardholder, and that infrastructure should use HSMs as the root of trust for QR codes.
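To make both the consumer-presented flow described earlier (decode base64, parse, check the format, process) and the cryptogram requirement concrete, here is an added Python example; it is my code, not the article's or EMVCo's. The TLV layout it uses (tag 85 carrying "CPV01", an application template 61 holding 4F, 57 and 63, and 9F26/9F36/9F37 inside 63) is my reading of the EMVCo consumer-presented mode and should be treated as an assumption; the cryptogram is an HMAC stand-in for the EMV cryptogram a payment HSM would compute, and the key, AID and Track 2 values are constructed.

```python
# Added example, not the article's or EMVCo's code. TLV layout (85 = "CPV01"; 61 holds 4F/57/63;
# 63 holds 9F26/9F36/9F37) is my reading of the EMVCo consumer-presented mode; HMAC stands in for the cryptogram.
import base64, hashlib, hmac
ISSUER_KEY = b"constructed stand-in for a key that never leaves the payment HSM"

def parse_tlv(buf: bytes) -> list[tuple[str, bytes]]:
    """Parse one level of BER-TLV into (hex tag, value) pairs, with bounds checks."""
    out, i = [], 0
    while i < len(buf):
        start = i
        if buf[i] & 0x1F == 0x1F:              # multi-byte tag such as 9F26 or 5F20
            i += 1
            while buf[i] & 0x80:
                i += 1
        i += 1
        tag = buf[start:i].hex().upper()
        length, i = buf[i], i + 1
        if length & 0x80:                       # long-form length (value of 128+ bytes)
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("TLV length runs past the end of the payload")
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def tlv(tag: str, value: bytes) -> bytes:       # encode one element, short-form length
    return bytes.fromhex(tag) + bytes([len(value)]) + value

def cryptogram(atc: bytes, un: bytes, track2: bytes, key: bytes = ISSUER_KEY) -> bytes:
    """Stand-in application cryptogram: an 8-byte MAC binding ATC, UN and Track 2."""
    return hmac.new(key, atc + un + track2, hashlib.sha256).digest()[:8]

def build_consumer_qr(track2: bytes, atc: bytes, un: bytes) -> str:
    """Cardholder app side: assemble the TLV tree and base64-encode it for the QR."""
    transparent = tlv("9F26", cryptogram(atc, un, track2)) + tlv("9F36", atc) + tlv("9F37", un)
    app = tlv("4F", bytes.fromhex("A00000000000")) + tlv("57", track2) + tlv("63", transparent)  # placeholder AID
    return base64.b64encode(tlv("85", b"CPV01") + tlv("61", app)).decode()

def process_consumer_qr(b64: str, key: bytes = ISSUER_KEY) -> dict:
    """POI/host side: decode base64, parse, check the format, verify the cryptogram."""
    top = dict(parse_tlv(base64.b64decode(b64, validate=True)))
    if top.get("85") != b"CPV01":
        raise ValueError("unexpected payload format indicator")
    app = dict(parse_tlv(top["61"]))
    tr = dict(parse_tlv(app["63"]))
    expected = cryptogram(tr["9F36"], tr["9F37"], app["57"], key)
    return {"aid": app["4F"].hex().upper(), "track2": app["57"].hex().upper(),
            "cryptogram_ok": hmac.compare_digest(expected, tr["9F26"])}
```

The Reed-Solomon code inside the QR symbol only repairs scanning damage; it is the cryptogram check at the end, backed by a key the terminal never holds, that detects an altered Track 2 or transaction counter.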
QR codes have recently been introduced as a fast and convenient way of paying, initiated by either consumers or merchants. They represent a simple way to exchange payment data between a consumer and a merchant at a Point of Interaction. However, QR codes do not by themselves provide any encryption or specific security, and as such they remain somewhat experimental in the world of card payments. They must therefore be used with encryption systems, and especially with Payment HSMs that are fully compliant with the local regulations on encryption for retail banking.
- EMV® QR Code Specification for Payment Systems (EMV® QRCPS) Merchant-Presented Mode, EMVco
- EMV® QR Code Specification for Payment Systems (EMV® QRCPS) Consumer-Presented Mode, EMVco
- How We Shop, PYMNTS.com/PayPal, 2020
Blog post by Martin Rupp, a cryptographer, mathematician and cyber-scientist. He has been developing and implementing cybersecurity solutions for banks and security relevant organizations for 20 years. Martin currently researches the application of Machine Learning and Blockchain in Cybersecurity.