The Use of Quick-Response Codes in Payments | A

FOCUS NOTE

THE USE OF QUICK-RESPONSE

CODES IN PAYMENTS
Part of the World Bank Fast Payments Toolkit

SEPTEMBER 2021
B | Fast Payment Systems: Preliminary Analysis of Global Developments

CONTENTS

1. SETTING THE CONTEXT   1

2. BACKGROUND  2
3. QR CODE USE CASES   4
4. CONSIDERATIONS  5
4.1. Security Considerations  6
5. TYPES AND USE CASES   7
6. QR CODE COMPONENTS   10
7. QR CODES IN THE CONTEXT OF FPS 11
8. QR SPECIFICATIONS 12
8.1. Customization of EMVCo’s Specifications  14
8.2. Alipay’s Specifications  14
8.3. EMVCo and Alipay—A Quick Comparison  15
8.4. Considerations while Arriving at QR Code Specifications  15
9. APPROACH TO STANDARDIZATION   18
10. CROSS-BORDER PAYMENTS VIA QR CODES   20
11. CONCLUSION  22
12. ACKNOWLEDGMENTS  23
13. APPENDIX  24

FINANCE, COMPETITIVENESS & INNOVATION GLOBAL PRACTICE

Payment Systems Development Group

© 2021 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW
Washington DC 20433
Telephone: 202-473-1000
Internet: www.worldbank.org

This volume is a product of the staff of the World Bank. The findings, interpretations, and conclusions expressed in this
volume do not necessarily reflect the views of the Executive Directors of the World Bank or the governments they represent.

The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations,
and other information shown on any map in this work do not imply any judgment on the part of the World Bank
concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

RIGHTS AND PERMISSIONS

The material in this publication is subject to copyright. Because the World Bank encourages dissemination of their
knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution
is given.
1 SETTING THE CONTEXT

The World Bank has been monitoring closely the development of fast pay-
ment systems (FPS) by central banks and private players across the globe.1
This comprehensive study of FPS implementations has resulted in a policy
toolkit. The toolkit was designed to guide countries and regions on the likely
alternatives and models that could assist them in their policy and implemen-
tation choices when they embark on their FPS journeys. Work on the FPS
Toolkit was supported by the Bill and Melinda Gates Foundation. The toolkit
can be found at fastpayments.worldbank.org and consists of the following
components:

• The main report Considerations and Lessons for the Development and
Implementation of Fast Payment Systems
• Case studies of countries that have already implemented fast payments
• A set of short focus notes on specific technical topics related to fast
payments

This note is part of the third component of the toolkit and aims to provide
inputs on quick-response (QR) codes from a payments perspective, with a
focus on fast payments. This topic is of high relevance, as adoption of QR
codes has been widespread in recent years, including as part of FPS imple-
mentations, owing to the multifold benefits that QR codes provide to both
merchants and customers.

| 1
2 BACKGROUND
QR code is a two-dimensional (2D) barcode.2 It consists of
black squares arranged in a square grid on a white back-
ground. Imaging devices such as smartphone cameras
can be used to read and interpret these codes.3 QR code
was created in 1994 by Denso Wave, a Toyota subsidiary,
to assist in the manufacturing process by tracking vehicles
and parts.4 Efforts were made to enhance the barcode tech-
nology to facilitate increased information storage, and after
various modifications, QR code took shape.
2D QR codes differ from traditional one-dimensional (1D)
barcodes primarily with respect to their information storage
and flexibility components.
Barcodes are scanned horizontally, so the data that can
be stored is limited to the single dimension. 2D QR codes,
on the other hand, have an additional dimension in which
FIGURE 1 Barcode and QR Code
Barcode
2 |
information can be written and scanned, thus increasing
its data-storage capacity. 2D QR codes store data horizon-
tally and vertically and can be read from any angle, making
them more flexible. 2D QR codes are also known to be more
secure and prone to fewer errors.
As mobile penetration increased, the initial push for QR
code in payment services came from market players as a
way to exchange the information required to initiate and/or
receive payments. QR codes are used either to convey the
account details of payees, or for payers to convey their pay-
ment account details to the payee. In the former case, once
the information is captured, a credit transfer to the payee is
initiated. In the latter case, a request to pay (RTP) is initiated
by the payee.
QR Code

QR codes have been prevalent in China since the early
2000s.5 Countries around the world have typically been
introducing QR code as an overlay service to their existing
mobile-payment options for cards and fast payments. QR
code is becoming increasingly common both among mer-
chants and customers, and it provides flexibility to support
the needs of both. Merchants and acquirers are attracted
to QR code primarily due to its low cost of acquisition and
maintenance, in comparison with traditional point-of-sale
devices or their equivalents. Smaller merchants typically
used to observe price as a barrier for digital payments, and
the introduction of QR code payments has lifted this barrier,
leading to smaller merchants transacting digitally. The ongo-
ing maintenance expenses for merchant-presented QR code
are limited to reprinting the sticker in the event of wear and
tear. Thus, the paper-based QR code (sticker) is cost effec-
tive.6 Cost centers to operate QR codes would typically be
similar to those seen in other acceptance infrastructure,
such as technology maintenance, security and fraud man-
agement, and dispute management and resolution.
The success of QR code use cases depends on their abil-
ity to meet customer needs and enhance their experience.
Scanning a QR code with a handheld device is easier than
entering bank account details or using an alias, such as a
mobile number. Moreover, QR codes provide the flexibility
of invoking various other peripheral services, such as redi-
recting to a merchant’s website or running promotional
campaigns, apart from facilitating payments (for example,
bill payments, invoice payments, installment payments).
Such services attract both merchant and customer adop-
tion of QR codes owing to enhanced customer experience.
Additionally, customers without bank accounts/cards can
FIGURE 1 Benefits of QR Codes
Low cost of acquisition User-friendly and
and maintenance provides enhanced
customer experience
The Use of Quick-Response Codes in Payments | 3
also leverage the QR code as a means of making transac-
tions through other payment instruments such as e-wallets.
Many financial institutions around the world, such as
banks, have been leveraging QR codes for a range of activi-
ties, such as marketing and promotional initiatives in which
QR codes link customers to additional details on a particu-
lar offer or scheme, provide details on social initiatives, and
allow customers to download a particular mobile applica-
tion to manage their bank account or credit card, among
others. QR codes can also be used for nonfinancial appli-
cations within the payments application. For example, they
can be used to link customers to entertainment portals and
to assert their identity and authentication.
Regulators and central banks around the world observed
success in select Asian countries and are working toward
advancing QR payments to digitize cash and also promote
financial inclusion. The Central Bank of Ghana recently
announced the launch of the Universal QR Code in a step
toward increased adoption of digital payments. PayPal has
also recognized the benefits associated with QR codes and
rolled out QR code payments via its mobile application.7
Similarly, WhatsApp has also introduced a new payment fea-
ture that enables users to transfer money by scanning QR
codes.8
QR codes have also seen increased uptake during the
COVID-19 pandemic. Payments made via QR codes limit
person-to-person contact and interaction and help com-
ply with social-distancing norms. QR codes are being used
to substitute for physical menus at restaurants, to provide
access to information and forms to be filled out to enable
contract tracing at restaurants and sporting events, and to
allow access to and payment for public transportation.
Flexible enough to invoke Limits person to person
peripheral services contact and facilitates
social distancing
3 QR CODE USE CASES
QR codes can serve as the initiation mechanism for both
push and pull payments, including at physical merchants,
in e-commerce transactions, for bill payments, and during
person-to-person transfers. The nonpayment-related sce-
narios in which QR codes can be used include the following:9
1. Redirecting to a merchant’s website
2. Running promotional campaigns
3. Allowing customers to download a mobile application to
manage their bank account or credit card
4. Linking employees to entertainment portals
5. Authenticating ID cards of employees at workplaces
6. Substituting for physical menus at restaurants
4 |
7. Providing access to information and forms to be filled
out to enable contract tracing at restaurants, sporting
events, and other venues
8. Allowing access to and payment for public transporta-
tion
9. Securing product/initiative details
10. Initiating a service request with a business
While the use cases related to payments can be standard-
ized from the perspective of a unified customer experience
and security aspects, the nonpayment-related use cases can
typically be proprietary.
4 CONSIDERATIONS
Despite the multiple advantages of QR code payments,
the following considerations may inhibit the growth of this
channel:
• QR code payments may be subject to legacy bias. While
QR payments are gaining popularity in emerging mar-
kets, their growth has been slow in some more devel-
oped markets, such as the United States and Australia,
where consumers and merchants have a predisposition
toward card-based or tap-and-go payments. Neverthe-
less, there is growth potential in these markets, owing to
the scope for innovation offered by QR codes.
• It is critical to establish the benefits of digital payments
in general over cash to facilitate adoption by merchants.
This could be accomplished by emphasizing the cost of
handling cash versus digital payments—QR code pay-
ment costs are potentially lower, depending on how the
acquirers structure their pricing—or by promoting addi-
tional merchant services in conjunction with QR pay-
ments, such as insurance and payment reconciliation,
among others. In this regard, countries such as Mexico
have introduced QR payments with no fees for the mer-
chant, to replicate the perceived benefits of cash while
encouraging merchants and consumers to enter the dig-
ital ecosystem.
• QR code merchant payments have several key enablers
and interdependencies, such as device affordability,
given the need for smartphones for the most seamless
experience, internet connectivity, wallet/bank account
penetration, and merchant distribution. These need to be
addressed to enhance the success of this access channel.
• The lack of harmonization and interoperability of QR
specifications could affect customer experience. Because
multiple providers have their own QR codes, consum-
ers are required to use multiple applications to transact
with different merchants. This could be cumbersome
and time consuming, and it could deter consumers from
transacting via QR codes. There should also be a focus on
user-journey standardization for both end users (registra-
tion, scanning, and final payment) and merchants (regis-
tration, payment confirmation, and final reconciliation),
as the learning curve is significant when using the ser-
vices of a particular payment service provider (PSP). This
keeps users and merchants from switching to a different
PSP and discourages healthy competition among PSPs.
• A delay in the onboarding process due to know-your-
customer compliance, document collection, verification,
and updates will apply for QR code-based acceptance
and can be a challenge for prospective merchants and
acquiring entities, such as payment aggregators and
acquiring banks.
• Language and currency may be a constraint even with
interoperable QR codes. Supporting multiple currencies
and languages can be explored to ensure that customers
in different countries can work in their native languages
and currencies.10
| 5
6 | The Use of Quick-Response Codes in Payments
• PSPs need to bear in mind that, to expand into rural areas,
they may have to spend more time, money, and effort
disseminating training material and building awareness
among merchants and customers.
• There may be restrictions on who can develop QR
functionalities. For example, in Mexico, merchants and
developers that want to develop solutions for CoDi (FPS
service in Mexico) have to go through a special process
that includes generating a letter of intent and a business
case, signing a confidentiality agreement, and certifying
the solution with Banco de México.11
4.1 SECURITY CONSIDERATIONS
Security aspects related to QR codes, including fraud com-
mitted by replicating the QR code, identity impersonation,
and data protection, need to be carefully assessed. Invest-
ments in back-end security are necessary to ensure secure
data transmission and storage. There should be adequate
focus on monitoring and enhancing security at the physical,
network, and application infrastructure levels.12
• Payment applications should provide users with a deeper
understanding of security. The merchant name and
masked credentials can be displayed in the app after
scanning a QR code, to enable safe transactions.13
• Details of a payment transaction should be displayed for
validation before a payment is processed. The service
should also be complemented by real-time notifications
to both the payer and the payee.
• Steps should be taken to verify the identity of the payee,
particularly when the QR codes are used in an RTP
framework.
• Third-party entities can conduct the security test and
security audit of the application being used for QR code–
based payments.14
• Person-to-business QR scans should display meaningful
user-friendly names to the payer. Generic names such as
“Verified Merchant” or “<Payment app> Merchant” make
it difficult to build trust in the system and may lower mer-
chant and customer experience.15
• EMVCo believes that the security principles for QR
codes should be similar to those for any software-based
mobile-payment mechanism. On this basis, the typical
layered approach should be considered depending on
the implementation itself, with data-at-rest security,
data-under-processing security, and data-transmission
security.
• To drive security and reduce fraud, similar to what hap-
pens with a contactless transaction, the EMV16 QR code
specification does not transmit any confidential infor-
mation.
Additionally, Ant Group has been working with experts from
different markets in ISO/TC68 Financial Services/SC2 Secu-
rity/WG19 Security on aspects of code-scanning payment,
to establish the new ISO 5201, an international standard on
financial services for code-scanning payment security. The
standard17 covers security issues related to code-scanning
technologies used for payments and includes an overview,
a risk assessment, and minimum security requirements and
extended security guidelines for code-scanning payment,
where the payer uses a device to operate the payment
transaction. The standard is applicable to cases where the
code is both used to initiate a payment transaction and pre-
sented by the payer or the payee.
5 TYPES AND USE CASES
QR codes are classified based on two broad dimensions: the
type of information (static or dynamic) and the presenter
of the code (that is, merchant or consumer). The following
types and use cases of the QRs are based on these dimen-
sions.
• Merchant-presented static QR code: These QR codes
contain a fixed (static) set of data and cannot be overwrit-
ten once generated. They are presented by merchants to
consumers to initiate payments by scanning the QR code.
QR code payments usually tend to kick-start with this cat-
egory of QR codes, and they have been observed to be
especially suitable for emerging markets and small mer-
chants, as they are cost effective. (The cost is usually that
of printing the QR code sticker.) In markets dominated by
feature phones, customers who use feature phones that
cannot scan QR codes can manually key in the number
printed adjacent to the merchant’s QR code sticker (for
example, the merchant ID) to initiate a USSD dialogue
to complete the transaction.18 However, there are limita-
tions with such stickers related to security and constraints
for offering value-added services owing to their static
nature. To overcome these limitations, dynamic QR codes
came into force.
• Merchant-presented dynamic QR code: These QR
codes are generated dynamically and thereby provide
the option of customizing/changing data for each scan
(for example, transaction-specific data such as the trans-
action amount and transaction cryptogram). Such QR
codes are presented by merchants to consumers through
a point-of-sale terminal or smartphone to initiate push
payments by scanning the QR code. Dynamic QR is more
secure, and cryptographic techniques and time stamps
can be applied for verification. Select use cases have
been highlighted below.
– Merchant-presented dynamic QR codes could be
used to prefill transaction-dependent data, such
as the transaction amount and details of goods, to
enhance the payment experience.
– They could be used in promotional campaigns as
promotional codes that are circulated via email or
text message and entitle customers to a discount.
The QR code can be displayed at a store, and the
discount can be taken while making a purchase.
– They could become an entry point to various kinds
of value-added services, as merchants can push their
own digital services using these codes. For example,
scanning a QR code at a restaurant could lead to a
menu through which customers could place their
orders and make payments digitally.
While the use cases listed above are for merchants, similar
use cases may also be used for person-to-person transac-
tions. Specifically, QR codes can act as a person-to-person
transfer code that allows one person to collect or request
money from another person. QR codes are also becoming
increasing popular in advertisements as means of offering
access to additional product details, redirecting readers to a
page with a video/trailer, and facilitating e-commerce trans-
| 7
8 | The Use of Quick-Response Codes in Payments

FIGURE 3 Payment Flow for Merchant-Presented QR Code

NETWORK
3 Transaction initiation

4 Transaction outcome

MOBILE TRANSACTION POI MERCHANT ISSUER

2 Scan 4 Transaction outcome

PAYMENT NETWORK
1

Displays Displays Point of Initiation (POI)

transaction transaction generates QRC based
result result on merchant details
ACQUIRER

1 Merchant generates and displays QR code based on merchant details

2 Consumer scans QR code using a mobile application to initiate the transaction, with CDCVM if required
3 Mobile application sends the transaction initiation request to the Network
4 The Network processes the transaction and informs the Merchant and the Consumer of the transaction outcome

Source: EMVCo

actions. Consumers can scan QR codes displayed at check-
out during an online transaction instead of providing card
details. Consumers can also scan the QR code associated
with a product in a store and save the code in their cart to
purchase later. Social networks, such as WhatsApp, are also
leveraging QR code scanning to make it easy for customers
to initiate conversations with businesses that have official
WhatsApp accounts.
Typically, only a few steps are involved on the merchant’s
end to generate and display a QR code. As an illustrative
example, the following steps are involved for a merchant to
generate the Bharat QR Code (India):
1. Have a bank account
2. Link bank account with the BHIM application19
3. Generate unique Bharat QR Code from the BHIM appli-
cation
4. Print the QR code and paste it inside the store in a place
where it is clearly visible and convenient for customers to
scan using their mobile phones
• Consumer-presented QR code: These QR codes are
generated by consumers (payers) on their smartphones,
and the merchant uses an optical scanner to scan them.
The consumer-presented mode (CPM) has fewer oper-
ational steps on the consumer side and brings more
control on the merchant side. It is important for consum-
er-presented QR codes to be dynamic and to have short
expiration times, to prevent fraud and control risks. This
mode may be less suitable for regions with low smart-
phone penetration. Select use cases have been high-
lighted below.
– Consumer-presented QR codes can be used to make
payments for transportation, such as on buses or
trains, by placing the QR code in front of an installed
scanner.
– Large merchants that wish to upgrade to newer
devices for scanning 2D QR codes or that wish to
reuse existing barcode-scanning equipment to scan
1D barcodes20 prefer this type of QR code imple-
mentation.
 The Use of Quick-Response Codes in Payments | 9

FIGURE 4 Payment Flow for Consumer-Presented QR Code

Consumer presented

PAYMENT
MOBILE QR Code POI ACQUIRER NETWORK ISSUER
APPLICATION Reader MERCHANT
Auth request
with EMV data
Scan
Auth response

Transaction
result Decode QR and
extract chip data

Source: EMVCo

1D barcodes have been adopted in multiple markets, typ-
ically in combination with a 2D QR code containing the
same information, so that merchants can accept digital
payments using the most convenient equipment. China is
an advanced market where 1D barcodes for consumer-pre-
sented modes of payment are widely accepted, and the use
of both merchant-presented and consumer-presented QR
codes is expanding as well.
Merchants accept payments through one or a combina-
tion of the above types. While the static QR codes offer basic
functionalities, dynamic QR codes expand the offerings and
provide heightened security. Additionally, the dynamic mer-
chant-presented mode (MPM) has the potential to offer
richer services and functionalities, whereas CPM reduces
the steps on the consumer side. Overall, the merchant-pre-
sented QR code has been taken up more prominently in
countries around the world, while the consumer-presented
QR code is more common in urban areas of more advanced
QR markets, such as China.
The QR code solution provider can provide the option
of using different sources of funds to make payments. The
wallet/mobile app used by consumers typically asks them to
select their preferred payment method. In India, the BHIM
QR code can be used to make payments via a mobile wal-
let or a bank account linked to the wallet, while the Bharat
QR Code can be used to make payments through a bank’s
application via a debit or credit card offered by the bank.
Some QR codes have a four-party scheme, where four
roles are involved in the payment flow: a customer, the
provider of the consumer digital wallet, the acquirer of a
merchant, and the merchant. If the digital wallet and the
acquirer are different institutions, it is called the four-party
scheme. Others have a three-party scheme; when the digital
wallet provider and the acquirer in the payment flow are the
same institution, it is called the three-party scheme.
6 QR CODE COMPONENTS
The data components of QR codes differ for card transac-
tions, for mobile-money payments, and for fast payments.
The differences in the payment methods can be elaborated
with the following scenarios:21
Card-based transaction: In the case of the UnionPay solu-
tion used in China (card token) pertaining to CPM, both
barcode and QR code are supported. In the case of EMVCo
solution, only QR code is supported, but card token and chip
information can be used.
Mobile-money (or wallet-based) transaction: An MPM
code contains the merchant’s identifier, and a CPM code
contains the user’s account token. When making a payment,
10 |
users can choose from different sources of funds accessible
from their mobile-wallet application—for example, a wallet
balance, a debit card, a credit line, promotional benefits, or
a combination.
Fast Payments: In the case of PromptPay (Thailand’s QR
code), which supports only MPM, the bank account of the
payee is contained in the code. The payer can choose from
their linked bank accounts to pay. Inter-bank transfer and
collection is possible based on PromptPay network infra-
structure.
7 QR CODES IN THE CONTEXT OF FPS
QR code is an access channel that can accommodate differ-
ent types of payments, which are cleared in different types
of systems and not limited to FPS. QR-based payments
are predominantly used in the retail environment—that is,
where a consumer pays a merchant for goods/services pro-
vided (usually in store yet possibly online). For such payment
flows to add value, the merchant should receive a (nearly)
instant confirmation of payment to be willing to hand over
the goods/services to the consumer. The most evident way
to accomplish this is the scenario in which instant confirma-
tion follows the actual instant transfer of funds—that is, as is
the case in a FPS.
Over the last few years, FPS globally are introducing QR
code as an access channel. As early as 2011, Alipay launched
a code-scanning payment product in China. Due to its low
usage cost and good user experience, it soon became pop-
ular in China and has been adopted by more and more dig-
ital wallets. Subsequently, in 2014, WeChat also launched a
code-scanning payment product, further popularizing QR
code in China. Countries such as Australia, Bahrain and Mex-
ico offer merchant-presented QR capabilities, while a few
countries, such as China, India, Malaysia, and Thailand, offer
both merchant-presented and consumer-presented QR
capabilities. Mexico and Hong Kong SAR, China are con-
sidering consumer-presented QR codes in their road map.
Adoption of this channel is observed to be picking up in
most developing countries.
An advantage that QR codes offer is that they lie at the
interface. They allow the flexibility of following a phased,
modular approach and making changes and innovations
at the interface without making many changes at the back
end, due to their limited link with FPS. Many countries have
included the QR code access channel as an overlay service or
an application over the FPS. Countries that offer the QR code
access channel through overlay mobile applications include
Australia (Osko), Mexico (CoDi), and Singapore (PayNow).
The security of the physical point of sale has been
strengthened over time, and similar security measures for
QR codes are evolving. One of the techniques adopted for
ensuring security is checking for modifications in the QR
code by comparing merchant data on the server side and
seeking confirmation from the customer that the merchant
is the one the customer wishes to pay. A similar technique
is applied in India’s Unified Payment Interface (UPI) using
a signed QR functionality, wherein the QR code signed
by the merchant using its private key is verified using the
merchant’s public key in UPI, and the customer is notified
in case of discrepancies. It is important that security mea-
sures are applied at the back end through risk engines that
analyze transactions that have passed through the system.
Security risks should be identified throughout the entire
process of scanning and making payments. Adequate
focus should also be given to application and back-end
payment system security.
| 11
8 QR SPECIFICATIONS
Various QR specifications are being adopted by different
systems (for example, FPS, mobile-money operators, and
card schemes). Some FPS, such as PromptPay in Thailand,
FPS in Hong Kong SAR, China, PayNow in Singapore, and
Osko in Australia, have based their QR specification on EMV-
Co’s QR specifications.
EMVCo’s specifications are publicly available for countries
to adopt and flexible enough to accommodate different use
cases and to cater to local and business needs. The specifi-
cations can be adapted to many payment systems and are
available royalty free on the EMVCo website.22 For example,
in Singapore, by reading the same QR code, a consumer
can select the best way to pay from eight payment systems,
both international and domestic. (See figure 5.) The brand
logos indicate to the consumer which payment system/
application can be used for the QR code.
FIGURE 5 Example of QR Code in Singapore
12 |
There are predefined data fields for the transmission
of data between the reader and provider. The EMV mer-
chant-presented QR code specification defines existing
fields, including card-based and account-based payments,
and allows other payment-solution fields to be added to
accommodate different use cases. Another key reason for
using EMVCo’s QR specification has been enabling future
interoperability, as these specifications are being adopted
by various operators and participants.
Similar to chip transactions, EMVCo defines a set of data
that could be included in QR codes (merchant presented
and consumer presented), but the data always depends on
the use case and the implementation.
The EMV merchant-presented QR code includes the fol-
lowing information:23
• The conventions used for the QR code content, such as
the Payload Format Indicator, which defines the version
of the QR code template and hence the conventions on
the identifiers, lengths, and values
• Merchant account information, including information
about the merchant account
• Additional information about the merchant, such as its
name, city, and postal code
• Information about the transaction value, if known, such
as the amount and currency
• Additional data in support of various use cases, such as
the bill number, mobile-phone number (of the merchant
or customer), and the purpose of the transaction

BOX 1 EMVCo’s QR CODE SPECIFICATIONS
EMVCo is an organization that facilitates interoperability
and secure payment transactions. Its activities are over-
seen by its six member organizations: American Express,
Discover, JCB, Mastercard, UnionPay, and Visa. EMVCo
commenced its QR code payment activity in 2016. It
has developed QR specifications for QR code payments
to promote global interoperability and security. Dozens
of organizations from around the world participate as
EMVCo associates and subscribers, contributing their
knowledge and expertise to the EMV specifications.
EMVCo’s CPM and MPM specifications support both
static and dynamic QR codes. For CPM, the solution is
compatible with EMVCo’s existing payments ecosystem
and infrastructure. The specifications for the two modes
In the case of EMVCo’s CPM,24 the high-level functionality
of various components of the QR code-processing architec-
ture on the consumer device is summarized below.
• Mobile application/wallet: A consumer-facing user inter-
face application provided by the issuer, merchant, or a
third-party and provisioned to the consumer’s mobile
device. It includes the functionality to encode the pay-
ment credentials based on this specification and then
displays the resulting QR code.
• QR code payload: The payload, consisting of a perma-
nent account number, payment token credentials, and/
or other data, converted to base 6425 and encoded in a
QR code.
The merchant device has the following two components:26
• QR code reader: Scans the QR code, decodes it, and
sends the data recovered to the point-of-interaction sys-
tem. This data constitutes the base 64–encoded QR code
payload.
• Point-of-interaction application: The application devel-
oped by the point-of-interaction vendor to process
the base 64–encoded QR code payload. Its functions
include decoding the base 64 payload, parsing the data,
checking the content and format, and processing the
transaction.
Quick-Response Codes | 13
are different. The CPM is in line with EMV’s four-corner
model, where the QR code is used to transmit consumer
data, similar to how it is done with a mobile phone/con-
tactless card. The MPM does not necessarily follow the
four-corner model, and the list of data to be transmitted
is different. However, the high-level format for the two
is the same: IDLV (IDentifier, Length, and Value). Many
countries have already established or are in the process
of establishing their QR specifications based on EMV-
Co’s specifications and incorporating their own coun-
try-specific customizations. EMVCo has seen growing
interest in the EMVCo specifications in Africa, Europe,
Asia, and South America.
In India, Bharat QR Code is based on EMVCo merchant-
presented QR standards, which allow interoperability
across banks and card schemes. It supports all card pay-
ment network credentials and has provisions for domes-
tic payment methods, such as UPI/proprietary payment
methods.27 A similar case is that of the QR code standards
established in Nepal.28
In Hong Kong SAR, China, EMV QR standards were
adopted because they are well established and ensure eas-
ier interoperability. They would make it easy for other PSPs
to migrate their QR code standards to the one common
QR code. Not much localization or customization is needed
to the EMV standard QR code. EMVCo focuses on the data
transmission. The format specified by EMVCo provides
a way to encode QR code data that is flexible, to accom-
modate all needs, including the support of proprietary QR
code. EMVCo’s specifications are flexible enough to add as
many data fields that a country may wish to add. The com-
pany also has a process in place to adapt specifications to
specific needs, and it is open to discussions with stakehold-
ers when needed. EMVCo will consider any changes to or
customizations of specifications, to avoid a negative impact
on interoperability and security. EMVCo’s QR specifications
also have scope to accommodate future requirements. The
specifications are dynamic and can be updated based on
market needs and feedback received.
14 | The Use of Quick-Response Codes in Payments
8.1 CUSTOMIZATION OF EMVCO’S SPECIFICATIONS
Customization of EMVCo’s QR code, in the MPM, includes
customizations of the merchant ID, merchant category
code, transaction currency, and language. Customization
also refers to, and varies according to, each payment system
supported. Details of select QR code payment platforms
with customized specifications have been provided based
on findings from stakeholder interviews.
For instance, custom-built specifications were preferred
for Mexico’s CoDi, to cater to customized needs. While the
strengths of existing specifications, including those pre-
scribed by EMVCo, were acknowledged, CoDi developed its
specifications to account for enhanced security measures.
Existing specifications were observed to be designed to
cater to the needs of more developed countries with limited
fraud. The main differences between CoDi specifications
and EMVCo’s specifications are the encryption capability
and representation format (json). Complete data encryption
is not supported by EMVCo. To avoid the alteration of data,
including the account number and recipient’s name, CoDi’s
QR codes are encrypted and generated only by previously
validated users. Given that CoDi’s QR codes are encrypted,
the payee is required to send a request to the CoDi platform
for validation in order to process the payment. As part of
that process, the CoDi platform also validates that CoDi’s QR
codes correspond to the agent that requested the payment
by validating the key on it. The transaction flow for a CoDi
QR code payment is below.
Payee generates an encrypted CoDi QR code, which con-
tains an RTP message, using an app previously registered
and certified by Banco de México. Encryption involves the
use of a key available only to the payee’s RTP-generation
app and CoDi’s platform.
i. Payer scans a QR code using a financial app.
ii. The payer’s financial app is incapable of decrypting
the scanned QR, so the payer’s financial app sends the
encrypted QR code to CoDi’s platform (web service).
iii. CoDi’s platform decrypts the QR code and validates its
content.
iv. If the validation is successful, the payer’s financial app
receives an encrypted message (only visible on the pay-
er’s financial app and CoDi’s platform) including a key to
decrypt the QR code generated previously by the payee.
The key is valid for the decryption of only this particular
QR code.
v. Payer’s financial app displays the payment information
generated in the payee’s RTP.
vi. Payer validates and accepts the payment for the RTP;
thus, the transfer order is generated.
vii. The transfer order is settled—through the Interbank
Electronic Payment System (SPEI) or in the financial insti-
tution’s core system if the payer and payee accounts are
in the same financial institution—and the financial insti-
tutions for the payee and payer are notified.
viii. Payee’s financial institution notifies CoDi’s platform
when the payee’s account has been credited.
ix. CoDi’s platform sends a push notification to the financial
institution’s apps (payee and payer).
The specific security aspects on which Banco de México
focused included enhanced security to avoid the imperson-
ation of an individual or business entity; enhanced security
to avoid an information security breach through the encryp-
tion of RTP messages; the elimination of the possibility of a
name change in an RTP message by carrying out onboard-
ing through an electronic certification; and higher message
sizes in ISO standards compared with proprietary standard.
CoDi’s specifications support both static and dynamic mer-
chant-presented QR code. The development of consum-
er-presented QR code is in their future road map.
Although both Singapore and Thailand are using EMV-
Co’s standards to define QR specifications, the countries
have made several customizations based on local require-
ments. This limits interoperability between the two QR spec-
ifications.29 As per the EMV QR code specification for MPM,
merchant account information values 26 to 51 are reserved
for any payment networks. On this basis, there are some cus-
tomizations on Thailand’s QR specifications. However, the
allocation of these values is out of scope for EMVCo and must
be agreed between the local payment systems that need
such a value. Thus, payment systems using EMVCo specifi-
cations should locally align to ensure that there is no conflict
with other payment systems using EMVCo specifications.
8.2 ALIPAY’S SPECIFICATIONS
In China, QR code payments are made through two of their
most popular mobile-payment platforms: Tencent’s WeChat
Pay and Alibaba’s payment arm, Alipay.30
Typical scenarios where an Alipay QR code is used have
been included below.31
• Online payment: A user of KakaoPay (the biggest digital
wallet in South Korea) makes a purchase on AliExpress or
Bigo (an e-commerce website). The merchant displays the
QR code for the user to scan with KakaoPay to complete

BOX 2 ALIBABA’S ALIPAY QR CODE STANDARD
Alibaba’s Alipay QR code standard refers to a set of uni-
versally adopted barcode standards. Both a digital wal-
let and a merchant’s acquirer can issue codes. Currently,
the Alipay QR code standard has been widely applied in
three-party and four-party schemes for online payment
and cross-border in-store payment scenarios. Alipay’s
QR specifications support static and dynamic QR codes,
as well as merchant- and consumer-presented QR codes.
Different types of QR codes address different needs
and provide the opportunity to innovate. For example,
the consumer-presented QR code is used during trans-
portation and to transact using digital wallets, while the
merchant-presented QR code is usually displayed at
merchant shops. Alipay’s specifications are compatible
with both 2D QR codes and 1D barcodes. Its specifica-
tions follow the minimum data concept to reduce the
cost of upgrading and enhance flexibility, where the
the payment. AliExpress or Bigo as a merchant presents
the QR code issued by their acquirers according to Alipay’s
QR code standard. After the user scans the code, KakaoPay
gets order information upon decoding by the acquirer and
guides the user through the remaining payment process.
• In-store payment: An Alipay China user makes purchases
at merchants in Japan. The user displays the QR code or
barcode in the wallet, and merchants of many different
acquirers can scan the code to initiate the collection
process. After the merchant scans the QR code, it then
passes the code value to the corresponding code issuer
through its acquirer. The code issuer verifies the code
and deducts from the corresponding user account.
8.3 EMVCO AND ALIPAY—A QUICK COMPARISON
Alipay and EMVCo’s QR specifications have certain differ-
ences. Alipay’s standard is based on the Unified Modeling
Language (UML) format, while EMVCo’s format is the Inter-
active Data Language (IDL). For MPM, the payload data ele-
ments are similar for both specifications. The differences are
mainly in the code design philosophy—that is, whether to
put all the data elements or minimal data (just the address
and identifier to access online resources) into the code and
obtain the payload data elements from a trusted server. For
the CPM, the payload data elements needed for Alipay’s QR
The Use of Quick-Response Codes in Payments | 15
QR code holds minimum data and the remaining data
is extracted and processed at the back end through a
unique ID. For example, an identifier consisting of two
parts—a code-issuer ID (that is, merchant, acquirer, and
so forth) and tokenized user account information that
enables the code issuer to identify the user account—
is stored in the consumer-presented QR code, and the
remaining data is processed at the back end. Similarly,
data in the merchant-presented code is positioned as
an identifier to access/direct to the merchant’s online
resources or services. Alipay’s specifications are suitable
for both domestic and cross-border scenarios. Alipay
can customize its technical solutions to support other
QR code standards for compatibility. For example, Ali-
pay’s QR code specifications are compatible with other
specifications such as Singapore Quick Response Code,
which is based on EMVCo’s specifications.
code and EMV’s QR code specifications are the key differ-
ence. In terms of infrastructural differences between the two
specifications, for MPM, the scanning capabilities of mobile
devices are the same for both EMVCo’s specifications and
Alipay’s specifications. For CPM, on the other hand, Alipay’s
code can be processed by 1D barcode scanners and 2D QR
code scanners, whereas EMVCo’s code can be processed
only by 2D QR code scanners.
Industry collaborations help EMVCo accommodate all
other specifications through constant feedback. As per EMV-
Co’s knowledge, EMVCo’s specifications are flexible enough
to support all other formats. So far, EMVCo has not received
feedback that its specification does not cater to a particular
region’s desired format.
EMVCo’s format is flexible enough to accommodate Ali-
pay’s format (example in Singapore). The approach is differ-
ent for CPM and MPM payments. These have been described
in the appendix.
8.4 CONSIDERATIONS WHILE ARRIVING AT
QR CODE SPECIFICATIONS
It is imperative to note that the QR code specifica-
tions are highly tailored to specific business requirements.
On the one hand, this has allowed newer services to be
offered through QR codes. On the other hand, it has
16 | The Use of Quick-Response Codes in Payments

FIGURE 6 Factors for Arriving at QR Code Specifications

Types Technology Standardization Security

Assess whether they
want to support both
merchant-presented and
customer-presented
QR payments, and both
dynamic and static
QR codes
Evaluate what tech-
nology will be adopted
based on local infra-
structure available with
merchants and mobile
internet infrastructure
Understand whether Establish security standards
standards available in and relevant practices to
other markets can be fulfill requirements on
adopted, and tailor security, data protection,
specifications to be and compliance
compatible with them

created a proliferation of QR codes in the market, harm-
ing compatibility and customer experience. Hence, har-
monizing QR specifications has become the need of
the hour. Achieving harmonization through standard-
ization will improve service levels and user experience,
heighten security, lower cost, and provide interoperability
between players in different markets, and it will encour-
age more and more smaller merchants to go digital.
While deciding whether to support static or dynamic QR
codes, factors such as the availability of the supporting infra-
structure, the penetration of mobile devices and technology,
and the penetration of smartphones need to be assessed.
In developing countries, the static QR code has had a more
prominent uptake due to lower associated infrastructural
expenses and ease of use. Similarly, the merchant-presented
QR code can be considered in jurisdictions with limited
literacy levels and where the willingness to experiment is
limited. Consumer-presented QR code can be introduced
as a follow-on to merchant-presented QR code when the
need arises, or in more digitally advanced markets with high
smartphone penetration.
Additionally, before building a QR specification, it’s
important for the standard setter to define clearly its QR
payment business models, including what the target mar-
ket segments are and what the business requirements are,
including application scenarios (for example, in-store and/
or online to offline payment, transportation, promotion)
and cross-border scenarios. Based on the targeted business
model, corresponding standards and specifications should
be built.

TABLE 1 Detailed Considerations for QR Code Specifications
STATIC
MPM 1. L ow implementation cost and convenient
deployment
2. Save cashier’s efforts
3. A
 pplicable scenarios: Static codes are applicable to
merchants who can use sticker materials. Merchants
do not need to participate in the payment process
but only need to receive payment notification
and confirm the payment results, which makes it
especially convenient for small and micro merchants
to conduct in-store payment businesses at low cost.
In some scenarios, static codes are also used as
the entry point to a series of experiences, such as
shopping cart, checking out, obtaining promotional
benefits, and redeeming benefits. All these
diversified application scenarios are supported by
URL-based QR code. The URL-based code standard
has unique advantages here, as it’s widely supported
by underlying internet applications.
CPM No application due to security concerns.
Source: Own elaboration
The Use of Quick-Response Codes in Payments | 17
DYNAMIC
1. Higher requirement for point-of-interaction terminals
2. The merchant generates an order containing the payment
amount. After scanning the code, the user needs only to
confirm the order information without entering the payment
amount. This makes the experience smoother and reduces
the error rate.
3. A
 pplicable scenarios: Dynamic codes are applicable to
terminals with a display screen, and order codes better suit
scenarios such as vending machines.
1. W
 allets need to have the ability to generate code in online
and offline environments (with higher technical
requirements).
2. The CPM barcode displayed by a user is a payment token
generated with the user’s authorization. The code is refreshed
regularly, and each token can be used only once at most to
improve payment security.
3. M
 erchants participate in transaction confirmation, which
reduces the error rate.
4. Merchants must have a scanner, which can be any device
with optical recognition capability, such as a smart point of
sale, a “small white box,” or even mobile phones or tablets
in which a merchant code-scanning collection app has been
installed. For 1D CPM barcodes, a traditional barcodeStandardization
scanner
can be reused. Hence, for most supermarkets, no additional
investment is needed.
5. T
 he interaction is faster. It is suitable for small-amount and
high-frequency traffic scenarios that are speed sensitive.
6. Applicable scenarios: Large and medium-sized merchants
with code-scanning ability.
Security
9 APPROACH TO STANDARDIZATION
Standardization is necessary both at the country level and
globally. One critical target of standardizing QR code speci-
fications is enabling interoperability, so that merchants enjoy
a unified solution to reach more consumers while consum-
ers enjoy a unified payment experience at more merchants.
To fulfill this requirement, it’s necessary to build unified
standards to identify payment code issuers, rules for rout-
ing transactions, and standardized information exchange
and processing. Interoperability can also produce cost effi-
ciencies and enable superior risk management. On a global
level, countries have recognized the need to adopt stan-
dardized specifications. Standardization of a specific chan-
nel is delinked from the way different payment systems are
connected; thus, the standardization of the QR code can
be addressed independently. It is important for providers
to work toward harmonization and build compatible plat-
forms at this stage. QR code interoperability can be achieved
by harmonizing QR code specifications, as is the case with
different EMVCo-compliant QR codes, and through harmo-
nization via API and/or back-end integration.32 The harmo-
nization of QR code specifications is at the front end, while
API harmonization is at the back end. Interoperability can be
achieved using either of these two mechanisms.
In the recent years, many countries have also realized the
need to establish a standard QR specification for use across
payment systems, owing to interoperability issues and the
subsequent lowering of customer experience. The following
approaches are being taken in this regard at different levels:
• In India, there are two QR specifications: Bharat QR and
UPI QR. The two QR code specifications were launched
18 |
at different times; hence, they coexist. Initiatives have
been taken to make Bharat QR and UPI QR interoperable,
so that customers can pay as per their will, regardless of
the app they are using.33 This has countered the incon-
venience associated with multiple QR codes for differ-
ent wallets, for the merchant as well as the customer. In
October 2020, the Reserve Bank of India announced that
payment system operators that use proprietary QR codes
in India should shift to one or more interoperable QR
codes by March 31, 2022, and that no new proprietary
QR codes could be launched by any payment system
operator for any payment transaction. This measure aims
to reinforce the acceptance infrastructure, provide better
user convenience due to interoperability, and enhance
system efficiency.34
• In many countries, such as Malaysia, Thailand, and Singa-
pore, regulators, central banks, or payment councils have
taken a national approach to defining common QR spec-
ifications. Singapore recognized the need for standard-
ization when consumers saw various e-payment solutions
at merchant shops and had to check manually if their
preferred method was accepted and merchants faced
logistical constraints of supporting multiple QR codes.
Thus, to promote interoperability, Singapore launched
the Singapore Quick Response Code by setting up a
task force comprising members from payment schemes,
issuers, acquirers, banks, and government agencies to
enforce standardization of e-payments in the country
across providers. The code specifications are based on
the specifications issued by EMVCo.35

• The regulator in Hong Kong SAR, China issued common
QR specifications for retail payments for the MPM based
on EMVCo’s specifications to facilitate interoperability
with the international standard. This standard was devel-
oped in consultation with industry players, but leeway is
given to providers in terms of adoption, so that it can be
driven by market needs and as per industry best prac-
tices and business considerations. The common QR code
solution enables merchants,36 especially small and medi-
um-sized enterprises, to convert multiple merchant-pre-
sented QR codes that are in accordance with the standard
into a single code for accepting different payment
schemes, instead of displaying multiple QR codes to their
customers, to enhance user experience and convenience.
The common QR code enables each PSP to put its own
relevant information in the combined QR code into a
standard form. While this is the case, the common QR
code itself would not enable payments across different
payment schemes unless the concerned PSPs made both
technical and commercial arrangements bilaterally or in a
multilateral arrangement to enable interoperability. While
merchants in Hong Kong SAR, China are not mandated to
adopt the common QR code, to promote the wider use
of mobile retail payments and bring greater convenience
to customers and merchants, the Hong Kong Monetary
Authority encourages relevant PSPs in Hong Kong SAR,
China to adopt and support the standard. Any PSPs,
including those that are not participating in FPS, mer-
chant acquirers, or merchants may adopt the standard.
• Additionally, a common national QR code mobile appli-
cation (Hong Kong Common QR Code), which is a tech-
nical solution, has also been launched in Hong Kong SAR,
China. Various QR codes can be fed as input to generate a
common QR code as an output for scanning by consum-
ers, thus addressing the issue of multiple QRs without
standardizing all the specifications, therefore encourag-
ing compatibility. The application follows the rules and
requirements as set out in the standard to combine the
QR codes provided by participating PSPs as listed in the
mobile application. So merchants may contact their PSPs
and request QR codes that conform to the standard and
use the mobile app to create a common QR code.
• In Thailand, Mastercard, UnionPay International, and Visa
have introduced a Standardized QR Code for payments to
support the Bank of Thailand’s cashless agenda to drive
innovation, interoperability, and security in payments. To
pay, consumers holding a Mastercard, UnionPay, or Visa
card simply use a mobile application that supports the
Standardized QR Code to scan the merchant-presented
The Use of Quick-Response Codes in Payments | 19
QR code.37 Based on these specifications, which were
developed through industry collaboration, MyPromptQR
was launched in September 2019.38
• In Australia, while the EMVCo-compliant QR codes of
New Payments Platform Australia and BPay have pene-
trated the market to some extent, uptake of QR codes
has not been as significant as in markets such as China
and other Asian countries. Australia is experiencing a
large uptake in tap-and-go payments due to the conve-
nience associated with them. Consequently, the demand
for QR hasn’t been large.
• Mobile-money providers are also expanding the value
of their specifications by expanding their footprint and
collaborating with other providers. For example, Tencent
has announced that it is sharing a common QR code
system for mobile payments with China’s state-owned
UnionPay, under a new partnership. With the common
QR code system, merchants could provide the same code
for making payments to users of WeChat Pay and Union-
Pay’s Quickpass.39
• To enable Chinese Alipay consumers to pay in different
markets with their home wallet, Alipay has worked out
multiple technical solutions to support the QR specifica-
tions of different countries with minimal impact on the
customers’ payment experience.
• Under MPM, Alipay started issuing the Singapore Quick
Response Code according to the Alipay standard in 2018
and the standard for the Network for Electronic Transfers
of Singapore (NETS) in 2019.
• Different CPM QR/barcode specifications can cause
compatibility issues for consumers when paying, which
means they have to switch to different codes in differ-
ent countries. To address this, Alipay has designed a CPM
QR/barcode standard to support both local and inter-
national scenarios, so that consumers can use one CPM
code at more merchants in different markets.
While the standardization wave is making its way across the
globe, the challenge for achieving standardization is that
the payments ecosystem is very large, and it is critical to
onboard all operators, switching companies, and regulators
to achieve complete standardization. Isolated solutions will
eventually limit adoption and functionality. A collaborative
approach across governments and ecosystem players would
benefit the community at large. To achieve that, various fac-
tors must be taken into account to incorporate the require-
ments of such players as card schemes, mobile-money
players, and others while arriving at the common specifica-
tion. The following aspects will have to be considered:
20 | The Use of Quick-Response Codes in Payments
• All underlying payment instruments, such as cards,
mobile money, and e-wallets, need to be included. For
example, since the data requirements for card and mobile
payments differ, achieving interoperability between
specifications will be a challenge because of redundant
data fields and different ID numbers, which increase the
overhead. Hence, minimum common data requirements
may be needed, as well as flexibility to incorporate any
additional requirements over and above these common
specifications.
• A simplification of the format and data interaction
between the merchant and customer, and the right bal-
ance of data to be handled at the interface and back end,
would need to be arrived at considering requirements of
all ecosystem participants.
• Consensus would be required on security aspects and
their incorporation.
• Different messaging standards follow different meth-
odologies for defining merchant codes, acquirer codes,
and so on. Scheme owners further define the acquirer
ID and issuer ID. However, common identification codes
and formats would be needed to achieve complete stan-
dardization.
• The different types and uses cases would also need to
be taken into account to arrive at the common specifi-
cations.
Regulatory aspects and the markets’ commercial/business
requirements would also have to be considered. For emerg-
ing markets that would like to enable digital payments and
quickly improve financial inclusion across the market, MPM
static QR code payment will be a reasonable starting point,
but a signed QR code is recommended to address security
risks. For larger merchants with better integration capability
to generate dynamic codes or with the equipment to scan
CPM codes, MPM dynamic code and CPM dynamic code
specifications will be more suitable.
For each business scenario, there are different aspects
to focus on, including the QR code format standard, usage
rules, presentation standards, and relevant security stan-
dards. A CPM QR code payment would require certain
equipment standards. And to minimize merchant imple-
mentation costs, Alipay adopts the 1D barcode format for
CPM code, so that merchants can reuse existing barcode
scanners and start accepting mobile payments easily. In
addition, since URL-based QR code is being used for many
other payment-related scenarios, such as red packet code
(scanning code to obtain promotional benefits before pay-
ments) and O2O code (scanning code to access offline ser-
vices and make payments online), different formats might
be considered under different business scenarios.
From both a regulatory and customer-service point of
view, a security standard is also especially important for QR
code payments.
10 CROSS-BORDER PAYMENTS VIA QR CODES
Cross-border payment interoperability has increasingly been
making headway. Such payments require additional consid-
erations in terms of supporting payment systems to enable
cross-border connectivity, the methodology for identifying
common-code issuers, and so forth across the markets. The
following are examples of cross-border initiatives that are
underway:
• Thailand is aiming at cross-border QR payments with Sin-
gapore and Cambodia.40
• Malaysia’s OCBC Bank has introduced OCBC OneCollect,
Malaysia’s first merchant cross-border QR code-collection
service, which enables those who use the mobile app of
banks participating in Singapore’s PayNow ecosystem to
make QR payments to OCBC merchants in Malaysia from
their Singaporean bank accounts.41
• A pilot demo of BHIM UPI QR-based payments was held
in Singapore in November 2019. The project is being
developed jointly by the National Payments Corporation
of India and NETS. This QR code-based system would
allow anyone with a BHIM app to scan the Singapore
Quick Response Code at NETS terminals for payments in
Singapore.42 Since the pilot, the system has gone live in
both Singapore and Bhutan.
• Eleven mobile-payment providers have come together
through an association, the European Mobile Payment
Systems Association, to unify the payment landscape
across Europe by establishing and implementing a
cross-platform framework that connects all association
members and allows for payment processing for custom-
ers. The initiative aims to allow users of the participating
digital wallets to make QR code-based payments with
their home apps to local merchants in all participating
countries.43 The European Mobile Payment Systems Asso-
ciation covers Belgium (Bancontact Payconiq), Germany
and Austria (Bluecode), Denmark and Finland (Mobile-
Pay), Portugal (SIBS/MB WAY), Slovenia (Bankart), Sweden
(Swish), Switzerland (TWINT), Norway (VIPPS), Italy (BAN-
COMAT and Plick), and Poland (BLIK).44 Alipay has part-
nered with mobile-wallet players Bluecode, ePassi, momo
pocket, Pagaqui, Pivo, and Vipps in Europe to adopt a
unified QR code that will enable payment interoperability
for travelers in Europe and China.45 The detailed process
describing how the unified QR code is being created and
how the different underlying national schemes are iden-
tified in the QR code format has been presented in the
appendix.
| 21
11 CONCLUSION
After the successful application in China, more and more PSPs
and FPS around the world have launched their code-scan-
ning payment solutions. This further promotes the use of
code-scanning payments in different markets. FPS are typi-
cally the leading initiative to promote payment innovations
such as code-scanning payments, giving more traction to QR
code usage. To encourage the adoption of QR codes, banks
can offer value-added services, and all relevant stakeholders
can carry out media campaigns to improve awareness. Addi-
tionally, regulatory pushes can also drive adoption. While
FPS offer QR code payments, the proliferation of QR codes
poses challenges in terms of interoperability because each
market player has its own specifications and customizations.
A unified standard will help lower the implementation cost
and improve each project’s future reusability and interoper-
22 |
ability. Many countries have adopted EMVCo’s QR standards,
while others have chosen to develop standards best suited
to the needs of their own country. Countries have recog-
nized the need to expand their offerings to other countries
to facilitate the acceptance of QR code payments in markets
abroad. On the one hand, interoperability between different
providers in the same country is required, while interoper-
ability to promote seamless cross-border transactions and
make payments globally is also necessary. Thus, a focused
approach is required, not only before launching QR codes as
a channel in FPS but also before selecting specifications that
ensure interoperability with existing modes and meet mar-
ket-specific requirements. At a larger level across the world,
while the need for standardization has been established, it
remains a goal that global players continue to work toward.
12 ACKNOWLEDGMENTS

Organization Contributor
Ant Group Meng Yan
Xi Sun
Mabel Lyu
Haiyan Lyu
Ji Zheng
Banco de México Miguel Diaz
Angel Salazhar
Deloitte India Deloitte India
EMVCo Bastien Latge
Simon Kleine
GSMA Bart-Jan Pors
World Bank Harish Natarajan
Nilima Ramteke
Holti Banka

| 23
13 APPENDIX

1. ACCOMMODATION OF ALIPAY QR CODE WITHIN EMV QR CODE

a. Consumer-Presented Mode
To make a CPM payment, the merchant scans a code presented by a consumer with a scanner and initiates
a payment request from the merchant side. Both EMVCo and Alipay have corresponding code standards.
While EMVCo supports only 2D QR code, Alipay supports both 1D barcodes and 2D QR codes.

TABLE 2 Payload Format for an EMVCo Code46

TAG VALUE LENGTH FORMAT PRESENCE

‘85’ Payload Format Indicator 5 an M

‘61’ Application Template var. b O

‘xxxx’ Additional BER-TLV coded data objects var. b O
‘63’ Application Specific Transparent Template var. b O
‘xxxx’ Additional BER-TLV coded data objects var. b O
‘61’ Application Template var. b O
‘xxxx’ Additional BER-TLV coded data objects var. b O
‘63’ Application Specific Transparent Template var. b O
‘xxxx’ Additional BER-TLV coded data objects var. b O
‘62’ Common Data Template var. b O
‘xxxx’ Additional BER-TLV coded data objects var. b O
‘64’ Common Data Transparent Template var. b O
‘xxxx’ Additional BER-TLV coded data objects var. b O
‘xx’ Other template var. b O
‘yy’ Another template or primitive data object var. b O

The Payload Format Indicator (tag ‘85’) defines the QR Code format version and is the first data project of the payload. In this version of the
specification, the Payload Format Indicator has the value of “CPV01”.

24 |
 The Use of Quick-Response Codes in Payments | 25

As shown in table 2, the EMVCo CPM QR code standard
caters to bankcard-based transactions and contains data
elements of the EMVCo integrated-circuit card standard.
The Alipay CPM QR/barcode standard includes both 1D
and 2D barcodes, and the code information is minimal to
ensure recognition and processing efficiency. Since most of
the EMV card data elements used in the EMVCo QR code
standard are not necessary for digital wallets, Alipay doesn’t
implement a compatibility solution in practice.
b. Merchant-Presented Mode
Under MPM, a consumer scans a merchant’s QR code with a
digital wallet application in a mobile phone to initiate pay-
ment to the merchant. Both EMVCo and Alipay have MPM
QR code standards, and the design rationale behind each
is similar. An MPM QR code contains information that the
consumer’s digital wallet can recognize to process payment
transactions accordingly—normally, the merchant informa-
tion or an order information. When the digital wallet appli-
cation scans the code, it should be able to obtain useful data
elements from the QR code payload information. Therefore,
when a merchant generates its own QR code, it can put Ali-
pay QR code payload information into an EMVCo QR code,
and vice versa. For example, putting Alipay QR code payload
information into EMVCo MPM QR code fields 26 to 51 is
shown in table 3.47

TABLE 3 Data Object ID Allocation in Merchant Account Information Template (IDs 26 to 51)

ID MEANING FORMAT LENGTH PRESENCE COMMENT

“00” Globally Unique Identifier ans var. up to “32” M An identifier that sets the context of the data that fol-
lows. The value is one of the following:
• an Application Identifier (AID);
• a [UUID] without the hyphen (-) separators;
• a reverse domain name
“00”–“99” Payment network specific S O Association of data objects to IDs and type of data object is
specific to the Globally Unique Identifier

TABLE 4 EMVCo QR Code Payload Incorporated into Alipay QR Code

DATA OBJECT ID LENGTH FORMAT MEANING PRESENCE

AMAD Var. Additional Merchant Account Data
01–99 Var., up to 99 S Other representation of the merchange account information At least one subdata
which can be used by the partner of code issuers object shall be
The value of each subdata object complies with the tem- present if this data
plate defined in Table 2.1.7. object exists

The data object AMAD indicates other identification information of the merchant which can e used by the partners of code issuers to identify the merchant
directly. The value of each subdata object represents a partner repressentation of the merchant, and the format of each representation is defined by the code
issuer or the partner for private use.

| 25
26 | The Use of Quick-Response Codes in Payments
2. CREATION OF UNIFIED QR CODES BY ALIPAY
Each party issues its own codes in accordance with the
unified code-scanning payment standards. The design of
the code format as a part of the code standards can reflect
information such as the issuer and applicable scenarios of
the code. The codes issued by each wallet can be scanned
and recognized by each other.
National schemes can also adopt the same standards
to issue codes. Through code-issuer IDs, decoding par-
FIGURE 7 Code-Issuing Process
4 11
CDS platform
3 5
6 1
7 14
Acquirer 1 Acquirer 1 Merchant
database 2 9
Merchant onboarding
process for Acquirer 1
Merchant onboarding process for acquirer 1
1. A merchant accepts a payment and provides its merchant infor-
mation to acquirer 1 for verification.
2. Acquirer 1 verifies the data and confirms whether the merchant
meets the eligibility requirements.
3. Acquirer 1 registers the merchant on a CDS platform.
4. The CDS platform assigns a merchant index number to the mer-
chant and binds the acquiring information of acquirer 1 with this
merchant index number.
5. The CDS platform returns the merchant CDS index number to
acquirer 1.
6. Acquirer 1 assigns its own merchant identifier in its system to
the merchant and binds the merchant information and merchant
CDS index number with the merchant identifier.
7. Acquirer 1 puts the CDS platform identifier and the merchant
CDS index number into CDS data in a general payload where
some of the code-issuer reference data may also be included.
Then acquirer 1 generates a store code and sends the store code
to the merchant.
The store code can now be used by consumers using e-wallet apps
to scan and pay.
ties can recognize which national scheme has issued the
codes. Specifically, national schemes can indicate the code
directory service (CDS) and code issuer in the code value
as per the standard format of MPM code. When an acquirer
issues the code to the merchant, the acquirer can also reg-
ister the merchant on a CDS platform. After users scan the
QR code with their wallets, the wallets can access CDS to
obtain the merchant information and guide the users to
complete the payment.
12 10
8 13
Acquirer 2 Acquirer 2
database
Merchant onboarding
process for Acquirer 2
Same merchant onboarding process for acquirer 2
1. The merchant accepts a payment and provides its merchant infor-
mation to acquirer 2 for verification. Acquirer 2 identifies that the
merchant has been registered on the CDS platform, and it can
scan the store code to get the merchant CDS index number.
2. Acquirer 2 verifies the data and confirms whether the merchant
meets the eligibility requirements.
3. Acquirer 2 uses the merchant CDS index number to request the
binding of its acquiring information with the merchant on the
CDS platform.
4. The CDS platform binds the acquiring information of acquirer 2
for the merchant with the merchant CDS index number.
5. The CDS platform returns the binding result to acquirer 2.
6. Acquirer 2 assigns its own merchant identifier in its system to
the merchant and binds the merchant information and merchant
CDS index number with the merchant identifier.
7. Acquirer 2 notifies the merchant that e-wallet apps that act as
acquirer 2 partners can consume the same store code.
The same process applies for other acquirers who bind their acquir-
ing information of the merchant on the CDS platform. The same
store code is shared among acquirers on the CDS platform for con-
sumers to scan and pay.
 The Use of Quick-Response Codes in Payments | 27

FIGURE 8 Payment Process Flow

Optional Optional
CDS platform

5 13

1 9

Consumer Issuing participant 1 Merchant Issuing participant 2 Consumer

2 4 6 8 16 14 12 10

3 8 16 11

Code-scanning payment process Code-scanning payment process

for PSP1 digital wallet for PSP2 digital wallet

1. A consumer opens an e-wallet app 1 and scans a store code pre-
sented by a merchant.
2. The digital wallet app parses the code and sends the code data
to its back-end server for processing.
3. The digital wallet server 1 processes the code data and extracts
reference data from the code. If reference data does not exist,
the server extracts the CDS data, and maps the data (the CDS
platform identifier and the merchant CDS index number) with
merchant information in the system.
4. The digital wallet server 1 finds the merchant information is
bound with the merchant CDS index number in its system and
returns the merchant information to the app.
5. The app renders the merchant information page and displays the
page to the consumer for confirmation.
6. The consumer confirms the merchant information, enters the
transaction value, and initiates a payment request.
7. The digital wallet server 1 processes the payment requests and
decides whether to authorize the payment.
8. The PSP server 1 sends the payment result to the consumer and
the merchant.
Note: In the processing between step 3 and 4, a digital wallet may
use the merchant index number to obtain all the acquiring informa-
tion of the merchant from the CDS platform and then choose the
acquiring information of an acquirer.
Similar steps apply for the process of e-wallet app provided by dig-
ital wallet 2.
28 | The Use of Quick-Response Codes in Payments

NOTES

1. According to the Committee on Payments and Market Infrastructures, a fast payment can be defined as a
payment in which the “transmission of the payment message and the availability of ‘final’ funds to the payee
occur in real time or near-real time on as near to a 24-hour and seven-day (24/7) basis as possible.”
2. QR Code is a registered trademark of Denso Wave.
3. Reserve Bank of India, Report of the Committee on the Analysis of QR (Quick Response) Code (RBI, July 2020),
https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1142.
4. http://www.mobile-qr-codes.org/history-of-qr-codes.html#:~:text=QR%20codes%20were%20first%20
created,the%20name%20Quick%20Response%20code
5. https://www.inspiry.com.cn/AboutUs
6. Reserve Bank of India, Report of the Committee on the Analysis of QR (Quick Response) Code (RBI, July 2020),
https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1142.
7. https://www.nfcw.com/2020/05/19/366591/paypal-rolls-out-qr-payments-to-28-countries-around-the-
world/#:~:text=The%2028%20countries%20where%20the%2cSpain%2c%20the%20UK%20and%20the
8. https://gadgets.ndtv.com/apps/news/whatsapp-how-to-send-transfer-money-scan-qr-code-
payments-1828715
9. This is not an exhaustive list.
10. Reserve Bank of India, Report of the Committee on the Analysis of QR (Quick Response) Code (RBI, July 2020),
https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1142.
11. https://www.codi.org.mx/paginas/guiaparticipacion.html
12. A separate note in the Fast Payments Toolkit focuses on customer authentication.
13. Reserve Bank of India, Report of the Committee on the Analysis of QR (Quick Response) Code (RBI, July 2020),
https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1142.
14. Reserve Bank of India, Report of the Committee on the Analysis of QR (Quick Response) Code (RBI, July 2020),
https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1142.
15. Reserve Bank of India, Report of the Committee on the Analysis of QR (Quick Response) Code (RBI, July 2020),
https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1142.
16. EMV® is a registered trademark in the United States and other countries and an unregistered trademark
elsewhere. The EMV trademark is owned by EMVCo, LLC.
17. WG19 is working toward delivery of a draft international standard in the summer 2022.
18. GMSA, QR Code Merchant Payments: A Growth Opportunity for Mobile Money Providers.
19. BHIM is an aggregator for all UPI-based services offered by banks; UPI is India’s FPS.
20. One-dimensional (1D) barcodes are linear barcodes. They consist of vertical lines of varying widths with
specific gaps resulting in a particular pattern. 1D barcodes usually encode a string of numerals, such as
product numbers, production dates, types, sizes, and so on. The QR code stores larger amounts of data,
enabling more flexible usage.
21. Source: Ant Group.
22. https://www.emvco.com/emv-technologies/qrcodes/
23. https://www.emvco.com/emv-technologies/qrcodes/ and https://www.emvco.com/terms-of-use/?u=/
wp-content/uploads/documents/EMVCo-Merchant-Presented-QR-Specification-v1.1.pdf
24. https://www.emvco.com/emv-technologies/qrcodes/
25. Base 64 encoding is a way of encoding arbitrary binary data in ASCII text. In base 64 encoding, each six bits of
the input is essentially encoded in a 64-character alphabet.
26. For more details, please see EMVCo, EMV® QR Code Specification for Payment Systems (EMV QRCPS):
Consumer-Presented Mode (EMVCo, November 2020), https://www.emvco.com/terms-of-use/?u=/
wp-content/uploads/documents/EMVCo-Consumer-Presented-QR-Specification-v1.1.pdf.
27. Reserve Bank of India, Report of the Committee on the Analysis of QR (Quick Response) Code (RBI, July 2020),
https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1142.
28. https://www.nrb.org.np/contents/uploads/2021/03/NepalQR-Standardization-Framework-and-Guidelines.pdf
29. Primary interview with a fintech player.
30. https://www.cnbc.com/2019/11/19/tencents-wechat-china-may-soon-use-facial-recognition-for-payments.
html
31. Source: Ant Group.

28 |
 The Use of Quick-Response Codes in Payments | 29

32. https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2020/08/QR-Code-Merchant-Payments-
A-growth-opportunity-for-mobile-money-providers.pdf
33. https://www.npci.org.in/qr-codes-%E2%80%93-new-age-tech-shaping-india%E2%80%99s-digital-
payments-landscape
34. https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11987&Mode=0
35. https://www.imda.gov.sg/-/media/Imda/Files/About/Media-Releases/2018/Annex-A--Singapore-Quick-
Response-Code-SGQR.pdf?la=en
36. As mentioned subsequently, any PSPs (including those that are not participating in FPS), merchant acquirers,
or merchants may adopt the standard.
37. https://newsroom.mastercard.com/asia-pacific/press-releases/mastercard-unionpay-international-and-visa-
make-e-payments-in-thailand-easier-with-the-introduction-of-standardized-qr-code/
38. https://www.bot.or.th/Thai/AboutBOT/Activities/event/Documents/ADBI_bancha.pdf
39. https://kr-asia.com/tencent-and-state-owned-unionpay-to-merge-qr-code-systems-for-mobile-payments-in-
china
40. https://www.bangkokpost.com/business/1854194/thai-banks-spread-qr-code-in-asean
41. https://ringgitplus.com/en/blog/bank-news/ocbc-bank-introduces-ocbc-onecollect-malaysias-first-cross-
border-qr-code-payment-service.html
42. https://economictimes.indiatimes.com/small-biz/sme-sector/bhim-upi-goes-international-qr-code-based-
payments-demonstrated-at-singapore-fintech-festival/articleshow/72035005.cms
43. https://fintechnews.ch/mobilepayments/european-mobile-payment-system-association-empsa/30582/
44. https://empsa.org/#story
45. https://www.pymnts.com/news/mobile-payments/2019/europe-mobile-wallet-alipay-qr-code/
46. https://www.emvco.com/emv-technologies/qrcodes/
47. https://www.emvco.com/emv-technologies/qrcodes/