Standardising European QR-code payments

08 September 22

The views expressed in this article are solely those of the authors and should not be attributed to the European Payments Council.

In June this year, the European Payments Council (EPC) published the final version of the document "Standardisation of Quick-Response (QR) codes for mobile initiated SEPA (instant) credit transfers (MSCTs)". We wanted to find out more by interviewing the two co-chairs of the multi-stakeholder group on mobile-initiated SEPA (Instant) credit transfers (MSG MSCT), namely Dag-Inge Flatraaker, Senior Vice President at DNB Bank, and Pascal Spittler, P2P Process Development Leader at IKEA INGKA Group.

How would you describe the European situation regarding the use of QR-codes for payments?

The European payments market is characterised by multiple local solutions for mobile account-based payments that rely on QR-codes. Most of these solutions are domestic and stop at national borders, creating a fragmented European mobile payments landscape. 

This prompted the MSG MSCT to produce a document on the standardisation of QR-codes for MSCTs to facilitate pan-European interoperability and foster the harmonisation of these types of payments, covering both payee- and payer-presented QR-codes.

In retail contexts, the usage of the standardised payee-presented QR-codes for MSCTs will enable a consumer to pay in a cross-border context by using their own domestic mobile payment solution while scanning the QR-code from the merchant’s payment terminal.

Likewise, the usage of the standardised payer-presented QR-codes for MSCTs will enable a merchant to scan this QR-code while the foreign consumer authenticates the transaction through their own ‘local’ mobile payment solution.

These standardised QR-codes would be the most effective way to achieve interoperability of mobile account-based payments across SEPA. This would support the mobile lifestyle of consumers while enabling transaction authentication directly on their mobile devices via the mobile payments solution with which they are familiar. It would offer merchants opportunities to enlarge their customer base and to provide value-added services (e.g. couponing, loyalty, etc.), while also leading to a reduction in the investment costs needed to accept mobile payments from all over Europe. At the same time, the availability of standardised QR-codes should also enhance the uptake of this proximity technology for mobile payments. 

Could you describe the key steps towards the development of this document?

First, the MSG MSCT leveraged the document on Standardisation and governance of QR-codes for IPs at the POI (EPC212-21), which was developed in 2021 to address the request made by the Euro Retail Payments Board (ERPB) to the EPC in their Statement of June 2021 (ERPB/2021/012). For the new document published in June 2022, the scope of the previous document was extended to all types of payment contexts, person-to-person, person-to-business, business-to-person and business-to-business while covering both ‘classic’ SEPA credit transfers. In addition, the 2022 document contains a chapter devoted to the security aspects of the data in the QR-codes.

This new document also takes into account the answers received from the European Banking Authority (EBA) on the EBA Q&A 2020_5476 and 2020_5477. By developing this QR-code standard for MSCTs, the MSG MSCT also addresses Recommendation A (to develop a generic QR code standard for all MSCT payment contexts that is widely adopted by the market) from the ERPB Statement published in November 2021 (ERPB/2021/028).

As it was very important to gather industry opinion and market feedback regarding this QR-code standard for MSCTs, an eight-week public consultation was launched earlier this year, closing on 14 April 2022. The MSG MSCT has processed the comments received through this public consultation and prepared the final version of this document for publication. 

Could you tell us more about the security aspects of the QR-codes?

A QR-code may contain both sensitive and non-sensitive payment data that can be used by different entities involved in the processing of the MSCT transaction. 

Tampering with QR-code data may lead to fraudulent transactions or data leakage, so the sensitive payment data in the QR-code should be adequately protected while the integrity of the data elements in the QR-code should also be secure to avoid any service disruptions. For example, if the payer identification data is not adequately protected in the payer-presented QR-code, this could result in impersonation attacks, or the manipulation of the IBAN in a payee-presented QR-code might lead to a funds transfer to the wrong payee (e.g. an attacker). More detailed information regarding security can be found in chapter 5, Security aspects of QR-codes and their data (see “related documents”). 

What’s next for QR-code standardisation in payments and beyond QR-codes?

The next step is to develop a generic version of the document on the Standardisation of QR-codes for (instant) credit transfers for submission through a ‘fast-track procedure’ to the International Standardisation Organization (ISO), specifically the ISO Technical Committee TC 68 on Financial services. 

The MSG MSCT also started to further analyse the interoperability of MSCTs based on other proximity technologies to exchange transaction-related data between the payer and the payee to enable the initiation of an MSCT and to identify possible standardisation opportunities. The goal is to first address Near Field Communication (NFC), both in a uni- and bi-directional way between the payer’s mobile device and the payee’s payment infrastructure (e.g. POI, mobile device), and then Bluetooth Low Energy (BLE).
