HSBC this week announced QR code payments are being rolled out to customers in the Middle East. It is the latest financial institution to embrace the contactless payment method, which is already popular in China and could be ready to emerge as an option in Western markets. The technology is easy to use but brings with it increased security risks, experts told Tech Monitor.
QR codes can now be used by customers of HSBC Qatar to make instant money transfers as part of a range of new mobile payments services launched this week. “Our digital strategy is all about improving customer experiences to suit our customers’ increasingly digital lives,” said Abdul Hakeem Mostafawi, CEO of HSBC Qatar. Already popular in the Far East, the move reflects growing interest in new, contactless forms of payment across the rest of the world, accelerated by the effects of the Covid-19 pandemic.
How do you use QR codes to make payments?
Short for ‘quick response code’, QR codes are bar codes that can be read by a smartphone camera, and are commonly used for the likes of e-tickets and Covid-19 passports. They are commonly used by consumers, with 83% of those polled by mobile security company MobileIron reporting they had scanned a QR code at least once, with 72% having scanned one in the month preceding the survey.
QR codes can be used for payments – usually the payee simply sets an amount in their payment app and scans the recipient’s QR code to automatically transfer funds. Currently, this method is not common in Western countries but is popular in China, where it is estimated more than $1.65trn of transactions have been carried out using QR codes over the past five years.
The trend could be ready to spread. “With the pandemic, we saw an increased number of locations, such as pubs, start using QR codes very effectively,” says Emmanuel Ide, head of engineering at fintech company Glint Pay. “And with the growing popularity of cryptocurrencies, and the benefit QR codes can provide in making crypto wallets easily accessible, I can definitely see a growing adoption of QR codes globally in future.”
Indeed, the size of the Chinese market means QR code payments will become the most-used digital commerce mechanism by volume throughout the next five years, according to figures from juniper Research. It estimates that QR code payments will account for 27% of all digital commerce transactions in 2024, with QR payments outside China set to rise in popularity.
Who is making QR code payments?
Banks like HSBC, as well as fintech companies, are increasingly turning to QR codes as an alternative payment method. PayPal introduced the ability to use QR codes last year, and chief executive Dan Schulman says that 1.3 million merchants are now processing the codes. "Every 20 seconds, a new merchant signs up to accept our QR codes," Schulman said last month.
Whether QR code payments take off in Western economies will depend on whether young people begin to use them in great numbers, argues Jake Moore, cybersecurity specialist at security company ESET. "If the younger generations find it super-easy and super-convenient then it really could take off," he says. "If the likes of PayPal are offering it with extreme ease and convenience then it will continue."
The security risks of QR code payments
But the simplicity of QR codes comes at a price, and they could become a target for hackers looking to re-route payments, Moore says. "We've all been taught for years about emails with links in them," he explains. "But there are simple ways of checking their destination, purely by looking at the URL that you're about to click on. With a QR code made up of lines and squares, it makes it very difficult to really know where you're going. Hackers may be drawn to that."
End users also appear to lack knowledge about what can be done using a QR code, which could make payments vulnerable to hackers. A study conducted earlier this year by IT infrastructure company Ivanti found that 96% of UK respondents have scanned a QR code on their mobile device, in restaurants and retail stores, despite almost half not knowing if they had mobile security software. Fifty-five per cent of those polled didn’t know that scanning a QR code can download an app, 86% were unaware they can be used to start a phone call and 82% didn’t know that scanning a QR code can initiate a text message. "A malicious QR code can easily be pasted over the one provided by a restaurant or bar to trick the user into paying for the bad actor's next holiday instead of a round of drinks," Ivanti vice president EMEA west Nigel Seddon explained.
Join Our Newsletter
Want more on technology leadership?
Sign up for Tech Monitor's weekly newsletter, Changelog, for the latest insight and analysis delivered straight to your inbox.