ASC X9 Launches Effort To Develop New Standard That Will Enhance QR Code Security Via Cryptography
ANNAPOLIS, Md. – June 8, 2022
The Accredited Standards Committee X9 Inc. (X9) today announced an initiative to develop a new standard, “X9.148 — QR Code Protection Using Cryptographic Solutions,” and the organization is seeking participants for the effort.
QR codes (quick response codes) are a type of matrix bar code, created according to the ISO/IEC 18004 standard, that offers fast readability and greater storage capacity, compared to standard Universal Product Code (UPC) bar codes. QR codes’ use has increased since the start of the COVID-19 pandemic, because they can provide “touchless” systems to display information, show menus, or provide consumer information.
QR codes have been in use since the 1990s for product tracking, item identification, time tracking, document management, general marketing and even payments. More consumer-friendly than the older, one-dimensional barcodes that were designed to be mechanically scanned by a narrow beam of light, a QR code is detected by a two-dimensional digital image sensor – often the camera of a mobile phone — and then digitally analyzed by a programmed processor.
However, QR codes do not provide data protection using cryptographic solutions, and thus can be vulnerable to hijacking and other forms of fraud. While a QR code might be protected as a data element within a message, the QR code does not protect itself from modification, duplication or masquerading. A trusted QR code using cryptographic solutions would be protected against such actions by unauthorized operators. Smartphones can dynamically generate or verify cryptographically protected QR codes, but the industry needs a financial standard for payment security and interoperability.
The X9 initiative seeks to develop a new standard for QR code management and security, including the associated cryptographic key management, for use within the financial services industry. The recent increase in use, particularly for payments, heightens the urgency of this effort to enhance QR code protection.
“Untrusted QR codes are vulnerable to redirection and other fraud by bad actors,” said Jeff Stapleton, chair of the X9F4 Cybersecurity and Cryptographic Solutions working group. “Trusted QR codes, which our standard will enable, will be a deterrent for identity theft and transaction fraud, especially for mobile payments. As applications employing QR codes continue to proliferate, I encourage all stakeholders to join us in developing a new approach to QR code security.”
Potential participants in the new effort include representatives of merchants, financial institutions, regulatory organizations, service providers, hardware and software manufacturers, and financial auditors and assessors. Those interested in this work may write to firstname.lastname@example.org for information about becoming involved or request to participate.
About the Accredited Standards Committee X9 Inc.
The Accredited Standards Committee X9 Inc. is a non-profit organization accredited by the American National Standards Institute (ANSI) to develop and maintain national and – through ISO — international standards for the financial services industry. The subjects of X9’s standards include: retail, mobile and business payments; corporate treasury functions; block chain technology; processing of electronic legal orders issued to financial institutions; tracking of financial transactions and instruments; financial transaction messaging (ISO 8583 and 20022); quantum computing; PKI; checks; cloud; data breach notification and more.
X9 acts as the U.S. Technical Advisory Group (TAG) for ISO TC68 (Financial), TC321 (E-Commerce) and TC322 (Sustainable Finance) and performs the secretariat functions for ISO TC68. Please visit our website (www.x9.org) for more information.