X9 Publishes Standard for QR Code Protection Using Cryptography

The Accredited Standards Committee X9 Inc. (X9) today announced that it has released a standard for QR Code Protection Using Cryptographic Solutions, X9.148. The new standard guides the financial services industry in deploying cryptography to create trusted, secure QR codes, including definitions and descriptions for the secure usage of QR codes in financial applications. It is now available from ANSI for download.

QR (Quick Response) codes have become popular for their fast readability and greater storage capacity compared to standard Universal Product Code (UPC) barcodes. The various applications for QR codes increasingly include payments, where security is particularly important. (In fact, X9.148 complements X9’s ongoing work to develop a standard for using QR codes for payments.) While the QR code might be protected as a data element within a message, the QR code does not protect itself from malfeasance. Adoption of X9.148 corrects this problem.

Untrusted, unsecured QR codes are vulnerable to modification, duplication and masquerading, while a trusted QR code secured using cryptographic solutions will be protected against actions by unauthorized entities. Those potentially benefiting from the new standard include merchants, financial institutions, regulatory organizations, service providers, hardware and software manufacturers, auditors and assessors, as well as users of their products and services.

The standard sets up the scope and context of security analysis by first giving an overview of QR code-scanning payment. The basic framework is defined, and the major roles are described. Some basic steps are mandatory for such payment services, and there are many variations in practice because flexibility is one of the major benefits of QR code-scanning payments. Security must still be paramount, however.

“The use of cryptography supports the persistent protection of any QR code content,” said Jeff Stapleton, chair of the X9 working group that developed the standard. “This leads to new opportunities for payors and payees. Protecting the QR code makes transmission a matter of convenience and storage a matter of choice. Use of X9.148 to create secure, trusted QR codes with cryptography will result in additional safe, flexible payment choices for consumers and businesses.”

About the Accredited Standards Committee X9 Inc.

The Accredited Standards Committee X9 Inc. is a non-profit organization accredited by the American National Standards Institute (ANSI) to develop and maintain national and – through ISO — international standards for the financial services industry. The subjects of X9’s standards include: retail, mobile and business payments; corporate treasury functions; block chain technology; processing of electronic legal orders issued to financial institutions; tracking of financial transactions and instruments; financial transaction messaging (ISO 8583 and 20022); quantum computing; AI, PKI; checks; cloud; data breach notification and more.

X9 acts as the U.S. Technical Advisory Group (TAG) for ISO TC68 (Financial) and TC321 (E-Commerce) and performs the secretariat functions for ISO TC68. Please visit our website (www.x9.org) for more information.