This guide covers QR code payments from every angle: how they work technically, what they cost, how to set them up as a business, and how to use them safely as a consumer. If you run a business, jump to the merchant sections. If you just want to understand the technology, the first three sections give you everything you need.
What are QR code payments?
A QR code payment — also called scan-to-pay — lets anyone pay by pointing their smartphone camera at a square barcode, which instantly connects the physical world to a digital payment process. The customer opens their banking app or mobile wallet (such as Apple Pay, Google Pay, or Samsung Pay), scans the code, confirms the amount, and the payment is authorised within seconds using the authentication built into their phone.
The QR code itself — short for Quick Response code — was invented in Japan by Masahiro Hara in 1994. Its square shape mirrors the grid of the board game Go, and its design allows data to be read at any angle, making it far more versatile than a traditional barcode. The technology became a mainstream payment tool when Apple enabled native QR scanning in the iPhone camera in 2017, and it exploded during the pandemic as businesses and consumers sought contact-free alternatives to cash and card terminals.
Today, QR payments are used in almost every context imaginable: small coffee shops and market stalls, invoice payments, charitable donations, peer-to-peer money transfers, and subscription sign-ups. In East Asia, QR payments power some of the world’s largest digital economies — China’s WeChat Pay and Alipay process trillions of yuan in transactions annually via QR codes, and similar superapps have taken hold across South Korea (Kakao Pay), Japan (LINE Pay), and Southeast Asia (GrabPay).
In the UK, QR payments have grown steadily, particularly in hospitality and table-ordering settings, and are gaining momentum through Open Banking-powered account-to-account (A2A) payment rails, which offer faster settlement and lower fees than traditional card networks.
- What are QR code payments?
- How does a QR code payment work?
- Merchant-presented QR (most common for businesses)
- Are QR code payments safe?
- What are the benefits and drawbacks of QR code payments?
- How much do QR code payments cost? Provider comparison
- Are QR codes safe?
- QR code payments vs NFC: which should you choose?
- Security and compliance essentials for UK businesses
- How to give customers a smooth QR payment experience
- FAQs
- Your Next Step to Getting Started
How does a QR code payment work?
There are two common payment flows, depending on whether the merchant or the customer presents the QR code.
Merchant-presented QR (most common for businesses)
The merchant displays a QR code — either printed on a sign, shown on a till screen, or printed on a receipt. The customer scans it with their phone camera or payment app. Depending on the setup, the customer is either taken to a hosted payment page to choose their method, or the amount is pre-filled and they simply confirm payment through their mobile wallet or banking app. The merchant’s payment provider then authorises and settles the transaction.
Customer-presented QR
The customer opens their banking or payment app and displays their own QR code on their phone screen. The merchant scans this code using a reader or camera-enabled device. The code contains the customer’s account or wallet details, and the merchant’s system initiates the payment request. This model is common with loyalty apps and corporate expense management tools.
Static vs dynamic QR codes
Static QR codes are printed once and reused. They contain fixed details such as your merchant ID or a payment link. The customer must enter the amount themselves, which makes them better suited to fixed-price items, donations, or peer-to-peer transfers. They are cheap and simple to produce, but require customers to input amounts manually — introducing a risk of error and making reconciliation harder.
Dynamic QR codes are generated fresh for each transaction. They contain the exact amount and order details, are typically displayed on a POS screen or receipt, and expire once used. This makes checkout faster, reduces errors, and gives you a complete transaction record for reconciliation.
Open-loop vs closed-loop systems
Open-loop systems work with multiple payment apps and banks, giving customers maximum choice. Closed-loop systems are tied to a single provider or app (like a superapp or retailer’s own wallet), which can limit who can pay but may offer lower fees and loyalty integration.
The underlying payment rail matters
When a QR code payment settles via Open Banking’s Faster Payments network (account-to-account), funds typically arrive in your business bank account within minutes. Card-based QR payments — where the QR code simply triggers a card transaction — usually settle in 1–3 business days under standard acquirer terms. Understanding which rail your provider uses affects your cash flow, your fees, and your fraud liability.
Are QR code payments safe?
QR payments carry strong inherent security when implemented correctly. They benefit from the full security stack of the customer’s smartphone, which is considerably more robust than a plastic payment card.
Security features that protect QR payments
- Two-factor authentication (2FA): Most mobile wallets and banking apps require the customer to approve every payment using at least two verification factors — typically their device PIN plus biometrics (face scan or fingerprint). This means a stolen phone cannot be used for payments without the owner’s biometric.
- Tokenisation: Apple Pay, Google Pay, and most modern mobile wallets store your card or account details as a digital token rather than transmitting your actual card number. The token is meaningless outside its specific transaction cycle, so intercepting a QR payment does not expose your account details.
- Encryption: All payment data transmitted through QR-based flows is encrypted end-to-end, whether the underlying rail is a card network or Open Banking’s Faster Payments system.
- Strong Customer Authentication (SCA): Under the Payment Services Regulations 2017, most electronic payments in the UK require SCA — a two-factor verification combining something you know (passcode), have (device), or are (biometrics). QR payments via compliant providers satisfy this requirement by design.
The risk you do need to know about: quishing
The primary real-world risk with QR payments is a fraud technique called ‘quishing’ — where criminals replace a legitimate QR code with a fraudulent one (often via a printed sticker overlay) that redirects customers to a fake payment page designed to steal their details or redirect funds.
To protect against quishing:
- Regularly inspect any printed QR codes for sticker overlays or signs of tampering.
- Use professionally produced codes with clear branding, so customers can recognise a legitimate payment route.
- Train staff to spot unusual activity and escalate concerns immediately.
- Encourage customers to check that the payment page domain matches your legitimate provider before confirming any transaction.
Liability and reimbursement: what the rules say
Your fraud liability depends on which payment type the QR code triggers:
- Card-based QR payments: Customers may have statutory protection under Section 75 of the Consumer Credit Act 1974 (for credit card transactions between £100 and £30,000) and card scheme chargeback rights. Contact your card acquirer for details.
- Account-to-account (Open Banking) QR payments: Since October 2024, the Payment Systems Regulator’s (PSR) APP (Authorised Push Payment) fraud reimbursement framework applies to Faster Payments transactions. Eligible victims of APP fraud are entitled to reimbursement up to £85,000 from their payment service provider under the scheme rules, subject to eligibility criteria. This represents a significant improvement in consumer protection compared to the previous voluntary code.
What are the benefits and drawbacks of QR code payments?
Key benefits
- Lower transaction fees: Account-to-account QR payments via Open Banking can cost significantly less than card-based payments — often under 0.3% fixed versus 1.4–1.75% for card transactions. For high-volume or low-margin businesses, this difference is material.
- Faster settlement: A2A payments via Faster Payments typically arrive in minutes, improving cash flow compared to standard card settlement cycles of 1–3 business days.
- Minimal hardware costs: A static QR code requires nothing more than a printed sign. Even dynamic QR solutions only require a POS screen or tablet — no dedicated card terminal is necessary for non-card payment flows.
- Easy data capture: Because customers are already on their smartphones, QR payment flows can be designed to capture email addresses, offer digital receipts, or prompt marketing opt-ins at the point of sale.
- Contact-free and hygienic: No shared PIN pad or physical card reader — particularly valued in food service environments.
- Global precedent: The success of WeChat Pay and Alipay demonstrates that QR payments can operate at a massive scale, providing a technology blueprint that Western providers are now following.
Potential drawbacks
- Customer hesitation: Some customers — particularly older demographics — prefer tapping a card and may be wary of scanning unfamiliar codes. Always maintain an alternative payment method.
- Internet dependency: QR payments require live internet connectivity. If your Wi-Fi fails during a busy service, transactions cannot be authorised until connectivity is restored.
- Reconciliation risks with static codes: If customers enter amounts manually, errors are hard to catch in real time. Dynamic codes eliminate this problem.
- Integration complexity: Linking dynamic QR codes directly to your POS or accounting software requires technical setup and ongoing maintenance.
- Security vigilance: The quishing risk means QR codes require regular physical inspection — a discipline that card terminals do not demand.
How much do QR code payments cost? Provider comparison
Understanding the true cost of QR payments means looking beyond the headline transaction rate. Setup costs, hardware requirements, settlement terms, and integration fees all affect your total cost of acceptance. The table below compares leading UK providers. Always verify exact pricing directly with each provider, as commercial terms vary and are subject to change.
| Provider | Transaction Fee | Dynamic QR | Settlement Speed | UK Regulated | Free Plan | Learn More |
|---|---|---|---|---|---|---|
| Stripe | 1.4% + 30p (EU cards) | Yes | 2 business days | Yes (FCA) | Yes (free tier) | Visit Stripe |
| SumUp | 1.69% per transaction | Via app | 1–3 business days | Yes (FCA) | Yes | Visit SumUp |
| Square | 1.75% in-person | Yes | Next business day | Yes (FCA) | Yes | Visit Square |
| Epos Now | From 1.2% (negotiable) | Yes | Next business day | Yes | No | Visit Epos Now |
| Open Banking (e.g. Volt, Banked) | Typically < 0.3% fixed | Yes | Minutes (Faster Payments) | Yes (FCA authorised) | Varies by provider | Visit Volt |
A note on Open Banking providers: the fee structure differs fundamentally from card-based solutions. Rather than a percentage of transaction value, most Open Banking QR providers charge a fixed fee per transaction (often 2–20p depending on volume). This makes them exceptionally cost-effective for high-value transactions, where a 0.3p fixed fee versus 1.75% on a £500 transaction represents an £8.75 saving per transaction.
What to watch for in the contract
- Transaction fee structure — percentage vs fixed vs blended, and whether it varies by card type
- Settlement terms — how quickly funds reach your account, and whether there is a delay or rolling reserve
- Monthly service or platform fees — charged regardless of volume
- Minimum processing volumes — some providers impose monthly minimums
- Early termination clauses — check whether you can exit without penalty if the solution does not work for you
- PCI DSS compliance scope — confirm how much compliance responsibility stays with you vs the provider
How do I set up QR code payments for my business?
Setting up QR payments is straightforward if you follow a clear sequence. For most small businesses, the entire process — from selecting a provider to accepting your first live payment — can be completed within a week.
Step 1: Choose your implementation path
| Option | Best For | Complexity | Time to Launch | Recommended? |
|---|---|---|---|---|
| Plug-and-Play App | Sole traders, pop-ups, micro-businesses | Low — no coding | A few days | ✓ Start here |
| POS Add-On Module | Retail / hospitality with existing POS | Moderate — config required | Days to a few weeks | ✓ For established sites |
| Custom / API Build | Multi-site operators, tech-led businesses | High — dev resource needed | Weeks to months | Only if you have in-house IT |
For most small and medium businesses, the plug-and-play or POS add-on route offers the fastest and lowest-risk path. Before deciding, confirm whether your current payment provider already supports QR functionality — many major acquirers have added QR capabilities to existing merchant accounts in the past two years.
Step 2: Prepare your hardware and printing
- Static codes: Print on durable, weatherproof material for front-of-house use. Ensure sufficient resolution (minimum 300 DPI) so the code scans cleanly even when printed large. Display where customers naturally pause — at the till, on tables, on menus.
- Dynamic codes: Ensure your POS terminal or device screen can generate and display a unique code for each transaction. Test in your actual payment environment — check for glare from overhead lighting, which is a common cause of scan failures.
- Signage: Use clear, branded signage with a simple instruction (‘Scan here to pay’). Avoid displaying multiple QR codes in the same space, which creates confusion.
Step 3: Configure your payment gateway
- Register your business with your chosen provider and link your UK business bank account.
- Set your settlement preferences — how and when funds are paid out — subject to your provider’s terms.
- Integrate with your POS or accounting software if supported. This automates reconciliation and reduces manual bookkeeping.
- Confirm PCI DSS compliance status — if your QR codes trigger card payments, confirm your provider is PCI DSS certified and clarify your own compliance obligations.
Step 4: Train your staff
- Walk staff through the complete customer payment journey from scan to confirmation.
- Show them how to spot tampering — in particular, sticker overlays placed over genuine codes.
- Cover basic troubleshooting: checking Wi-Fi connectivity, guiding customers through app-based payments, and what to do if a scan fails repeatedly.
- Explain the refund process for your specific payment type before you go live.
Step 5: Test before launch
- Run test transactions across multiple devices — both iOS and Android — and across different payment apps.
- Verify that each test payment appears correctly in your system with the right amount and transaction reference.
- Test refunds if your provider supports them.
- Simulate a connectivity failure to understand how your POS handles it.
Step 6: Launch and monitor
- Go live during a quieter period to give staff time to adapt without pressure.
- Watch for customer confusion at checkout — adjust signage or verbal instructions as needed.
- Inspect physical QR codes regularly for wear or tampering. Replace immediately if anything looks wrong.
- Review reconciliation reports daily for the first two weeks to catch any mismatches early.
QR code payments vs NFC: which should you choose?
NFC (Near Field Communication) is the technology behind contactless card payments — the tap-to-pay most UK customers use dozens of times a week. Both QR and NFC are valid, secure, and widely supported. The right choice depends on your specific business context.
| Factor | QR Code Payments | NFC/ Contactless Card |
|---|---|---|
| Transaction fee | Often lower — A2A via Faster Payments can be under 0.3% fixed | Typically 1.4–1.75% + fixed charge under acquirer pricing |
| Hardware cost | Minimal — printed static code or POS screen display | Requires a certified NFC terminal (£40–£300+) |
| Speed at checkout | Dynamic QR: near-instant. Static QR: slower if customer enters amount | Fastest — tap-and-go in under 2 seconds |
| Customer familiarity (UK) | Growing, especially in hospitality and table-ordering contexts | Very high — contactless is the dominant UK payment method |
| Settlement speed | Faster Payments: typically minutes | Card settlement: 1–3 business days |
| Security model | Pop-ups, market stalls, table service, and invoice payments | Chip encryption, PIN above £100; card can be lost/stolen |
| Best use case | Pop-ups, market stalls, table service, invoice payments | Fast-moving retail, high foot traffic, older demographics |
Recommendation
Most businesses benefit from offering both. Use QR codes for table service, pop-ups, invoice payments, and situations where you want to avoid hardware; use NFC terminals for fast-moving retail where customer tap-and-go behaviour is ingrained. The marginal cost of supporting both is low if your POS already handles card payments.
Security and compliance essentials for UK businesses
Meeting security and compliance standards is not optional — it protects your customers, your business, and your legal standing.
PCI DSS compliance
The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that stores, processes, or transmits cardholder data — even when QR codes are used as the payment trigger for a card transaction. For most small businesses, using a hosted or redirect-based QR payment provider (where customers complete payment on the provider’s own secure page) substantially reduces your compliance scope. However, you must still verify that your provider holds current PCI DSS certification and that your own systems meet basic cybersecurity controls: secure Wi-Fi networks, strong access credentials, and no storage of raw card data.
UK GDPR and data protection
Any personal data captured during a QR payment flow — email addresses for digital receipts, transaction records, device identifiers — is subject to UK GDPR. Ensure your provider’s data processing agreement covers their handling of customer data, and that your privacy notice describes how payment-related data is used and retained.
FCA authorisation for Open Banking payments
If your QR payment solution uses Open Banking or Faster Payments rails, confirm that your provider is authorised or registered with the Financial Conduct Authority (FCA) as a Payment Institution or Electronic Money Institution. You can verify this on the FCA Register at register.fca.org.uk. Using an unauthorised provider puts your business at legal risk and may invalidate your fraud protections.
The APP fraud reimbursement framework (new from October 2024)
This is the most significant recent change to the UK payment landscape. Since October 2024, the PSR’s mandatory APP fraud reimbursement rules require in-scope payment service providers to reimburse victims of Authorised Push Payment fraud made via Faster Payments, up to £85,000 per claim (subject to eligibility criteria under the scheme rules). This means that if a customer is fraudulently induced to make an Open Banking QR payment to a criminal, their bank is now required to investigate and — if the claim meets the criteria — reimburse them. As a merchant accepting these payments, this framework does not directly obligate you, but it does mean your payment provider has strong commercial incentives to implement robust fraud controls.
How to give customers a smooth QR payment experience
The best QR payment setup is one where customers barely notice it is there. That means clear codes, confident staff, and no dead spots in your Wi-Fi.
- Place codes where customers naturally pause: At the till, on tables, at the entrance to a queue. Avoid placing them at awkward heights or angles.
- Keep signage simple: ‘Scan here to pay’ is enough. Do not add unnecessary logos or instructions that clutter the scan area.
- One code per location: Multiple QR codes in the same field of view create hesitation. Each payment point should have one clear code.
- Test your connectivity: Check Wi-Fi signal strength and mobile data coverage in every payment area. A 4G signal can serve as backup if Wi-Fi is unreliable.
- Know your refund process before you need it: For card-based QR payments, refunds flow through your acquirer under card scheme rules. For A2A payments, a refund is typically a new outbound payment initiated through your provider’s system. Make sure staff can initiate both.
- Maintain physical codes: Replace worn or faded codes promptly. A damaged code that customers cannot scan reflects badly and may cause them to abandon the transaction.
Common pitfalls and how to avoid them
- Relying on static codes for everything: Static codes require customers to enter the amount manually, slowing checkout and complicating end-of-day reconciliation. Use dynamic codes from a POS-integrated system wherever possible.
- Assuming all customers can pay by QR: Not all customers have compatible smartphones, up-to-date banking apps, or mobile data. Always offer an alternative — card terminal, cash, or payment link — so you never turn away a customer.
- Poor code placement and visibility: Codes in dim lighting, behind obstructions, or at the wrong height will not scan reliably. Test every placement with multiple phone models before going live.
- Skipping staff training: Staff who cannot explain how to scan a code or who miss signs of tampering are your biggest operational risk. Brief training before launch pays dividends daily.
- No contingency for internet outages: QR payments need live connectivity. Have a fallback ready — a manual card terminal, a saved MOTO number, or a clear process for collecting payment details to process later.
- Not checking your provider’s FCA status: Using an unregistered payment provider is a compliance risk. Verify FCA authorisation before signing any contract.
QR Code Payment FAQs
Do I need special hardware or a QR code scanner?
No dedicated scanner is required. Most smartphones can read QR codes natively through the camera app. For businesses, a smartphone, tablet, or POS screen capable of displaying or scanning QR codes is sufficient. Where card payments are involved, you still need a PCI DSS-compliant payment provider — but the QR code itself replaces the need for a separate card reader in many Open Banking-based setups.
How do I handle refunds with QR payments?
It depends on the underlying payment rail. For card-based QR payments, refunds are processed through your acquirer or payment provider in line with card scheme rules — the same process as a standard card refund. For account-to-account payments via Faster Payments, there is no native reversal mechanism; refunds are typically initiated as a new outbound payment through your provider’s system, subject to their procedures.
What if the internet goes down?
Most QR payment flows require active internet connectivity to authorise transactions in real time. If connectivity fails, transactions cannot be completed until service is restored. Some POS systems may queue transactions locally, but authorisation still depends on reconnection. Always have a backup payment method available — a mobile card reader with offline capabilities, or a process for taking payment details by phone.
Can QR payments work in multiple currencies?
Multi-currency capability depends entirely on your payment provider. For card-based QR payments, currency conversion is handled under card scheme and acquirer rules, and dynamic currency conversion may be available. For Open Banking A2A payments, transactions are typically processed in the payer’s and payee’s domestic currency unless your provider offers international payment functionality. Always verify international capabilities directly with your provider if you trade across borders.
Are QR codes used for consumer-to-consumer payments?
Yes. Many banking apps in the UK — including major high street banks and fintechs like Monzo and Starling — allow customers to generate a personal QR code that a friend or family member can scan to send money directly. This is a closed-loop A2A transfer, typically instant and fee-free for personal use. The same technology underpins QR payments in superapp ecosystems like WeChat Pay, where the line between merchant payments and peer-to-peer transfers is seamless.
Is there a developer API for custom QR integrations?
Most regulated payment service providers offer APIs or SDKs that allow QR-based payment flows to be embedded into websites, mobile apps, or bespoke POS systems. The Payment Initiation API under the UK Open Banking framework also provides a standardised route for A2A QR payments. Availability and specific functionality vary by provider — check their technical documentation and confirm the regulatory scope of any API integration before building.
Your Next Step to Getting Started
Moving from interest to implementation is simpler than it might appear. Here is a structured path to follow:
- Review your current payment arrangements. Understand your existing transaction fees, settlement terms, and any contractual obligations — especially early termination clauses.
- Identify your use case. Table service, till payments, invoice payments, and peer-to-peer transfers each call for a different QR solution. Start with the clearest, highest-value use case rather than trying to solve everything at once.
- Shortlist FCA-authorised providers. Verify their regulatory status at register.fca.org.uk and confirm PCI DSS certification if card payments are involved.
- Request a detailed fee breakdown. Ask for the full cost structure: transaction fees, monthly platform fees, settlement terms, integration costs, and any minimum processing commitments.
- Run a controlled pilot. Test with one location or use case before rolling out. Involve staff early, provide brief fraud awareness training, and confirm your UK GDPR data processing obligations are met.
- Monitor, measure, and iterate. Track adoption rates, average transaction values, and any reconciliation issues. Adjust signage, placement, or staff briefings based on what you observe in the first month.
