What is a merchant payment QR?

The QR on a restaurant table, market stall, parking meter, or invoice that you scan to pay. Globally, almost every one of these uses EMVCo's MPM (Merchant-Presented Mode) or CPM (Consumer-Presented Mode) format — a Tag-Length-Value text payload that carries the merchant name, city, country, currency, amount, recipient account, and a 4-character CRC checksum.

What is the sticker-swap attack?

The highest-volume QR fraud globally. An attacker covers a legitimate merchant's QR (on a parking meter, a restaurant table, a market stall, a charity collection box) with a sticker carrying their own QR. Every customer who scans the sticker pays the attacker. The display in the customer's wallet usually says the merchant name encoded in the swapped QR — which the attacker controls — so the user has no easy way to tell it's not the real merchant.

How does the CRC checksum help?

EMVCo MPM payloads carry a CRC-16/CCITT-FALSE checksum in the last 4 characters (tag 63). When the QR is altered, the checksum no longer matches. Our scanner validates the CRC and flags the verdict as suspicious when it fails — a strong indicator that the QR was tampered with or printed incorrectly. Note that an attacker can recompute the CRC after substituting their own merchant info, so a valid CRC doesn't prove authenticity; an invalid one definitely proves tampering or corruption.

What's the safest way to pay a merchant QR?

Verify the merchant name and city our scanner extracts MATCH the storefront you're physically standing in. Use a payment app that shows the recipient's name BEFORE confirming the transfer. Look at the QR's physical integrity — is the sticker peeling, freshly applied, on top of another sticker? If anything is off, pay another way (card, cash, or the merchant's app directly).

Standards · EMVCo merchant payment QR

Is this merchant payment QR safe to pay?

The QR on a restaurant table or parking meter or market stall almost always runs on EMVCo's TLV format. It carries the merchant name, city, country, currency, optional amount, and a CRC-16 checksum that fails if the payload was altered. The sticker-swap attack — covering a real merchant's QR with the attacker's QR — is the most common QR fraud worldwide. Decoding the QR before you pay shows you who you're actually paying.

Scan a merchant QR → All standards →

What's the format

The standard is EMVCo QR Code Specification, published by the same EMVCo consortium that defined chip-and-pin cards. Two flavors share most of the format:

MPM (Merchant-Presented Mode) — the merchant displays the QR, you scan and pay. This is what you see at restaurants, market stalls, and parking meters.
CPM (Consumer-Presented Mode) — your wallet displays the QR, the merchant scans it. Less common; used at some staffed checkouts and in transit fare gates.

Almost every country's instant-payment scheme is built on top of EMVCo MPM with a few country-specific tags layered on:

Pix (Brazil) — world's largest by transaction volume
UPI (India) — world's largest by user count
PromptPay (Thailand) · PayNow (Singapore) · DuitNow (Malaysia) · QRIS (Indonesia)
Bizum (Spain) · Swish (Sweden) · BLIK (Poland) · MB WAY (Portugal)
Wero (EU multi-country) and several dozen more — 54 countries' worth in our analyzer catalog

The format is Tag-Length-Value text, no encryption, decodable by any QR scanner. The merchant identity is encoded in plain text and is what your wallet app displays.

Anatomy of a merchant payment QR

Every EMVCo payload starts with 000201 (Payload Format Indicator). What follows is a sequence of TLV records — two-character tag, two-digit length, value of that length, repeated.

Tag 01 — Point of Initiation

11 = static QR (reusable, you enter the amount yourself).
12 = dynamic QR (one-shot, amount pre-filled by the merchant POS).

Tags 26-51 — Merchant Account Info

Country-specific recipient identifier. Pix Key (CPF / CNPJ / email / phone / EVP UUID), UPI Virtual Payment Address, PromptPay phone or national ID, etc.

Tag 52 — Merchant Category Code (MCC)

ISO 18245 4-digit category. 5812 = restaurant, 5411 = grocery, 7011 = lodging, 5541 = gas station, etc.

Tag 53 — Currency

ISO 4217 numeric code. 840 = USD, 978 = EUR, 826 = GBP, 986 = BRL (Brazilian real), 356 = INR (Indian rupee).

Tag 54 — Amount

Optional. Present in dynamic QRs (the merchant pre-filled it), absent in static QRs (you enter it yourself).

Tags 55-57 — Tip / Convenience Fee

Optional. 55 indicates whether a tip prompt should appear; 56 / 57 carry a fixed-amount or percentage convenience fee.

Tag 58 — Country

ISO 3166-1 alpha-2 country code. Useful when payment apps support cross-border transfer.

Tag 59 — Merchant Name

Up to 25 chars. This is the field your wallet app displays as "you're paying ___". The merchant fully controls what goes here. An attacker who creates a sticker-swap puts whatever string they want here.

Tag 60 — Merchant City

Up to 15 chars. Where the merchant is located.

Tag 61 — Postal Code

Optional but useful for fraud-detection: a US merchant whose postal code doesn't match the city is a flag.

Tag 62 — Additional Data Field

Sub-TLV. Inside: bill number, mobile number, store label, loyalty number, reference label, customer label, terminal label, purpose of transaction.

Tag 63 — CRC checksum

CRC-16/CCITT-FALSE over everything preceding (including the "6304" header of the CRC TLV itself). If this doesn't match, the QR was altered or corrupted.

The sticker-swap attack — global QR fraud №1

The technique is depressingly simple:

Attacker prints a QR pointing to their own payment account.
They put the printed QR on a sticker (or print it directly on adhesive paper).
They walk through a market, restaurant district, or parking-meter zone, and stick the swap-QR over the legitimate merchant QR.
Every customer who scans pays the attacker.

The merchant doesn't notice until the day's reconciliation shows the takings are short. The customer doesn't notice because their wallet says "you paid ${attacker_chosen_string}" — and the attacker can put the merchant's real name in tag 59. Or close to it ("Joe's Pizz4", "Joe's Pizzeria 2") — slight variations that a busy customer doesn't catch.

The fraud has been documented in every country where mobile payments are prevalent: Brazil (Pix sticker-swap at parking meters), India (UPI sticker-swap at petrol pumps), China (WeChat Pay sticker-swap on shop windows), Singapore (PayNow at hawker centres), UK (donation-box QR-swap), US (parking meters in Austin, San Francisco, LA).

How to verify a payment QR before paying

What our scanner shows you:

Merchant name + city + country — does this match the storefront you're physically standing in front of? Read it carefully — sticker-swap fraud often uses near-matches.
Currency + amount — does the amount in the QR match the bill?
Static vs dynamic — if it's static, your wallet will ask you to enter the amount. If it's dynamic, the amount is locked in.
MCC category — is the merchant category code consistent with what they sell? A restaurant QR with MCC 7995 (gambling) is suspicious.
National scheme — Pix, UPI, PromptPay, etc. recognized from the country tag.
CRC validation result — if invalid, the QR has been altered or corrupted. Don't pay.
Recipient account info — the Pix key, UPI VPA, PromptPay ID, etc. that the money will route to. If you've paid this merchant before, does it match?

Physical clues to inspect before scanning:

Sticker peeling at the corners? Recent and possibly added by an attacker.
Sticker laid OVER another sticker? Possible swap.
QR printed on cheap paper taped over the merchant's branded printed QR? Almost certainly fraud.
QR posted in a place where the merchant might not check often (back of a parking meter, behind a counter)? Higher swap risk.

Country-specific schemes we identify

Our analyzer recognizes the country tag and labels the verdict with the local scheme name when one applies. Currently covers 54 countries including all the major instant-payment systems. See the standards hub for the full list with per-scheme details.

Scan before you pay

Drop the QR into our scanner. The verdict shows merchant, city, country, amount, currency, and whether the CRC checksum is valid. Takes a few seconds. Could save you the cost of dinner — or an entire month's parking budget.

Open scanner →