IS 19671 : 2026 / ISO 5201 : 2024
Financial Services — Code-Scanning Payment Security
This Indian Standard specifies the requirements for ensuring security in code-scanning payment systems used in financial services, with the objective of safeguarding mobile-based transactions against fraud, data breaches, and operational risks. It has been developed in alignment with international best practices and adopts a risk-based approach to address the growing use of QR codes and similar technologies in digital payments. The standard focuses on transactions where payment codes are scanned either by the payer or the payee using mobile devices.
It outlines a structured framework for code-scanning payments, identifying key participants such as payer, payee, payment service providers, and code service providers, along with their respective roles. The standard categorizes payment implementations into two primary modes: payer-presented and payee-presented, and defines the mandatory steps involved in initiating and completing transactions under both modes.
The standard emphasizes comprehensive risk assessment by identifying common and mode-specific threats such as unauthorized access, tampering with code images, data leakage, and insecure communication. It provides detailed security objectives to ensure that only authorized parties initiate and receive payments, and that transaction data remains confidential and accurate.
It further prescribes minimum security requirements and additional guidelines, including authentication mechanisms, encryption practices, secure code generation, and protection against cyberattacks. Overall, it establishes a robust framework to enhance the security, reliability, and trustworthiness of code-scanning payment systems in the digital financial ecosystem.
Last Updated on April 10, 2026