
Behind the Scan: How PKI Secures QR Code Payments

May 23, 2025

By matera


QR codes are quickly becoming one of the simplest ways to make payments — just scan and go. But behind that simple scan is a sophisticated layer of digital security that makes sure you’re not sending money to a scammer.

The secret? PKI, or Public Key Infrastructure.

What Happens When You Scan a Payment QR Code?

Imagine you’re at a coffee shop. You pull out your phone, scan a QR code on the counter, and send your $4.50 for that vanilla oat milk latte. But before your bank approves the payment, it checks:

✓ Did this QR code really come from the coffee shop?
✓ Has anyone tampered with it?

To answer those questions, it looks for something embedded in the QR code: a digital signature.

What’s a Digital Signature?

Think of a digital signature like a special stamp that proves the QR code came from a trusted source — in this case, the coffee shop’s payment provider.

But how do we know the stamp is real? That’s where public and private keys come in.

  • The coffee shop (or their payment provider) signs the QR code's payment data using a private key: a secret stamp that only they have.
  • Your banking app checks that stamp using the matching public key, which can be shared with anyone. A public key can confirm a stamp but cannot produce one.

If the signature verifies under the public key, your app knows two things: the data was signed by whoever holds the matching private key, and nothing in it has changed since. What it does not yet know is whether that key holder really is the coffee shop.

What’s to Stop a Scammer?

A scammer could create their own QR code, stamp it with their own private key, and include their matching public key. Technically, the signature would verify: it really was made with the key that matches the public key in the code.

But the payer's bank won't trust it.

A signature only proves that some private key was used. What the bank needs is proof that this particular public key belongs to the coffee shop, and that proof is a certificate issued by a certificate authority the bank recognizes, such as the financial industry's X9 PKI. The scammer's key has no such certificate.

Enter: The Certificate Authority (CA)

A Certificate Authority is like a highly trusted notary, but for the digital world. It does not hand out public keys; it issues digital certificates, each one a signed statement that binds a public key to a verified identity. Before issuing one, it verifies the identity of the requester, checks their legitimacy, and authorizes the issuance according to defined security policies.

X9 is working on exactly that: a Financial PKI for QR code payments.

So when your bank finds a certificate in a QR code, it checks:

✓ Was this certificate issued by X9 or another trusted CA, with an unbroken chain back to a root the bank already trusts?
✓ Has it expired or been revoked?
✓ Does it match the identity it claims to represent, the merchant you are about to pay?
✓ Does the signature on the payment data verify under the certificate's public key?

If every answer is yes, your bank proceeds with the payment. If not? Payment denied.
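To make the signing and checking steps concrete, here is an added example, written for this edit rather than taken from this post, from Matera or from X9. It builds a small PKI with Go's standard crypto/x509: a locally generated root CA stands in for the financial-industry root (the real X9 PKI is not modelled), a merchant certificate is issued under it, the merchant signs a constructed payment payload, and the bank-side check runs the tests listed above against four cases: the honest code, the same code with the amount edited after signing, a scammer's self-signed certificate in the cafe's name, and the merchant's certificate after revocation. The payload layout, the names and the revocation set (a stand-in for a CRL or OCSP lookup) are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// QRPayload is what the QR code carries in this example: the payment data, the
// merchant's certificate and a signature over the data (a constructed layout).
type QRPayload struct {
	Merchant, Amount, Ref string
	Cert                  *x509.Certificate // already parsed; a real decoder parses DER out of the code
	Signature             []byte            // ECDSA signature over SHA-256(signedBytes())
}

func (p QRPayload) signedBytes() []byte { // canonical bytes both sides hash, then sign or verify
	return []byte(fmt.Sprintf("merchant=%s;amount=%s;ref=%s", p.Merchant, p.Amount, p.Ref))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity generates a key pair and a certificate for it issued by parent (holder of
// parentKey); parent == nil means self-signed, as for the root CA and the scammer's own cert.
func newIdentity(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return key, must(x509.ParseCertificate(der))
}

// sign is the merchant side: attach the certificate and sign the payment data.
func sign(p QRPayload, cert *x509.Certificate, key *ecdsa.PrivateKey) QRPayload {
	h := sha256.Sum256(p.signedBytes())
	p.Cert, p.Signature = cert, must(ecdsa.SignASN1(rand.Reader, key, h[:]))
	return p
}

// verify is the bank side, in the post's order: chain to a trusted root and validity window
// (both done by Verify), revocation (revoked stands in for CRL/OCSP), identity, then signature.
func verify(p QRPayload, roots *x509.CertPool, revoked map[int64]bool) error {
	if _, err := p.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	if revoked[p.Cert.SerialNumber.Int64()] {
		return fmt.Errorf("certificate %v revoked", p.Cert.SerialNumber)
	}
	if p.Merchant != p.Cert.Subject.CommonName { // payee named in the code vs. identity the CA vouched for
		return fmt.Errorf("payload names %q but certificate is for %q", p.Merchant, p.Cert.Subject.CommonName)
	}
	if err := p.Cert.CheckSignature(x509.ECDSAWithSHA256, p.signedBytes(), p.Signature); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	return nil
}

// RunScenarios plays out the post's cases and returns the bank's verdict for each.
func RunScenarios() map[string]error {
	caKey, caCert := newIdentity(1, "Example Financial Root CA", true, nil, nil) // local stand-in for the financial industry's root
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	shopKey, shopCert := newIdentity(2, "Vanilla Latte Cafe", false, caCert, caKey) // the cafe, vetted and certified by the root
	honest := sign(QRPayload{Merchant: "Vanilla Latte Cafe", Amount: "4.50", Ref: "1001"}, shopCert, shopKey)
	tampered := honest // signature untouched, amount edited after signing
	tampered.Amount = "450.00"
	badKey, badCert := newIdentity(3, "Vanilla Latte Cafe", false, nil, nil) // scammer: self-signed cert in the cafe's name
	scam := sign(honest, badCert, badKey)                                   // its signature verifies; its issuer does not
	revoked := map[int64]bool{}
	out := map[string]error{"honest": verify(honest, roots, revoked)}
	out["tampered"] = verify(tampered, roots, revoked)
	out["scammer"] = verify(scam, roots, revoked)
	revoked[shopCert.SerialNumber.Int64()] = true // the CA later revokes the cafe's certificate
	out["revoked"] = verify(honest, roots, revoked)
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

Run it with `go run` to print the verdict for each case; only the honest code comes back with a nil error. The order inside verify is the point: the signature is checked last, with a public key that has already been tied to a trusted issuer and to the named merchant, so a perfectly valid signature from an unvetted key never counts for anything. Verify handles the chain and the validity window; Go's standard library does not fetch CRLs or OCSP responses for you, which is why revocation is a local set here.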

Why This Matters

PKI establishes trust between two parties sending and receiving money.

When a consumer scans a QR code to pay, their bank evaluates the QR code to make sure it's safe and that they trust the source.

Thanks to the X9 Financial PKI and digital certificates, that answer can be a fast “Yes.”