QR codes: the complete guide from generation to security

The surprising history of the QR code

In 1994, an engineering team at Denso Wave — a Toyota subsidiary — was looking for a solution to a concrete logistics problem: 1D barcodes (EAN-13, Code 39) could only encode a few dozen characters. Tracking automotive parts across Japanese assembly lines required dense information on small labels. Engineer Masahiro Hara and his team invented the Quick Response Code, patented under the QR code name. Storage capacity leapt forward: up to 7,089 digits or 2,953 bytes — dozens of times more than a conventional barcode.

What is remarkable — and often overlooked — is that Denso Wave voluntarily released its patents in 2002, deciding not to collect royalties. This strategic decision largely explains the format's worldwide dominance: any developer can implement a QR reader or generator without paying a license fee. The international standard was published under reference ISO/IEC 18004, revised in 2015.

Throughout the 2000s, QR codes remained confined to industry and Japan, where magazines used them to bridge print and the web. The global explosion came from two successive shocks. The first was Chinese mobile payments: WeChat Pay and Alipay, between 2013 and 2016, made QR scanning the dominant payment method in China, with annual volumes exceeding one trillion dollars by 2019. The Chinese population, largely without traditional banking infrastructure, adopted the mobile wallet en masse — and the QR code was the universal interface. The second shock was the COVID-19 pandemic in 2020: in Western countries, restaurants replaced their paper menus with QR codes to avoid physical contact. Hundreds of millions of consumers scanned their first QR code in this context.

By 2026, the QR code is ubiquitous: business cards, advertising billboards, transit tickets, product labels, cryptocurrency wallets, two-factor authentication, Wi-Fi setup. The format, now 32 years old, has never been more widely used.

Anatomy of a QR code

To understand how the QR code works — and why it is so robust — you need to decompose its structure. A QR code is not a random arrangement of black and white pixels: every zone serves a specific purpose, defined by ISO/IEC 18004.

The three positioning squares

In three corners (top-left, top-right, bottom-left), three finder patterns appear — concentric black-and-white squares of fixed size (7 × 7 modules). Their role is critical: the decoder locates them first to determine the orientation and perspective of the code. Even if the image is rotated 90°, flipped, or photographed at a slight angle, the three finder patterns allow the decoder to recalibrate the grid. A fourth, smaller pattern — the alignment pattern — appears in version 2 and higher codes to correct distortions caused by curved or non-flat surfaces.

Timing patterns

Two lines of alternating modules (black-white-black-white...) connect the finder patterns horizontally and vertically. These timing patterns serve as coordinate references: they allow the decoder to count modules precisely, which is essential for locating each data bit within the grid.

Data and Reed-Solomon error correction

The central area encodes the data itself, interleaved with error correction bytes produced by the Reed-Solomon algorithm. Developed in 1960 by Irving Reed and Gustave Solomon at MIT Lincoln Laboratory, this algorithm is used in CDs, DVDs, deep-space communications, and QR codes. It enables the reconstruction of original data even when part of the code is damaged, obscured, or misread — this is the fundamental principle that allows logos to appear at the center of QR codes.

Format, version and capacity

A QR code can exist in 40 versions, from version 1 (21 × 21 modules, minimum capacity) to version 40 (177 × 177 modules, maximum capacity). The version is chosen automatically by the generator based on the amount of data to encode and the selected error correction level.

Four encoding modes are defined by the standard, each optimized for a specific data type:

• Numeric — digits 0-9 only (3.33 bits/character). Maximum capacity: 7,089 digits (version 40, level L).
• Alphanumeric — digits + uppercase letters + a few symbols (5.5 bits/character). Capacity: 4,296 characters.
• Byte — any ISO-8859-1 or UTF-8 byte (8 bits/character). Capacity: 2,953 bytes. This is the default mode for URLs.
• Kanji — Japanese Shift JIS characters (13 bits/character). Capacity: 1,817 Kanji characters.

Error correction levels L, M, Q and H

ISO/IEC 18004 defines four error correction levels, designated by the letters L, M, Q and H. Each level determines the maximum fraction of the code's data that can be lost or damaged while still remaining decodable.

The trade-off is direct: a higher correction level increases the number of redundancy modules, which enlarges the code for the same amount of data. For a QR code displayed on screen or printed on clean paper in an office setting, level L or M is more than adequate. For a warehouse label likely to be scratched or smudged, level Q or H is appropriate. And if you embed a logo at the center — common in marketing — level H is mandatory: the logo physically masks modules, and only maximum redundancy allows the decoder to reconstitute the obscured data.

A common mistake is using level H reflexively as a precaution. The result is a denser code that is harder to scan at small sizes. Choose the level suited to your actual context, not the maximum level by default.

Static vs dynamic QR codes

The distinction between static and dynamic QR codes is fundamental for any professional use, yet frequently misunderstood.

The static QR code

In a static QR code, the URL or content is encoded directly into the modules of the code. Once generated and printed, it is immutable. If the destination URL changes, you need to regenerate and reprint. This is the right solution for stable content: home Wi-Fi credentials, personal vCard contact, the URL of a published blog article, a Bitcoin wallet address. A static QR code has no external dependency and will continue working in 20 years, even if the generator that created it no longer exists.

The dynamic QR code

A dynamic QR code does not encode the real destination — it encodes a short redirect URL, for example https://qr.example.com/a8f3k. When the user scans, their smartphone first hits the redirect server, which forwards to the real destination. That destination can be updated at any time in the admin interface without touching the printed QR code.

Advantages of dynamic QR:

• Change the destination without reprinting (seasonal campaign, new page, A/B test)
• Scan analytics (scan count, approximate geolocation, device type, time of day)
• Short URL means a less dense QR code — easier to scan at small sizes

Drawbacks and risks:

• Dependency on the redirect service: if that service shuts down or goes offline, your QR codes become dead ends. Print campaigns on packaging or newspapers have multi-year lifecycles — use a redirect hosted on your own domain.
• Cost: dynamic QR services are often paid beyond a certain scan volume (Bitly, QR Tiger, Beaconstac).
• Privacy: scan analytics collect data about your users. GDPR disclosure in your privacy policy is required.

Practical rule: static QR for personal use or immutable content, dynamic QR on your own domain for any large-scale print marketing. Our QR code generator creates static codes, guaranteeing their longevity with no external dependency.

QR codes and mobile payments worldwide

One of the most transformative applications of the QR code is mobile payment. The geography of this revolution is fascinating and often poorly understood outside Asia.

China: the global laboratory

WeChat Pay (Tencent) and Alipay (Ant Group, Alibaba affiliate) established QR code scanning as the universal payment interface in China between 2013 and 2016. The model works in two directions: the merchant can display a static QR that the customer scans, or the customer displays their own dynamic QR that the merchant scans. By 2023, QR code payment transaction volume in China exceeded 90 trillion yuan (approximately $12 trillion). Street vendors to department stores — QR payment is the universal reflex. Some merchants have even stopped accepting cash.

EMVCo: the attempt at global standardization

Faced with Chinese success, the global banking industry — through EMVCo, a consortium grouping Visa, Mastercard, Amex, JCB, Discover and UnionPay — published the EMV QR Code specification in 2017 for point-of-sale and person-to-person payments. This standard defines a structured QR code format compatible with international payment networks. It has been adopted by several central banks as the technical foundation for their instant payment systems.

PIX (Brazil) and UPI (India)

Two national systems deserve special mention. PIX, launched by the Banco Central do Brasil in November 2020, became in three years the most used payment system in Brazil — ahead of cards. The PIX QR code (EMVCo-based) enables 24/7 instant transfers, free for individuals. By 2024, PIX processes over 40 billion transactions per year. India's UPI (Unified Payments Interface, managed by NPCI) follows a similar model: instant QR-based payments adopted en masse through PhonePe and Google Pay India. With over 100 billion UPI transactions in 2023, India surpasses the United States in digital payment volume.

The Bitcoin QR code

In the cryptocurrency ecosystem, the QR code is the standard interface for sharing a wallet address. A Bitcoin QR code simply encodes the address (and optionally the amount using the BIP-21 protocol: bitcoin:1A1zP1...?amount=0.001). Since visually verifying a 34-character base58 address is error-prone, the QR code dramatically reduces the risk of transcription errors — and therefore irreversible fund loss.

Why Europe was slow to adopt

The slow adoption of QR payment in Europe is explained by the robustness of existing payment infrastructure (chip cards + NFC contactless via Visa/Mastercard) and regulatory fragmentation. Notable exceptions: TWINT in Switzerland (8 million users, nearly the entire adult population), Bizum in Spain (24 million users), and Lyf Pay in France (now integrated into Oney). The pan-European QR payment standard (EPC QR Code for SEPA credit transfers) has existed since 2018 but remains rarely deployed in consumer-facing interfaces.

Professional use cases in 2026

Beyond marketing and payments, QR codes have embedded themselves in professional contexts that are often underestimated.

vCard business cards

A vCard encoded as a QR code transfers name, company, phone, email, website and address in a single scan. The vCard 3.0 format (RFC 2426) is natively recognized by iOS and Android. A minimal example: BEGIN:VCARD\nVERSION:3.0\nFN:Jane Smith\nORG:SAW Concept\nTEL:+33612345678\nEMAIL:jane@example.com\nEND:VCARD. The recipient scans and adds the contact directly to their address book without typing.

Trackable print marketing

A dynamic QR code on a poster, flyer or product packaging enables precise measurement of print campaign ROI — historically untraceable. By assigning a unique QR code per channel (Paris poster, Lyon flyer, magazine insert), marketers can know exactly which version generates the most traffic, with which device, and at what time of day.

Restaurant menus and food traceability

QR menus, popularized by COVID-19, have persisted in many establishments for their practicality: instant updates without reprinting, dynamic multilingual support, allergen information integration. In the food sector, traceability QR codes allow consumers to trace a product's supply chain back to the producer — an increasingly required feature under evolving EU food regulations.

Wi-Fi configuration

A QR code can encode Wi-Fi connection parameters in a standardized format: WIFI:T:WPA;S:NetworkName;P:Password;;. iOS since version 11 and Android since Android 10 recognize this format natively. The user scans and connects without typing the password. This is practical for welcoming customers or guests, and also a reason to display this QR only in a controlled location — not on the exterior facade of the building.

2FA authentication (TOTP)

Two-factor authentication apps (Google Authenticator, Authy, Aegis) use a QR code to import a TOTP (Time-based One-Time Password) secret key. The encoded format is an otpauth:// URI containing the base32 secret, issuer and algorithm. This QR code must be treated as a secret: photographing or sharing it is equivalent to handing over 2FA access to anyone. To generate this type of base32 secret, a base64/base32 encoder can serve as an intermediate tool. After enrollment, delete every copy of the QR code.

Access control and digital tickets

QR codes on event tickets (concerts, trains, flights) typically encode a unique identifier signed cryptographically, verified by the organizer's scanner. The signature prevents counterfeiting, and instant invalidation after the first scan prevents the resale of screenshots. The PKPASS format (Apple Wallet) and Android Passes use this mechanism. In France, SNCF digital tickets encode an identifier using Aztec Code (a QR code competitor, more compact for dense data) — but scanning gates can read both.

Security: the real danger of QR codes

QR codes are perceived as harmless. That is precisely what makes them dangerous. In 2024 and 2025, quishing (QR phishing) attacks exploded, documented by multiple cybersecurity sources including the FBI and various national CERTs.

How quishing works

The attacker generates a QR code pointing to a fraudulent site impersonating a legitimate interface (bank, government portal, social network, corporate VPN). This QR code is sent by email (bypassing anti-phishing filters that cannot analyze an image), by postal mail, or physically placed over a real QR code. The advantage for attackers: most email clients do not preview the destination of a QR code, unlike hyperlinks. The user scans without suspicion, lands on the fraudulent site, and enters their credentials.

The most notable real-world cases

In 2023, fake QR codes were placed on parking meters in San Antonio, Texas, to steal payment data. The US Federal Trade Commission documented direct financial losses tied to this technique. In Europe, fake QR codes have been reported on electric vehicle charging stations in multiple countries. The 2025 Verizon DBIR report identifies quishing as one of the fastest-growing attack techniques, particularly in attacks targeting enterprise employees through their personal smartphones — devices that scan outside the enterprise proxy perimeter.

OS behavior: Android vs iOS

Since iOS 11 (2017), the iPhone camera natively recognizes QR codes and displays a URL preview banner before any page opens. The user must tap on that banner to follow the link. On Android, behavior varies: the Google Camera app with Lens shows the URL, but some third-party camera apps redirect directly without preview. Always verify the URL preview before confirming. If the URL does not match the context (a bank's QR code showing a .ru or .xyz address), do not proceed.

Tamper-proof physical QR codes

For exposed establishments (restaurants, hotels, payment kiosks), tamper-evident QR solutions exist: holographic lamination, printing on security backgrounds difficult to cover cleanly with a sticker, or QR codes engraved in metal. For lower-stakes contexts, regular visual inspection — checking that no sticker has been placed over the original code — is already a reasonable level of protection.

Protecting the accounts behind your QR destination pages also requires strong, unique passwords — our password generator can help secure each individual account.

Customization and design

A black-and-white QR code on a white background is functional, but visually uninspiring in a marketing context. Modern generators allow extensive customization — provided scanability constraints are respected.

Logos at the center

Embedding a logo at the center of a QR code exploits Reed-Solomon error correction. The logo obscures a zone of modules, and the redundancy bytes allow reconstruction of the lost data — only if level H is activated and the logo covers no more than 20-25% of the total surface. A logo that is too large, or paired with an insufficient correction level, produces an undecodable code. Golden rule: after generating, test on at least five different scanners, including one under poor conditions (low light, oblique angle).

Colors and contrast

The standard does not mandate black on white, but defines a minimum contrast between dark modules and the light zone. In practice, dark modules must be significantly darker than the background. Color gradients on modules can fool some decoders, especially older ones. Safety rule: luminosity contrast ≥ 70% between module color and background. The background must always be lighter than the modules. Invert this rule (dark background, light modules) only if your generation library explicitly supports inverted QR codes — some decoders fail on this configuration.

Rounded shapes and advanced design

Libraries like qr-code-styling (JavaScript) or segno (Python) allow rounding module corners, using custom shapes (circles, diamonds) and defining gradients. These aesthetic modifications remain compatible with the standard as long as the finder patterns are preserved intact and contrast remains sufficient. A common mistake is styling the finder patterns to blend them into the design — scanners recognize them by their strict shape, and any modification makes them invisible to the decoder.

QR code vs alternatives

The QR code is not the only 2D code format. Here is how it compares to its main competitors.

Aztec Code deserves special mention: more compact than QR codes for the same data thanks to the absence of a mandatory quiet zone, it has become the de facto standard for transport tickets in Europe. Its concentric center is more reliably located by gate scanners even when a ticket is crumpled or partially damaged. But its consumer adoption is near zero — smartphones do not recognize it natively without a third-party app.

NFC (Near Field Communication) is the technological competitor sometimes presented as the "QR code killer." In practice, the two coexist with different use cases: NFC requires no physical contact but needs a chip in the object (cost), while a QR code can be printed on any surface for a few cents. In marketing, the QR code remains unbeatable on the functionality-to-cost ratio.

Best practices for marketing

A poorly designed QR code is worse than no QR code at all: it frustrates users, damages brand perception and generates zero conversions. Here are the non-negotiable rules for any professional use.

Size and quiet zone

The minimum size for standard scanning at 25 cm is 2 × 2 cm. For a poster read at 1 meter, plan at least 6 × 6 cm. For a billboard at 3 meters, 15 × 15 cm minimum. The quiet zone — the empty white border surrounding the code — must be at least 4 modules wide. On a print, this represents approximately 10-15% of the code size. A QR placed edge-to-edge with other graphic elements is often unreadable, as the decoder fails to detect the finder patterns.

Always test before printing

Test your QR code on a physical print (not on screen) with multiple devices: recent iPhone, older iPhone, Samsung Android, entry-level Android (weaker camera), Huawei without Google Mobile Services. A QR that scans perfectly on your iPhone may fail on a budget Android with a mediocre camera. Also test at the actual angle of use: if the code is on the floor (store floor graphics), test looking down at it slightly from the side.

Short URL and mobile-friendly landing page

The encoded URL should be as short as possible: less data means a less dense code and easier scanning. If your URL is long, use a shortener (preferably on your own domain). The landing page must be 100% mobile-friendly — users who scan a QR always land on a phone. A non-responsive or slow page (LCP above 2.5 s) destroys the value of the print marketing effort.

Contrast and background

Always print in solid black on a white or very light background. Gray-toned prints, textured backgrounds or printing on colored paper reduce contrast and degrade readability. If your brand guidelines require a specific color, test rigorously before sign-off. Once 10,000 brochures are printed, it is too late to fix an unreadable QR code.

The future: augmented QR codes and new frontiers

The QR code continues to evolve. Several technological directions are emerging for 2026-2030.

Rich link previews and embedded metadata

Mobile browsers on iOS and Android already enrich QR link previews with Open Graph metadata (title, image, description). Emerging standards aim to encode even more information directly in the QR or retrieve it dynamically at scan time. The GS1 Digital Link initiative (ISO/IEC 18975) extends the traditional QR code for consumer goods: a single QR code can redirect to a product page, ingredient sheet, daily promotion or authenticity verification depending on the scan context.

QR codes in augmented reality

Snap Inc. (Snapchat) popularized Snapcodes — visual codes recognized by the app's AR camera to trigger Lenses. TikTok uses a similar system. These codes combine QR-style optical recognition with AR triggers, opening the door to immersive print experiences. Brands including Pepsi and IKEA have already tested campaigns where scanning a special QR code triggers an AR animation through the app.

QR codes in secure communications

Enrolling cryptographic keys (2FA TOTP, IoT device certificates, FIDO2 passwordless authentication) increasingly uses the QR code as a secure out-of-band channel. The logic is straightforward: an attacker intercepting your emails cannot read a QR code displayed on your screen. This out-of-band use is recommended by NIST (SP 800-63B) for certain enrollment scenarios. It places the QR code at the heart of modern security architectures, far from its reputation as a consumer marketing tool.

Conclusion: generate, verify, protect

The QR code is a 30-year-old technology that has never been more relevant. Understood technically — its encoding modes, error correction levels, capacity limits — it becomes a powerful tool for marketing, logistics, security and payments. Used carelessly, or with its security dimension ignored, it becomes an underestimated attack vector.

Key takeaways: choose the error correction level suited to your context (H only for logos or industrial use), use dynamic QR on your own domain for large print campaigns, always test on multiple devices before large-scale printing, and always verify the URL preview before scanning a code in an unknown context.

To create QR codes instantly, without login, without tracking, directly in your browser: use our free QR code generator. Data stays local — we see nothing of what you encode.