Since QR codes can hold arbitrary strings, why not sql injection attacks?
Given that at any time
1) banks would not be the only party interested in tracking money and/or customers,
2) codes would be scanned and entered into database,
3) at some point tracking would become mandatory,
4) there are still sloppy programmers out there building SQL statements by concatenating
I can see, why this could be a not-so-good idea...
Stinginess with privileges is kindness in disguise. -- Guide to VAX/VMS Security, Sep. 1984