Since QR codes can hold arbitrary strings, why not sql injection attacks?
Given that at any time
1) banks would not be the only party interested in tracking money and/or customers,
2) codes would be scanned and entered into database,
3) at some point tracking would become mandatory,
4) there are still sloppy programmers out there building SQL statements by concatenating
I can see, why this could be a not-so-good idea...
You can tune a piano, but you can't tuna fish. You can tune a filesystem, but you can't tuna fish. -- from the tunefs(8) man page