Since QR codes can hold arbitrary strings, why not sql injection attacks?
Given that at any time
1) banks would not be the only party interested in tracking money and/or customers,
2) codes would be scanned and entered into database,
3) at some point tracking would become mandatory,
4) there are still sloppy programmers out there building SQL statements by concatenating
I can see, why this could be a not-so-good idea...
Computers don't actually think. You just think they think. (We think.)