Since QR codes can hold arbitrary strings, why not sql injection attacks?
Given that at any time
1) banks would not be the only party interested in tracking money and/or customers,
2) codes would be scanned and entered into database,
3) at some point tracking would become mandatory,
4) there are still sloppy programmers out there building SQL statements by concatenating
I can see, why this could be a not-so-good idea...
Consider the postage stamp: its usefulness consists in the ability to stick to one thing till it gets there. -- Josh Billings