Introduction
QR code payments have become an important part of Turkey’s digital payment ecosystem. Consumers can scan a QR code at a physical store, ATM, restaurant, marketplace, invoice screen, payment page, or mobile application and complete a payment without entering card details manually. Merchants can receive payments through QR-enabled POS devices, mobile applications, FAST-based transfers, card payment systems, or other payment service channels. For banks, payment institutions, electronic money institutions, marketplaces, digital wallets, e-commerce platforms, and fintech companies, QR payments provide speed, convenience, and lower friction.
However, QR code payments are not merely a technical feature. In Turkey, QR payments are regulated under the payment services framework, especially Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions and the Regulation on the Generation and Use of TR QR Code in Payment Services. The Regulation applies to payment transactions made via QR code that fall within the scope of payment services under Law No. 6493, and its objective is to regulate the procedures and principles for generating and using the TR QR Code in payment services.
The Central Bank of the Republic of Türkiye, known as the CBRT, is the principal authority for payment services and TR QR Code rules. The national standard is known as TR QR Code. According to BKM, TR QR Code is the standard for QR payments in Türkiye, and the rules, regulations, and specifications are provided by the CBRT. BKM is responsible for establishing and operating the TR QR Code Switching System, which allows participants to make TR QR Code transactions when the payer and payee are from different institutions.
This article explains QR code payments in Turkey, including the legal framework, TR QR Code standard, payment service provider obligations, POS, ATM and e-commerce use cases, FAST integration, merchant duties, consumer protection, security risks, KVKK data protection, MASAK compliance, unauthorized transaction disputes, and liability for fintech companies and payment institutions.
1. What Are QR Code Payments?
A QR code payment is a payment transaction initiated by scanning or presenting a QR code. The QR code contains information needed to execute the payment transaction, such as merchant information, account information, payment amount, transaction reference, payment method data, or routing information depending on the technical model.
In Turkey, QR code payments may be used in different channels, including:
POS payments in physical stores
ATM withdrawals
E-commerce checkout
Invoice payments
Mobile wallet payments
FAST merchant payments
Card-based QR payments
Payment link or screen-based QR payments
Person-to-person transfers
Marketplace payments
Mobile operator payment flows
BKM states that TR QR Code can be used in POS, ATM and e-commerce channels, and that TR QR Code payments can be made through payment cards, the CBRT’s FAST instant payment system, and mobile operator payments.
The legal nature of the transaction depends on the underlying payment method. A QR code may be used to initiate a card payment, a bank transfer, a payment from an e-money wallet, a mobile operator payment, or a FAST transfer. Therefore, the QR code is not the whole payment system by itself; it is a standardized initiation and data-transfer tool within the broader payment services framework.
2. Main Legal Framework for QR Code Payments in Turkey
The main legal framework for QR code payments in Turkey consists of:
Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions
Regulation on the Generation and Use of TR QR Code in Payment Services
CBRT secondary legislation on payment services and electronic money
CBRT information systems rules for payment and e-money institutions
BKM technical and switching infrastructure
MASAK anti-money laundering legislation
Law No. 6698 on the Protection of Personal Data
Law No. 6502 on Consumer Protection
Bank card and credit card rules
Commercial and platform contracts
Law No. 6493 regulates payment systems, payment services, payment institutions, and electronic money institutions. Its official English text states that the objective of the law is to regulate procedures and principles regarding payment and securities settlement systems, payment services, payment institutions, and electronic money institutions.
TÖDEB explains that payment services under Law No. 6493 include payment account operations, payment transactions through payment cards or similar instruments, money transfers, issuance or acceptance of payment instruments, remittance, payment order initiation services, and account information services. It also states that payment institutions and electronic money institutions may provide payment services within the scope of the operating license issued by the CBRT.
The QR-specific framework is the TR QR Code Regulation. The Regulation applies to payment transactions made via QR code and falling within payment services under Law No. 6493. This means that QR code payments should not be analyzed only as software or user interface design. If the transaction is a regulated payment service, the relevant provider must comply with the payment services framework.
3. What Is TR QR Code?
TR QR Code is Turkey’s national QR code payment standard. It was introduced to standardize QR-based payments, improve interoperability, reduce fragmentation, and support innovative payment methods.
BKM describes TR QR Code as the standard for QR payments in Türkiye and states that the rules, regulations and specifications are provided by the CBRT. BKM has been given responsibility to establish and operate the TR QR Code Switching System, which allows participants to execute TR QR Code transactions where the payer and payee are from different institutions.
The TR QR Code Regulation defines several important concepts, including dynamic QR code, merchant, merchant-presented QR code, QR Code Generator ID, and QR Code Switching System. The Regulation also provides that the QR Code Switching System enables the transfer of QR codes and information contained between payment service providers.
The policy objective is interoperability. If every bank, wallet provider, payment institution, merchant, ATM operator, or platform used a different QR format, QR payments would become fragmented and inconvenient. A common standard allows broader acceptance and more efficient payment routing.
4. Static QR Code and Dynamic QR Code
QR code payment systems may use static or dynamic QR codes. The distinction is important for security and liability.
A static QR code usually contains fixed payment information. It may be printed and placed at a merchant location. It may identify the merchant or payment account, but the transaction amount may need to be entered separately by the user or merchant.
A dynamic QR code is generated for a specific transaction. It may contain the amount, merchant information, transaction reference, expiry data, or other transaction-specific information. The TR QR Code Regulation defines dynamic QR code as a single-use QR code generated specifically for the payment transaction in process.
Dynamic QR codes are generally more secure because they reduce the risk of wrong amount entry, replay, and code tampering. However, they require reliable generation, transmission, display, and validation infrastructure.
For merchants and payment service providers, the choice between static and dynamic QR models affects fraud risk, operational design, authentication, transaction evidence, refund handling, and consumer disputes.
5. Who May Generate TR QR Code?
The TR QR Code Regulation provides that TR QR Code shall be generated by payment service providers and payment system operators approved by the CBRT that own a TR QR Code Generator ID. It also allows payment service providers to outsource TR QR Code generation, but outsourcing does not remove the regulatory responsibilities of the payment service provider.
This is important for fintech companies. A technology company may develop QR code software, but if the QR code is used for regulated payment services, the regulated payment service provider remains responsible for compliance. A merchant app, wallet app, marketplace interface, or checkout provider should not generate payment QR codes outside the regulated structure unless the model is legally reviewed.
A QR Code Generator ID is part of the regulated infrastructure. BKM is involved in determining and publishing the relevant list at the request of payment service providers and approved payment system operators, according to the Regulation.
6. QR Code Payments and Payment Service Providers
The main regulated actors in QR code payments are payment service providers. Under the Turkish payment services framework, payment service providers include banks, payment institutions, electronic money institutions, and other authorized actors under Law No. 6493. TÖDEB states that payment institutions and electronic money institutions may provide payment services within the scope of their CBRT operating license.
QR payment providers may include:
Banks
Payment institutions
Electronic money institutions
Card acquirers
Digital wallet providers
Merchant acquiring providers
Payment initiation service providers
Account information service providers
Mobile operator payment providers
Payment system operators
Marketplace payment facilitators
A company that offers QR code payments must determine whether it is providing a regulated payment service. If it accepts payment instruments, initiates payments, operates payment accounts, facilitates merchant payments, transfers funds, or manages settlement, it may need CBRT authorization or must operate through a licensed provider.
A software-only provider may avoid direct licensing if it merely supplies technical tools to a licensed institution and does not control regulated payment functions. However, the contract, user interface, branding, fund flow, and operational reality must support that position.
7. QR Code Payments at POS
POS-based QR code payments are common in physical stores. A merchant may present a QR code on a POS terminal, printed receipt, tablet, display screen, or mobile application. The customer scans the QR code with a banking app, wallet app, or payment app and authorizes the transaction.
BKM states that TR QR Code can be used in POS channels. The CBRT’s 2023 Annual Report also stated that, as a result of technical development and expansion work, card payments with TR QR Code had become possible at 85% of existing POS machines, and technical preparations for FAST TR QR Code payments had reached 80% of POS machines.
POS QR payments raise several legal and operational questions:
Who is the merchant acquirer?
Which payment service provider generates the QR code?
Is the QR code dynamic or static?
How is the amount verified?
How does the customer authorize the payment?
How is the payment confirmation delivered to the merchant?
Who handles refunds?
Who bears fraud risk?
What happens if the customer scans a fake QR code?
How are transaction logs preserved?
A merchant should not display QR codes in a way that can easily be replaced, tampered with, or misdirected. A payment service provider should require merchants to take reasonable measures for the physical security and readability of QR codes.
8. QR Code Payments in E-Commerce
QR payments can also be used in e-commerce. Instead of entering card details, a consumer may scan a QR code displayed on the checkout screen using a mobile banking or wallet app. This can reduce card data exposure and improve customer experience.
E-commerce QR payments may be useful for:
Online stores
Marketplaces
Subscription platforms
Food delivery apps
Travel booking platforms
Digital goods platforms
Gaming platforms
Invoice payment portals
Mobile-first checkout
The legal risks include payment confirmation errors, fake checkout pages, phishing, expired QR codes, wrong merchant identity, refund disputes, chargebacks, and data protection issues.
A compliant e-commerce QR payment flow should display:
Merchant identity
Payment amount
Currency
Order reference
Payment service provider identity
Expiration time for dynamic QR code
Refund and cancellation rules
Consumer contact channel
Secure domain and app verification
Transaction confirmation screen
Payment service providers should design e-commerce QR codes to reduce phishing risk. Consumers should be warned not to scan QR codes from suspicious links or unofficial websites.
9. QR Code Payments at ATMs
QR code technology is also used in ATM transactions, particularly cardless cash withdrawal. BKM states that TR QR Code can be used in ATM channels. The CBRT’s 2023 Annual Report noted that card payments with TR QR Code became possible across a large share of existing POS machines and that money withdrawal with TR QR Code had become possible from almost all ATMs in Türkiye.
ATM QR transactions may reduce the need for physical cards, but they also create security risks:
Shoulder surfing
Fake ATM overlays
QR code replacement
Mobile app compromise
Session hijacking
Wrong transaction confirmation
Unauthorized withdrawal after account takeover
Social engineering
Strong customer authentication is critical. The user should confirm the transaction inside a trusted banking or wallet application. The app should show the ATM identity, amount, transaction type, and confirmation step before authorization.
10. FAST and TR QR Code
The FAST system, developed by the CBRT, is Turkey’s instant payment system. The CBRT’s 2023 Annual Report states that FAST operates 24/7 and enables end-to-end retail payment transfers within seconds. It also states that FAST allows person-to-person money transfers and merchant payments without requiring IBAN information by using TR QR Code generated in accordance with standards.
FAST-based TR QR payments are important because they can enable direct account-to-account payment flows. This may reduce reliance on card-based payment acceptance in certain contexts and support instant merchant payments.
The CBRT’s 2023 Annual Report also referred to transaction limit increases for FAST, including merchant payments with dynamic verification using TR QR Code. On 21 December 2023, the limit for merchant payments using dynamic QR codes was increased to TRY 100,000.
FAST QR payments create their own legal and operational issues:
Transaction finality
Wrong recipient risk
Instant settlement
Refund process
Merchant confirmation
Fraud monitoring
Payment initiation consent
Risk information sharing
Dynamic verification
Customer notification
Because FAST transfers are executed quickly, fraud prevention and transaction verification must occur before authorization. Post-transaction recovery can be more difficult.
11. QR Code Switching System
BKM is responsible for the TR QR Code Switching System, which enables TR QR Code transactions between participants when payer and payee are from different institutions. This switching infrastructure supports interoperability.
A switching system matters because QR payments often involve different institutions:
The payer’s bank or wallet provider
The merchant’s payment service provider
The payment system operator
The QR code generator
The acquiring institution
The settlement infrastructure
Without a switching mechanism, QR payments could remain within closed ecosystems. Interoperability supports competition, consumer convenience, and merchant acceptance.
From a legal perspective, switching systems also raise questions about transaction data, operational reliability, cybersecurity, dispute routing, transaction evidence, and responsibilities of each participant. Contracts and technical rules should define how participants communicate, authenticate, route, settle, and resolve errors.
12. Security Standards for QR Payments
Security is one of the most important legal issues in QR code payments. QR codes are easy to display, copy, print, share, or replace. This makes them convenient but also vulnerable to manipulation.
Common QR payment risks include:
Fake QR codes placed over legitimate merchant codes
Phishing QR codes sent by SMS or e-mail
Malicious QR codes redirecting users to fake payment pages
Wrong merchant identity
Wrong payment amount
Replay of static QR codes
Expired dynamic QR code reuse
Compromised merchant device
Compromised customer phone
Account takeover
Social engineering
Fraudulent refund requests
Payment confirmation spoofing
The TR QR Code Regulation requires TR QR Codes to comply with technical principles and rules, and the CBRT may determine technical guidelines. Payment service providers should also pay attention to physical security and readability of QR codes and include necessary merchant obligations in framework agreements.
A legally sound QR payment system should include:
Dynamic QR codes for higher-risk transactions
Secure QR generation
Transaction-specific identifiers
Amount verification
Merchant identity display
App-based customer confirmation
QR code expiration
Replay protection
Device security
Fraud monitoring
Transaction notifications
Tamper-resistant logs
Merchant education
Consumer warnings
Incident response procedures
Security failures can create liability for payment service providers, merchants, software vendors, or users depending on fault, causation, and evidence.
13. Consumer Protection in QR Code Payments
QR payments are convenient, but consumers must be protected against unauthorized transactions, misleading merchants, wrong amounts, fake QR codes, failed refunds, and unclear complaint channels.
Consumer-facing QR payment journeys should clearly show:
Merchant name
Payment amount
Currency
Payment method
Account or card to be charged
Transaction type
Confirmation step
Refund information
Transaction receipt
Complaint channel
A consumer should never be expected to approve a payment without seeing what they are paying, to whom, and through which account or instrument. App screens should not show vague text such as “confirm transaction” without merchant identity and amount.
Consumer protection is also relevant under Law No. 6502 where the QR payment is linked to a consumer purchase. If the merchant fails to deliver goods or services, the consumer’s primary claim may be against the merchant. However, if the payment provider’s system caused an unauthorized or incorrect transaction, the payment service provider may also face liability.
14. Unauthorized QR Transactions
Unauthorized QR transactions are one of the main dispute risks. A consumer may claim that a QR payment was made without consent, that the QR code was fake, that the amount was changed, or that the payment was routed to the wrong recipient.
Important evidence includes:
QR code content
Transaction timestamp
Merchant ID
Payment service provider logs
Customer device information
IP address
Application login logs
Authentication records
Payment confirmation screen
Push notification records
SMS/OTP records
FAST or card transaction reference
Merchant settlement records
Complaint timestamp
The central question is whether the customer authorized the transaction and whether the payment provider applied proper security measures. If the customer scanned a malicious QR code outside the official merchant environment, user negligence may be argued. If the merchant failed to protect its displayed QR code from tampering, merchant liability may arise. If the payment app failed to show merchant identity or amount before confirmation, payment provider liability may arise.
A provider defending an unauthorized transaction claim should produce a complete audit trail. Without transaction logs, authentication records, and confirmation evidence, it may be difficult to prove valid authorization.
15. Merchant Duties in QR Code Payments
Merchants play a major role in QR payment security. A merchant may display a QR code at the cashier, on a table, on a printed invoice, on a payment page, or inside an app. If that QR code is replaced, manipulated, expired, or displayed incorrectly, customer loss may occur.
Merchants should:
Use QR codes provided through authorized payment service providers
Avoid displaying unofficial or manually generated payment QR codes
Protect printed QR codes from physical replacement
Regularly inspect displayed QR codes
Use dynamic QR codes where possible
Confirm payment receipt through official merchant systems
Train employees not to rely on screenshots or customer claims alone
Preserve payment receipts
Maintain refund records
Notify the payment provider of suspicious incidents
Avoid misleading customers about payment recipient or amount
Merchant agreements should contain QR security obligations. The TR QR Code Regulation contemplates that payment service providers should include necessary provisions in merchant framework contracts for merchants to take required security measures.
16. Payment Service Provider Duties
Payment service providers have broader duties because they design and operate the payment infrastructure. Their obligations include regulatory compliance, technical security, customer authentication, merchant onboarding, transaction monitoring, fund safeguarding, complaint handling, and audit trails.
TÖDEB states that payment institutions and e-money institutions need a CBRT operating license and must have sufficient personnel and technical equipment, establish complaint and appeal units, ensure activity continuity, and take security and confidentiality measures for funds and information regarding payment service users.
For QR payments, providers should:
Generate TR QR Codes according to applicable rules
Use QR Code Generator IDs where required
Ensure interoperability through BKM infrastructure where applicable
Apply strong customer authentication
Display merchant and amount information before approval
Use dynamic verification for higher-risk cases
Monitor suspicious QR payment patterns
Protect transaction data
Preserve logs
Handle complaints quickly
Contractually impose merchant security duties
Maintain refund and reversal procedures
Protect customer funds
Cooperate with regulators and payment system operators
The provider’s system should be designed for both security and evidence. In a dispute, the provider must show how the payment was initiated, authenticated, routed, authorized, and settled.
17. Fund Protection and Settlement
QR code payments may involve funds received from customers, payment institutions, e-money institutions, merchants, and settlement accounts. Where payment institutions or e-money institutions hold funds for payment execution, fund safeguarding rules become important.
TÖDEB explains that funds collected for payment services and funds collected for issuing electronic money must be protected under regulatory procedures. It also states that payment institutions and e-money institutions must separate redemption funds from other funds, use them only for payment transactions, and reconcile preservation account records with bank statements daily.
In QR merchant payments, the system must distinguish:
Customer payment amount
Merchant receivable
Payment provider fee
Marketplace commission
Refund amount
Chargeback amount
Settlement reserve
E-money balance if applicable
Customer funds not yet paid to the receiver
Provider revenue
A provider should not treat customer funds or merchant settlement amounts as ordinary operating income. Fund misclassification can create regulatory, tax, accounting, and civil liability risks.
18. MASAK and AML Risks
QR payments may appear low-risk because they are often small retail transactions. However, high-volume QR payments can be misused for fraud, illegal betting, mule accounts, fake merchants, layered transactions, or laundering proceeds of crime.
Payment and e-money institutions are subject to MASAK liability audits according to TÖDEB’s sector guidance. QR payment providers should implement AML/KYC controls proportionate to their business model.
AML red flags in QR payments may include:
Many QR payments to newly onboarded merchants
High transaction volume inconsistent with merchant profile
Repeated payments just below limits
Refunds to different accounts
Merchant category mismatch
QR payments linked to illegal betting indicators
Multiple merchants using the same beneficial owner
Unusual night-time transaction spikes
Rapid merchant onboarding and closure
Repeated failed QR transactions followed by successful payments
Suspicious cross-border QR use
Merchant onboarding and transaction monitoring should be integrated. A QR payment provider should know who the merchant is, what goods or services are sold, what transaction volume is expected, and whether actual activity matches the profile.
19. KVKK and QR Payment Data
QR payments involve personal data and transaction data. A QR payment system may process customer identity data, device identifiers, IP addresses, payment account information, card data tokens, merchant information, transaction amount, location indicators, and behavioral data.
Under Law No. 6698 on the Protection of Personal Data, known as KVKK, personal data must be processed lawfully and securely. Payment service providers and merchants should identify whether they act as data controllers or processors for specific data flows.
QR payment data protection risks include:
Excessive collection of location data
Unclear privacy notices
Use of transaction data for marketing without proper basis
Sharing customer data with merchants or partners unnecessarily
Foreign cloud processing without transfer safeguards
Insecure QR payment logs
Data breach involving transaction histories
Insufficient retention and deletion policies
Unrestricted employee access to payment data
A QR payment provider should prepare privacy notices, data processing inventories, vendor agreements, retention policies, data subject request procedures, breach response plans, and cross-border transfer assessments.
Payment data can reveal sensitive behavioral patterns. A consumer’s QR payment history may show where they shop, eat, travel, receive services, or make personal payments. This data must be protected carefully.
20. QR Payments and Cybersecurity
QR payment systems rely on mobile applications, APIs, POS terminals, merchant dashboards, payment gateways, settlement systems, customer authentication tools, and switching infrastructure. Cybersecurity failures can lead to unauthorized payments, data breaches, merchant account takeover, fake QR generation, and settlement fraud.
Cybersecurity controls should include:
Secure QR generation
Encryption
Application integrity checks
Secure APIs
Strong customer authentication
Device binding
Merchant dashboard security
Admin access control
QR code expiration
Fraud monitoring
Tamper-resistant logs
Penetration testing
Incident response
Business continuity
Merchant bank account change controls
Employee access controls
Payment institutions and e-money institutions are subject to information systems audit obligations. TÖDEB notes that annual independent financial audits are required and that information systems audits are conducted every two years according to CBRT principles.
Cybersecurity should be considered a legal compliance requirement, not only an IT issue.
21. QR Payment Disputes
QR payment disputes may arise between consumers, merchants, payment service providers, banks, wallet providers, marketplaces, and software vendors.
Common disputes include:
Unauthorized QR payment
Fake QR code fraud
Wrong merchant payment
Wrong amount
Duplicate payment
Payment shown as failed but money debited
Merchant claims non-receipt
Consumer claims non-delivery of goods
Refund delay
Settlement delay
QR code generation error
Expired QR code accepted
Payment app did not show correct details
ATM QR withdrawal dispute
FAST QR transfer sent to wrong recipient
Data breach
Merchant dashboard compromise
Dispute resolution depends on evidence. The key evidence includes QR code data, payment order, transaction logs, authentication records, merchant confirmation, settlement records, app screenshots, consumer notifications, and complaint timestamps.
A provider should have a clear internal dispute workflow. Small payment disputes can become legal claims if the provider cannot provide a coherent explanation.
22. Refunds and Reversals
Refunds are important in QR payments, especially in retail, e-commerce, marketplace, and restaurant transactions. The refund process depends on the underlying payment method. A card-based QR payment may follow card refund rules. A FAST QR payment may require a different transfer or reversal process. A wallet-based QR payment may be refunded to the wallet balance.
Refund rules should address:
Who may initiate the refund
Whether partial refunds are possible
Where the refund is credited
How long refund processing takes
What happens if merchant settlement already occurred
Whether provider fees are returned
How consumer cancellation rights are handled
How duplicate payments are resolved
How failed QR transactions are corrected
A merchant should not ask the customer to make a second QR payment before confirming whether the first payment failed. Duplicate payments are a common dispute risk.
23. QR Payments in Marketplaces
Marketplaces may use QR payments for in-person pickup, delivery, restaurant orders, courier payments, event tickets, or offline-to-online transactions. Marketplace QR payments create added complexity because there may be multiple actors: customer, marketplace, merchant, courier, payment institution, bank, wallet provider, and seller.
Marketplace QR payment terms should define:
Who is the seller
Who generates the QR code
Who receives payment
Who settles the merchant
Who handles refunds
Who handles consumer complaints
Who bears chargeback or fraud risk
Whether marketplace commission is deducted
Whether seller balances are held
How suspicious merchants are blocked
How transaction evidence is stored
A marketplace should avoid confusing consumers about whether they are paying the platform or the merchant. The payment app should show the correct payee identity.
24. Cross-Border QR Payments
The CBRT’s 2023 Annual Report noted initiatives by payment service providers to enable cross-border payments with innovative payment methods such as TR QR Code, and stated that work was being carried out under BKM coordination to determine flows and technical steps for interoperable cross-border QR payments.
Cross-border QR payments raise additional legal issues:
Foreign payment service provider involvement
Currency conversion
Cross-border data transfer
AML and sanctions screening
Foreign merchant identity
Consumer dispute jurisdiction
Tax treatment
Refund timing
Exchange rate transparency
Payment system interoperability
Regulatory permissions
A foreign QR payment provider cannot assume that its foreign license is sufficient for Turkish payment activity. Turkish regulatory analysis is required if Turkish users, Turkish merchants, Turkish lira, or Turkish payment infrastructure are involved.
25. Liability in QR Payment Transactions
Liability in QR payments depends on the facts. Possible liable parties include the payment service provider, merchant, wallet provider, bank, marketplace, software vendor, or user.
A payment service provider may be liable if it fails to apply required technical standards, does not show transaction details, lacks proper authentication, loses transaction data, fails to protect funds, or ignores fraud alerts.
A merchant may be liable if it displays a tampered QR code, fails to protect its payment environment, misleads consumers, refuses valid refunds, or confirms receipt incorrectly.
A software vendor may be liable if its system creates QR codes incorrectly, exposes data, or fails to meet contractual security standards.
A user may bear responsibility if they scan suspicious QR codes, approve transactions without checking details, share app credentials, ignore warnings, or delay reporting fraud.
Liability is usually evidence-driven. Courts, consumer authorities, regulators, and internal dispute teams will need transaction logs, confirmation screens, QR data, authentication records, and complaint evidence.
26. Practical Compliance Checklist for QR Payment Providers in Turkey
A QR payment provider should consider:
Confirm whether the activity is a payment service under Law No. 6493.
Operate within the scope of CBRT authorization.
Use TR QR Code standards where applicable.
Obtain and manage QR Code Generator ID where required.
Use BKM switching infrastructure where applicable.
Define whether QR is used for card, FAST, wallet, mobile operator, or other payment flows.
Prefer dynamic QR codes for higher-risk transactions.
Display merchant identity and amount before customer approval.
Apply strong customer authentication.
Preserve transaction logs.
Monitor suspicious QR payment patterns.
Impose merchant QR security obligations by contract.
Train merchants on QR tampering risks.
Prepare refund and reversal procedures.
Protect funds according to regulatory rules.
Comply with KVKK.
Assess MASAK obligations.
Implement cybersecurity controls.
Prepare incident response.
Handle consumer complaints quickly.
Monitor CBRT, BKM, TÖDEB and payment sector updates.
This checklist should be adapted to the exact model. POS QR payments, ATM QR withdrawals, e-commerce QR payments, FAST QR transfers, wallet QR payments, and marketplace QR flows have different risk profiles.
Why Legal Support Is Important
QR code payment law in Turkey combines payment services regulation, CBRT rules, BKM technical infrastructure, merchant acquiring, e-money, FAST payments, consumer protection, MASAK, KVKK, cybersecurity, contract law, and dispute resolution.
A fintech lawyer can assist with:
QR payment regulatory classification
CBRT licensing analysis
TR QR Code compliance review
Merchant agreement drafting
Payment facilitation structure
FAST QR payment review
E-commerce QR payment terms
Refund and dispute rules
KVKK compliance
MASAK and AML procedures
Cybersecurity and incident clauses
Cross-border QR payment analysis
Consumer dispute strategy
Regulatory correspondence
Administrative sanction defense
Legal review should begin before launch. Once merchants are onboarded and QR payments are processed through a non-compliant structure, remediation may require contract revision, merchant re-onboarding, technical redesign, customer communication, and regulatory engagement.
Conclusion
QR code payments are a key part of Turkey’s digital payment transformation. They support fast, mobile, interoperable and convenient payment experiences in POS, ATM, e-commerce, FAST, wallet and marketplace channels. However, QR payments are not merely a user interface feature. They are regulated payment transactions when they fall within the scope of payment services under Law No. 6493.
The TR QR Code Regulation establishes the national framework for generating and using TR QR Code in payment services. BKM operates the TR QR Code Switching System, and the CBRT provides the regulatory rules and specifications.
For payment service providers, the key duties are licensing, technical compliance, secure QR generation, customer authentication, merchant controls, fund protection, transaction monitoring, data protection, AML compliance, cybersecurity, refund procedures, and evidence preservation. For merchants, the key duties are to use authorized QR codes, protect displayed codes, confirm payments through official systems, and cooperate in refunds and disputes. For consumers, the key safety rule is to verify merchant identity and amount inside the trusted payment application before approval.
QR payments will continue to expand in Turkey, especially through FAST, digital wallets, merchant payments, and e-commerce. Companies that build QR payment products with legal compliance, security standards, consumer protection, and audit-ready evidence from the beginning will be better positioned to scale safely in Turkey’s fintech market.
Yanıt yok