ANSI X9.150

Merchant-Presented QR Code Payments

Published 2026
American National Standard · Financial Services

The US finally has a standard for
secure payment QR codes.

X9.150 defines how merchant-presented, dynamically generated QR codes work — enabling any bank app or wallet to pay any merchant, on any rail.

Issuer  ANSI / ASC X9 Published  2026 Scope  United States Download  ANSI Webstore ↗
The Problem

The US is years behind on instant payments

No standard for payment QR codes meant no interoperability. A fragmented landscape has kept adoption near zero compared to the rest of the world.

🇮🇳
India (UPI)
20B
instant payments / month
🇧🇷
Brazil (Pix)
8B
instant payments / month
🇺🇸
United States
45M
instant payments / month
India
20B
20,000M
Brazil
8B
8,000M
US
45M
Before & After

Not all QR codes are equal

Most QR codes in the US today are static URL codes with no security. X9.150 payment QR codes are fundamentally different.

❌  URL QR Code (today)
Encodes a static URL — anyone can scan
No authentication required
No encryption of payment data
Works in any camera app — no trust checks
Susceptible to QR substitution fraud
No interoperability between networks
VS
✓  X9.150 Payment QR Code
Dynamically generated per transaction
Must be scanned inside an authenticated app
Payload digitally signed with PKI
Both payer and app are verified before unlock
No financial details exposed in the QR itself
Works across FedNow, RTP, ACH, stablecoins
Interactive Flow

How an X9.150 payment works

Step through a complete payment — from QR display to instant settlement.

Merchant generates QR dynamically

For every transaction, the merchant's system (POS, app, or biller portal) generates a fresh QR code. It's not a static image — it contains a digitally signed payment payload specific to this transaction.

🔒 The QR payload contains: merchant ID, transaction amount, timestamp, nonce, and a digital signature from the merchant's X9 PKI certificate.
Dynamic · Expires in 60s
Step 1 of 5
Payment Rails

One QR code, four rails

X9.150 is rail-agnostic. The merchant's QR code is the same regardless of which network settles the payment. Click to explore each.

🏛️
FedNow
Federal Reserve
The Fed's real-time payment network, launched 2023. Available 24/7/365 to any participating bank or credit union.
~5s
Settlement
$500K
Limit
10,000+
FIs
Operated by the Federal Reserve. Participating financial institutions include community banks, credit unions, and large banks. Low per-transaction fees. Strongly supported by the Fed as the infrastructure for widespread instant payment adoption in the US — Amy Burr (EVP, Federal Reserve Financial Services) cited X9.150 directly in the standard's announcement.
RTP
The Clearing House
The private sector real-time payment network, operated by The Clearing House (owned by major US banks). Launched 2017.
~5s
Settlement
$1M
Limit
650+
FIs
Owned by JPMorgan Chase, Bank of America, Wells Fargo, Citi, and others. Strong reach among larger banks. Competes directly with FedNow. The X9.150 standard allows both RTP and FedNow to be supported behind the same merchant QR — FIs participating in either network can process the payment.
🏦
ACH Credit
Nacha
The backbone of US bank-to-bank transfers. Not real-time, but ubiquitous — nearly every bank account can send and receive ACH.
1–2 days
Settlement
No limit
Limit
~11,000
FIs
Included in X9.150 for maximum coverage — especially for smaller financial institutions not yet on FedNow or RTP. Same-day ACH (SDN) is available for qualifying transactions. Including ACH ensures the standard can be adopted broadly before real-time rail coverage is universal.
🪙
Stablecoins
Emerging
Fiat-backed digital currencies (USDC, bank-issued tokenized deposits) on blockchain networks. First-class rail under X9.150.
<1s
Settlement
~$0.01
Fee
24/7/365
Availability
The inclusion of stablecoins in X9.150 is significant. It gives bank-issued stablecoin products the same standard interoperability as FedNow and RTP. A bank or credit union offering stablecoin accounts (via platforms like Stablecore) can expose stablecoin settlement behind the exact same merchant QR code — without merchants needing to change anything.
Security Model

Built on public key cryptography

X9.150 payment QR codes are digitally signed, dynamically generated, and part of the X9 Financial PKI infrastructure — including support for post-quantum signatures.

🔑
Dynamic Generation
Every QR code is freshly generated for a single transaction with a unique nonce and timestamp. Replaying or copying a QR code is cryptographically impossible.
📜
PKI Signatures
Payment payloads are digitally signed using the X9 Financial PKI. Merchants are issued certificates by DigiCert under X9's PKI framework — signatures are verifiable by any compliant app.
🛡️
Post-Quantum Ready
X9.150 signatures use post-quantum cryptography algorithms, future-proofing the standard against advances in quantum computing that would break classical signatures.
📱
App-Level Trust
The QR can only be decoded inside an authenticated banking or wallet app where both the user and the app itself are recognized as trusted by the financial institution.
🚫
No Data in QR
Financial details (account numbers, routing numbers) are never encoded in the QR. The QR is a signed pointer. Sensitive payment data flows through secure server-to-server channels after verification.
🧾
Payment Notifications
X9.150 specifies cryptographically verifiable payment notification messages — both the merchant and the payer receive confirmed receipts that can be audited and retained.