
There is one technology that quietly and steadily slipped into our everyday life and has been a part of it ever since - we are talking about QR codes. From scanning a menu at a café to making a payment at a grocery store, 2D QR codes are everywhere.

The global retail and supply-chain industry is now entering a significant transition: the shift from traditional 1D barcodes to 2D QR codes enabled by the GS1 Digital Link standard. This shift is about much more than packaging. It changes the foundation of how products are identified, how access is authenticated, and how products are connected to digital information. With the GS1 Sunrise 2027 initiative, businesses are now starting to modernise their packaging, persistence, and data-management processes to support this new standard.

As 2D codes redefine product identity and supply-chain transparency, they also bring PCI DSS into the picture, especially when QR codes are used in payments.


Understanding the GS1 Digital Link Standard and the Sunrise 2027 Initiative

For almost half a century, traditional barcodes have been the backbone of retail. They helped automate checkouts and improve supply-chain efficiency; however, their limitations are increasingly clear in today’s environment.

The modern supply chain requires even more accessibility across a product’s lifecycle - real-time access to manufacturing, transparency about ingredients and sustainability, multi-market regulatory compliance, and much more. A 1D barcode cannot hold this amount or depth of information; however, a 2D QR code can easily encode more data. This QR code can serve both operational and consumer-facing processes simultaneously - something not possible with a 1D barcode.

The GS1 Digital Link standard is designed to modernise and make product identification more efficient for the digital world. Traditional 1D barcodes could carry only a single numeric identifier, which limited how much information they could convey. In contrast, GS1 Digital Link enables this identifier to become a web-addressable string. A single QR code can carry various details ranging from the product ID to batch information to expiry dates. This essentially means that the same QR code scanned at a retail POS system, by a warehouse worker, or by a consumer can return different information based on the context.
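To show what "web-addressable string" means in practice, the following added example (not code from GS1 or from this article's author) parses a GS1 Digital Link URI into the product ID, batch and expiry date it carries and validates the GTIN check digit. The sample URI is constructed, and requiring https and returning the host for an allowlist check are choices made for this example.

```python
from datetime import date
from urllib.parse import parse_qs, unquote, urlsplit

# GS1 Application Identifiers handled in the path: GTIN, batch/lot, serial.
PATH_AIS = {"01": "gtin", "10": "batch", "21": "serial"}

def gtin_check_ok(gtin: str) -> bool:
    """GS1 mod-10 check digit: weights 3,1,3,... from the right of the body."""
    if not gtin.isdigit() or len(gtin) not in (8, 12, 13, 14):
        return False
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(gtin[:-1])))
    return (10 - total % 10) % 10 == int(gtin[-1])

def parse_digital_link(uri: str) -> dict:
    """Return host, GTIN, batch, serial and expiry carried by the URI."""
    parts = urlsplit(uri)
    if parts.scheme != "https":  # policy chosen for this example
        raise ValueError("expected an https URI")
    segs = [unquote(s) for s in parts.path.split("/") if s]
    if "01" not in segs:
        raise ValueError("no GTIN (AI 01) in path")
    pairs = segs[segs.index("01"):]  # /AI/value/AI/value...
    if len(pairs) % 2:
        raise ValueError("AI without a value")
    out = {"host": parts.hostname}  # caller compares this to its allowlist
    for ai, value in zip(pairs[0::2], pairs[1::2]):
        if ai not in PATH_AIS:
            raise ValueError(f"unhandled AI {ai}")
        out[PATH_AIS[ai]] = value
    if not gtin_check_ok(out["gtin"]):
        raise ValueError("GTIN check digit mismatch")
    expiry = parse_qs(parts.query).get("17")  # AI 17 = expiry, YYMMDD
    if expiry:
        y, m, d = (int(expiry[0][i:i + 2]) for i in (0, 2, 4))
        out["expiry"] = date(2000 + y, m, d)  # assumes 20YY; day 00 not handled
    return out

# Constructed sample: GTIN chosen so the check digit validates; batch and
# expiry values are made up.
SAMPLE = "https://id.gs1.org/01/09506000134352/10/ABC123?17=271231"

if __name__ == "__main__":
    print(parse_digital_link(SAMPLE))
```

A POS system, a warehouse scanner and a consumer phone can all start from the same parsed fields and then decide what to show for their own context.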

Sunrise 2027 is GS1’s global initiative to transition from 1D to 2D codes and prepare industries for it. By 2027, point-of-sale systems are expected to be able to scan and process GS1-compliant 2D QR codes, even though 1D barcodes will continue to work during the transition period.

This shift is driven by the advantages that 2D codes bring. As mentioned earlier, they store more information than 1D barcodes. During the transition years, Sunrise 2027 expects manufacturers to use dual barcoding, that is, printing both the 1D barcode and the new 2D barcode on packaging. Retailers must upgrade their POS scanners to read 2D barcodes, and manufacturers must upgrade printing systems to ensure high-accuracy 2D code placement. The goal is to reach a strong level of readiness by 2027 so that 2D scanning becomes a normal part of global retail environments.

 

Where PCI DSS Fits In: When 2D QR Codes Are Part of Payments

Even though GS1 Digital Link and Sunrise 2027 focus primarily on product identity rather than payments, many organisations use QR codes for payment processes. This is where PCI DSS becomes relevant.

PCI DSS applies whenever cardholder data or sensitive authentication data is stored, processed, or transmitted. If any QR code carries such information, it automatically becomes part of the cardholder-data environment, which means PCI DSS controls apply to how the QR code is created, displayed, stored, and transmitted.

The impact of PCI DSS varies depending on the information the QR code contains, such as:

  • If the QR code directly encodes card data (such as full PAN, expiry date, or track data), it fully falls under the scope of PCI DSS.
  • If the QR code contains tokenised values, it may still fall in scope depending on whether the tokens can be reversed.
  • If the QR code contains only a URL directing the customer to a hosted payment page, the QR code itself is not the problem, but the linked payment page must be PCI DSS compliant.
  • If the QR code is static and contains only non-sensitive references, PCI DSS does not directly apply, although businesses should still protect such QR codes against tampering and redirection.
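The cases above can be turned into a pre-publication check on the QR payloads a business generates. This is an added example, not part of the original article: the outcome labels, the function name triage_qr_payload and the host pay.example.com are hypothetical, and the card number and track string are constructed test values.

```python
import re
from urllib.parse import urlsplit

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe layouts: Track 1 begins "%B<PAN>^", Track 2 is ";<PAN>=YYMM".
TRACK_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=\d{4}")

def triage_qr_payload(payload: str, payment_hosts: set) -> str:
    """Map a decoded QR payload to one of the cases listed above."""
    if TRACK_RE.search(payload):
        return "CHD_IN_PAYLOAD"  # track data: fully in PCI DSS scope
    for m in PAN_RE.finditer(payload):
        # A Luhn-valid digit run is a candidate PAN; other identifiers can
        # pass by chance, so a hit means "review", not proof.
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "CHD_IN_PAYLOAD"
    parts = urlsplit(payload.strip())
    if parts.scheme in ("http", "https") and parts.hostname:
        if parts.hostname in payment_hosts:
            return "PAYMENT_PAGE_URL"  # the linked page must be compliant
        return "OTHER_URL"  # protect against tampering and redirection
    # Tokens and plain references look alike as bytes; whether a token can
    # be reversed has to be answered by the token service, not by a regex.
    return "OPAQUE_REFERENCE"

if __name__ == "__main__":
    hosts = {"pay.example.com"}  # hypothetical hosted payment page
    for p in ("4111 1111 1111 1111",
              ";4111111111111111=30121010000000000000?",
              "https://pay.example.com/checkout?order=8841",
              "ORDER-REF-7731"):
        print(triage_qr_payload(p, hosts), "<-", p)
```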

 

Conclusion

The shift to 2D QR codes supported by the GS1 Digital Link standard marks one of the most significant changes in product identification. With Sunrise 2027, brands and retailers are preparing for a future where packaging connects to digital ecosystems with better transparency, traceability, and consumer engagement. At the same time, organisations using QR codes in payment processes must understand how PCI DSS applies to them based on the data processed through the QR code.

As the adoption of QR codes grows across various industries, ensuring compliance and consumer trust becomes even more important. 2D codes are more than just updated barcodes; they form a smarter and more connected retail landscape.

If you would like to get in touch with us to discuss how we can support your cybersecurity needs, please reach out to us: hello@onecybervalley.com

By 1 Cyber Valley | December 10th, 2025 | Harshita Yadav
