New Delhi: India’s upgraded PAN 2.0 system is facing scrutiny after independent analysts reported that the QR code on the new PAN cards may be readable through common QR tools, contrary to government claims.
Government agencies say the encrypted QR code is accessible only through an authorised “PAN QR Reader” app, but cybersecurity researchers argue that the data embedded in the code is already being decoded by third-party software.
The PAN 2.0 upgrade, approved by the Union Cabinet, aims to strengthen identity verification by embedding encrypted personal data such as the cardholder’s name, date of birth, photo and signature. Authorities have positioned the QR element as an added security layer intended to reduce tampering and fraud. Existing PAN cards remain valid, and the new format was presented as a more secure alternative.
However, researchers note that if the QR code is not protected with robust encryption, any capable QR reader can extract its contents. Early assessments suggest that the data may be stored in a format that can be decoded by widely available tools, raising concerns that fraudsters could access personal information without the official scanner. Analysts warn this could enable identity theft or bulk data harvesting, particularly in offline settings where cards are frequently shown for verification.
The divergence between official assurances and technical observations has prompted questions about the strength of the encryption used and whether the “official-app-only” claim is realistic. Cybersecurity experts argue that overstating the exclusivity of the scanner may give users misplaced confidence in the system’s security.
For now, users are advised to treat the PAN QR code with caution, avoid allowing unknown apps to scan it and stay alert to advisories from tax authorities. The emerging concerns may push regulators to re-evaluate the encryption standards and the type of information stored in the code to prevent misuse.
Discussion about this post