I doesn't look very secure to me. What is stopping someone from having software installed on their device logging QR codes and passwords? It would be far better if it required to approve payment on your mobile device. To not rely on notoriously insecure public wifi, mobile data or to not give away your phone number (SMS confirmation), phones could communicate via NFC or app on customer phone could generate for that particular payment unique QR code which would serve as 1 time only pin code for that transaction.