How can Labs and Testing organisations implement and integrate NABL Mandate on QR Codes ?

  • Rajesh Soundararajan
  • Aug 17, 2021
  • 6 min read
How can Labs and Testing organisations implement and integrate NABL Mandate on QR Codes ?

Questions to ask and Checklist to follow

Tampered and fake test reports are a global predicament. The problem of fake reports has been seen from Cyprus to Bangladesh, and governments are struggling to integrate document security into test and lab reports.

India’s national accreditation body, National Accreditation Board for Testing and Calibration Laboratories (NABL), has issued notifications that test reports must carry QR codes that can be scanned with a QR scanning application on mobile and other devices. The proposal would prevent the manipulation of documents and test reports.

Reasons to adopt document security for laboratory certificates

  1. Ensure that certificates issued are tamper-proof to be used for the purposes desired with complete trust. This is in the interest of the end-user, customer, and other stakeholders, including authorities, government agencies, etc.

  2. Not only does this security help in smooth processing, but it also helps to maintain & protect the reputation of the laboratory.

How are Secure QR Codes different from ’normal’ QR codes?

  1. Offers blockchain-like security at a fraction of its cost, greater flexibility, and simplicity.

  2. Offline verification for air-gapped environments or where data connectivity is non-existent or unstable.

  3. Offers seamless embedded security compared to URL based QR codes (which are prone to QR phishing) and hence maintains the integrity of your information without the need for database connectivity.

  4. Ability to revoke/ update the document by the authorised issuer.

  5. Affordable Integration with existing LIS or other document production systems for both on-premise or cloud deployment.

  6. Digital-Physical Certificates without loss of security.

Unless the QR code is made secure at the source, bad actors will take advantage of its simplicity and lack of security in their malicious intent to either create fake documents or tamper them by replacing with their own ’new QR code’ which would defeat the very purpose of preventing manipulation of such documents.

Let us look at some key questions to be answered and factors to be considered when making a decision on incorporating QR codes for such reports and certificates.

Four Questions to consider before implementation

There are four questions to ask yourself before you venture into implementing QR codes for document security and verification in such a scenario.

  1. Verified By Authorised Apps Vs. Any Generic QR Code Reader

  2. Offline Vs. Online Verification

  3. Cloud Vs. On-Premise

  4. All Reports Vs. Specific Reports

Lets look at each of these in some detail

  1. Verified By Authorised Apps Vs. Any Generic QR Code Reader

Universal scanning (by generic QR readers) for all its advantages has one significant disadvantage - the inability to build security in such QR codes. This may lead to QR phishing posing. Moreover, many of these generic readers capture very sensitive personal data about the user, which is a privacy and security risk.

Scanning with authorised apps delivers remarkably high security, while maintaining the privacy and security. Such an implementation also prevents QR phishing, which is rampant today.

Our recommendation: Go for authorised apps to scan to deliver decentralised verification while providing the highest level of security for your document

  1. Offline Vs. Online Verification

The secure QR code technology works offline (through a self-contained code called PDC or primary data code at Qryptal) and online (through extended data codes or EDC). Offline PDC modes work well with laboratory test reports since these reports contain only textual information and are typically valid for a short duration. Hence, they may not need to be revoked or modified, which is a feature that EDC codes can handle. But is usually not required for this

PDC codes work in air-gapped environments, for example, at immigration and border control. The verifier does not need to be connected online to check the document’s authenticity. Thus, such an implementation reduces the burden on your validation server. Moreover, the information is directly available on the document itself in both physical and digital format.

Our recommendation: Offline validation with total security and privacy and which can work even in air-gapped environments unless there is specific requirements which need EDC code.

  1. Cloud Vs. On-Premise

If ease and speed of implementation with the ability to scale up and down is required, cloud implementation is the go-to option. You would save on complexity of managing infrastructure, saving upfront investment in hardware & other costs, and IT personnel and support.

However, you could do on-premises deployment and optimise your infrastructure if you already have a well established IT infrastructure and personnel to manage new systems such as QR code generation and integration.

Our recommendation: Cloud implementations help you start small and scale-up.

  1. All Reports Vs. Specific types of Reports

With constantly changing needs of the industry and the rising cases of fraudulent documents, the verifiers may randomly look to crosscheck multiple documents and ensure authenticity. If all your reports don’t carry the QR code, there is a good chance that some unscrupulous person can take the non QR coded report & modify it to dupe the authorities. Once it is known that all your test and lab reports carry your QR (and a secure QR preferably), it is easy for the authorities to verify the authenticity. Hence it is prudent to ensure Secure QR codes across all the documents you generate, rather than limit yourself to specific categories of reports.

Our recommendation: Have secure QR on all reports and certificates instead of being selective.

Implementation Choices

A Sample checklist to consider before implementation of QR Codes

Integrating Document Security into Covid Test Reports?

There are a few integration options available

  1. The first way is API integration with your Laboratory Information System (LIS). This is the most desirable and easy method. You can generate a QR code and then add it to the reports programmatically. You will require a developer to integrate the API with LIS. Reports are generated as before but will carry the Secure QR code, which can be scanned to validate on demand.

If LIS integration via the API method is not possible then the alternative is to go in for Manual /batch method and there are several options under this

  1. QR Only integration where the critical data is manually typed or uploaded via CSV file (spreadsheet).

  2. PDF generation is another method where you only supply the data and a finished PDF is generated. For example, the Qryptal QR system will create the full PDF based on a pre-agreed template. Please note that this is a cloud-only service that we offer.

  3. PDF Stamping is an option when you want a secure QR added to an existing PDF/ PCL report. This just “stamps” the current report with the necessary details and the full report itself captured in a secure QR. Then, when you scan the QR, you can see the report.

  4. Data Extraction from an existing PDF or PCL or batch of zipped PDFs. Upload the PDF/PCL or even a batch of zipped PDFs. Our systems will parse the files and extract the data, which is then captured in a secure QR code and made a part of the PDF report.

Options for Integration

Summary of the integration options to incorporate Secure QR Code for Test & Lab reports

Sample Lab Report

Sample Lab Report with Secure QR Code


You may also be interested in -



Suggested further reading

Why NABL Mandated QR Codes for Document Security

Why NABL Mandated QR Codes for Document Security

  • Jul 27, 2021
  • 6 min read

When National Accreditation Board For Testing And Calibration Laboratories (NABL) issued a notification on consecutive days on May 18 and May 19, first for test reports and calibration certificates and then for Medical lab reports to carry QR codes, it shouldn’t have come as a surprise to those who have been following the document security space.

Continue Reading
Hybrids in QR Code – a reality with HDC

Hybrids in QR Code – a reality with HDC

  • Jul 20, 2021
  • 3 min read

In our last article, Solved: Ability to include Photographs in Secure PDC QR codes, we spoke about how the PDC vs EDC debate takes a new turn with the ability to include photographs. We also touched upon how PDC or Primary Data Code is a self-contained QR code with textual data and can be verified offline. We mentioned how EDC or Extended Data Code is used for images and files. Since these are larger, they are not stored inside the QR code but stored as encrypted blobs in storage (like AWS S3 or Azure Blob Storage) and fetched and decrypted using the key in the QR code. Hence there is a need for network/data connectivity to make EDC codes work.

Continue Reading