"QR code is unsafe, and like URL shorteners a great way to lead to malware."
AIUI this system reverses the normal QR situation. The customer, via the phone, presents the QR code to the store. The customer is not at risk of a malicious code and, if the till software is in any way sane, it's not going to interpret the code as a URL. If the code doesn't make sense within the requirements of the payment system it's just going to decline the transaction.
What's not clear in all this is how the system guards against fake codes. I take it there must be some dynamic element in generating the code.