Even seeing the domain name doesn't solve the fundamental trust problem. A malicious actor could post a fake QR code or fake short URL leading to "city-parking-secure.com" or similar legitimate-looking domain.
The real solution is establishing a trusted channel - citizens need to know they should only pay for municipal parking through their city's official domain (e.g., sf.gov/parking). But this isn't possible when it's some random parking company. I don't see a great solution.
That could help, as `.gov` can only be registered by the US government. But... a lot of the millennial and gen X generation have misguided beliefs about the trustworthiness of TLDs. Such as thinking `.com` is more trustworthy than `.net` under the assumption that it can only be registered by a real company.
I'm convinced the only responsible solutions are chip-only payment processors and conventional coin machines, as pricey as they are.
The real solution is establishing a trusted channel - citizens need to know they should only pay for municipal parking through their city's official domain (e.g., sf.gov/parking). But this isn't possible when it's some random parking company. I don't see a great solution.