EUDIW-4-Payments - Architecture proposal

[cyberphone]

The following is a high-level description of a tentative architecture for an EUDI Wallet intended for payment authorizations in retail (C2B) scenarios. The core idea is supporting multiple account based payment systems through the use of a UNIVERSAL authorization method. The latter makes the wallet comparatively simple. The picture below shows the gist of this proposal:

The wallet is effectively a conceptual extension of EMV, which is currently the only payment authorization scheme enjoying standards status. Features at a glance:

🔸 UX comparable to Apple Pay.
🔸 For privacy reasons user-specific authorization data is encrypted. This also removes the need for a Tokenization Service Provider (TSP).
🔸 Intended to work with any account-based payment system.
🔸 Intended to work equally well online as in a store.
🔸 Receipt option.
🔸 Account balance option.
🔸 Built-in support for authorization of non-direct payments.

For those who are interested in more detailed information, a peek into https://cyberphone.github.io/wallet-core/doc/ is recommended. Note that this scheme predates the ARF by at least 5 years. However, the conversion from JSON to Deterministically Encoded CBOR is quite recent.

Encryption
An interesting (and entirely unexpected) side-effect of encrypting authorizations is that only the encryption solution needs to keep up with advances in cryptography like PQC, here assuming that at least the issuing bank can be trusted for not trying to screw their own customers... Due to a lookup mechanism (required for not becoming stuck with the same encryption key forever), crypto agility can be accomplished without requiring any actions on behalf of the user.
https://cyberphone.github.io/doc/defensive-publications/partial-encryption-full-signature.pdf

[cyberphone]

However, this is not enough; whatever wallet scheme we end-up with, a Person-to-Person (P2P) payment scheme must also be part of the plot in order to be competitive with existing mobile payment systems, including the recently launched Wero wallet (https://epicompany.eu/).

[david-bakker]

Hi @cyberphone, thanks for your contribution and apologies for not answering sooner.

Please have a look at the discussion of Secure Customer Authentication / Secure User Authentication in ARF 2.3.0, more specifically in Section 2.6.4 of the ARF main document and in Topic 20 of Annex 2. Please raise a new issue if you have a comment on the concepts developed there.

[cyberphone]

@david-bakker Since nobody has been assigned by the European Commission or the OpenID Foundation (who creates most of the standards underpinning the ARF), to deal specifically with the EUDIW-4-Payment solution, we are probably talking about Y2030. That is, if there still exists an opportunity.

SCA and PayByBank is already implemented by EU banks so they are highly unlikely to bother with new solutions unless they provide major improvements. However, since there is no [known] product management, we can only guess what a potential EUDIW-4-Payment solution will look like.

I can't imagine that 200 parties making the https://www.webuildconsortium.eu/ could possibly come up with something useful.

@danielfett @paolo-de-rosa

[jtalir]

As part of https://eudiwalletconsortium.org/ there was a lot of work already done and 4 months ago there was even first real live payment using this technology
https://www.linkedin.com/posts/eu-digital-identity-wallet-consortium-ewc_payment-eudiwallet-digitalidentities-activity-7305252864224866304-8mtp/