Safely enabling credit/debit card payments on blockchains using Verified Credentials
Combining payment card infrastructure with blockchains has many challenges, the 3 biggest being information security, payment speed, and reversibility/revocability of transaction authorization.
All payment cards use an international standard called ISO-8583. Unfortunately, we can't just use this standard with the blockchain as it has plain text, unencrypted payment card numbers, cvvs, and all of a user's sensitive financial details and so it can't be used on permanent, permissionless, open blockchains.
Payment cards need real time processing speeds so users can swipe, get the transaction authorized and go on with their day. A standard interaction with a smart contract isn't feasible as that requires a long process that takes dozens of seconds to multiple minutes in some cases to be confirmed. Credit card transaction processing speeds are on the order of seconds, and using an off-chain VC issuance process allows us to offer comparable speeds to TradFi rails (a few seconds for authorization).
Finally, payment card transactions are required to have a dispute process to resolve fraud, chargebacks, and many other events requiring both the revocation or even reversal of a transaction's authorization.
Zero-knowledge proof powered verified credentials allow us to solve all 3 of these major challenges. These credentials can be generated off chain which allows us to offer near real time authorization of transactions. Furthermore, the verified credentials only contain insensative financial details information, but still allow a merchant to prove that there was a valid transaction and execute a transfer during their nightly settlement process. Finally, an issuer can revoke a verified credential or even generate a reversal if need be allowing the issuer to mediate in a dispute, and take the necessary action.
In this Proof of concept, a merchant is granted a verified credential that entitles them to a payment from the card holder. This is secured by a verified credential that can be used to conduct a transaction on-chain, moving assets from the cardholder's digital account to the merchant's account.
These benefits will hopefully allow us to integrate the ubiquitous payment card infrastructure and technology with on-chain digital assets, thereby dramatically reducing the complexity required to spend digital assets.
While the use case illustrated here is merchant payments, having verified credentials for transactions allows a wide variety of use cases, as an example, industry associations can set up a rewards program for users that only requires them to submit their transaction VC. This would be much easier than managing logins and rewards programs at each individual industry member. There are a wide variety of use cases when users can provably demonstrate their purchases, and since it requires the user to present the VC which is stored off-chain in their wallet, there is an element of privacy and anonymity as users can simply opt out by not opting to share their verified credentials. This is in contrast to standard smart contract transactions where every action is on-chain and therefore has a clear cryptographic trail.
There are several technologies used here with a heavy reliance on verified credentials. While ISO-8583 is irrelevant to the the blockchain component as it is too insecure for on-chain use, it is an incredibly important technology to understand in order to seamlessly connect payment cards to blockchain infrastructure.
On the blockchain side, we used Polygon's digital ID. Though, this is a nearly fully custom implementation with it's own issuer node, custom credential schema, and a novel use case of individual transaction authorization instead of as a proof of identity. In order to demonstrate this technology, we used a very basic website and manually stepped through the process with cURL commands. In an actual implementation that would all be completely automated. Humans wouldn't be in the loop at all, verified credentials would simply be automatically generated and stored in wallets, and then their balances and transfers executed automatically as part of the merchant's nightly settlement process. This would just be a part of the existing nightly settlement process for merchants that already has to occur even for traditional payment card flows.
Verified credentials conform to a standard set by W3C, and are in a JSON-LD format. While not trivial, Polygon ID made it possible to implement VCs given the extremely short timeline of this hackathon and the fact that I am hacking solo.
The way this works is the ISO8583 package hits the card issuer, coming through the standard TradFI rails. This ISO-8583 message can't be put on any blockchain as it has plaintext card details. This project uses a VC to manage that process.
As soon as the ISO8583 message posts, we use a custom verified credential to confirm a transaction authorization and transmit that verified credential back to the merchants wallet. The card issuer confirms there is enough balance in the user's on-chain assets and with already issued but pre-settlement verified credentials.
At night, the merchant will use this verified credential in their nightly batched process to conduct a transaction on the smart contract that transfers the balances they are owed from the user's digital accounts to the merchants.
While this demo is extremely manual, that is only for the sake of the hackathon so users and judges can see the individual steps. In production, NONE of this would ever be surfaced to users or merchants. It would work as seamlessly as a credit card transaction does today, users simply tap their card and walk away once the transaction is authorized and the merchant receives their payment through a nightly batch process exactly as they do today. In fact, a nightly batch and settlement process might even be faster than merchants are typically used to depending on their payment processor.