NEW
Report & API Now Live! Data insights report and open data API endpoints live as of September 23, 2025

EWC RFC007: Payment Wallet Attestation

type
Standard
Documentation

Description

Description
Source

Payment Wallet Attestation is a technical specification developed by the EWC Payment Taskforce that enables secure payment authentication for EUDI Wallets (European Digital Identity Wallets). The standard defines how a user's digital wallet can be registered with their Payment Service Provider (PSP) to perform Strong Customer Authentication (SCA) for online payments, as required by PSD2 regulations and eIDAS2.

The specification supports both wallet-initiated and PSP-initiated flows, allowing flexible integration paths while maintaining high security standards. A key feature is the ability to bind payment credentials to specific devices (like mobile phones or security tokens) through device-bound keys, enhancing security by providing a possession factor for authentication.

The standard implements a comprehensive credential issuance process using the OpenID Connect protocol family, specifically leveraging OpenID4VC (OpenID for Verifiable Credentials) specifications. It supports multiple funding sources including:

  • Bank accounts (using IBAN and BIC)
  • Payment cards (using PAN and IIN)
  • Generic payment methods

Key technical components:

  • Credential Format: Uses JSON format with standardized claims
  • Authentication Flow: Supports both pre-authorized code and authorization code flows
  • Cryptographic Binding: Requires cnf (confirmation) claims for holder binding
  • Presentation Protocol: Optional verifiable presentation support for additional authentication

Purpose and Scope:

  • Enable secure registration of EUDI Wallets with PSPs
  • Provide standardized payment attestation credentials
  • Support PSD2 compliance for Strong Customer Authentication
  • Enable interoperability between wallets and payment providers

Technical Specifications:

  • Uses OpenID4VC protocols for credential issuance
  • Implements JWT-based verifiable credentials
  • Requires PaymentWalletAttestation credential type
  • Supports multiple funding source types through structured attributes

Implementation Requirements:

  1. Wallet must support Individual Wallet Attestation
  2. Must implement device-bound key capabilities
  3. Must be certified by an accredited body
  4. Must support standard credential formats and protocols

Security Considerations:

  • Mandatory cryptographic binding to device keys
  • Support for presentation-based authentication
  • Credential expiration management
  • Sensitive data protection (e.g., masked PANs)

Interoperability Features:

  • Standardized credential format
  • Support for multiple payment schemes
  • Cross-device workflow capabilities
  • Common discovery mechanisms

Current Adoption Status:

Being implemented as part of the EWC Large Scale Pilot with participation from major financial institutions and wallet providers across Europe, including Visa, Worldline, and various national banks.

Statistics

Projects Following
Source
0

Under Management at

Projects Following or working on this Standard

If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page