YinkoShield

principles · the opinions encoded in the spec

Six design decisions. Stated explicitly because they were not free.

These are the architectural trade-offs we have debated, tested in production, and held. They explain why the substrate looks the way it does — and what we declined to build.

the decisions, in detail
  1. Evidence without enforcement

     We supply evidence. The operator owns all policy.

     is: evidence supplier
     is not: policy decider

     The same evidence record is consumed by a gateway, an issuer, a dispute platform, and a forensic investigator — each applying their own thresholds, their own rules.

  2. What, not how

     The format describes what is observed, not how it is acquired.

     is: observed signal in the spec
     is not: detection mechanism in the spec

     Detection mechanisms — accessibility-service abuse, overlay, hooking — stay in the runtime. The consuming system sees a signed signal, not a mechanism.

  3. Additive, not disruptive

     EEI introduces a new evidence channel. It does not modify existing message formats.

     is: new evidence channel
     is not: modification of existing formats

     A backend that does not yet consume evidence ignores it without impact. Adoption is incremental.

  4. Scheme-agnostic by design

     No scheme-specific fields appear in the format.

     is: portable across schemes
     is not: scheme-specific

     The same token operates across schemes, geographies, and platforms. The spec documents ISO 8583 embedding via the `0xF0` BER-TLV envelope — chosen because it does not conflict with defined Mastercard or Visa subelement ranges — plus three integration profiles: `iso8583-de48-minimal` (card rails, tight DE 48 budget), `mobile-wallet-retail` (richer Standard Profile when bandwidth allows), `agent-assisted-channel` (distinct events for customer vs agent). Scheme-portable by design, not by distance.

  5. Offline-first

     Evidence generation does not require connectivity.

     is: local-first ledger
     is not: connectivity-dependent

     The Local Evidence Ledger accumulates coherent records during partition. The ledger is the primary evidence store, not a cache.

  6. Privacy by design

     No customer PII in evidence. Operator owns the data lifecycle end-to-end.

     is: pseudonymous device identity
     is not: customer PII

     Device identifiers are pseudonymous. Network identity signals detect continuity changes without raw SIM or network identifiers. The ledger never leaves the device without an explicit operator-initiated request.
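The DE 48 embedding named under principle 04, and the "ignores it without impact" behaviour promised under principle 03, as an added example (not YinkoShield's or the spec's own code): a minimal BER-TLV encoder and parser that appends the `0xF0` envelope after existing subelements, a legacy consumer that skips the tag it does not know, and an evidence-aware consumer that opens it. The child tags `0xC2`/`0xC3`, the legacy tag `0xC1`, and the single-byte-tag restriction are assumptions for illustration, not fields of the spec.

```python
EVIDENCE_ENVELOPE_TAG = 0xF0  # the envelope tag the spec names; constructed (bit 6 set), so it nests child TLVs
def encode_length(n: int) -> bytes:
    """BER definite-form length: one byte below 0x80, else 0x80|N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_tlv(tag: int, value: bytes) -> bytes:
    """Single-byte tags only; enough for 0xF0 and the placeholder child tags used here."""
    return bytes([tag]) + encode_length(len(value)) + value

def parse_tlvs(buf: bytes) -> list:
    """Walk a run of BER-TLVs into (tag, value) pairs, rejecting truncation instead of guessing."""
    out, i = [], 0
    while i < len(buf):
        tag, i = buf[i], i + 1
        if tag & 0x1F == 0x1F or i >= len(buf):
            raise ValueError("multi-byte tag or truncated length")
        first, i = buf[i], i + 1
        length = first
        if first & 0x80:  # long form: low 7 bits give the number of length bytes that follow
            nbytes = first & 0x7F
            if nbytes == 0 or i + nbytes > len(buf):
                raise ValueError("bad long-form length")
            length, i = int.from_bytes(buf[i:i + nbytes], "big"), i + nbytes
        if i + length > len(buf):
            raise ValueError("truncated value")
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def build_de48(existing_subelements: bytes, evidence_children: list) -> bytes:
    """Additive embedding: the 0xF0 envelope is appended after whatever DE 48 already carried."""
    inner = b"".join(encode_tlv(t, v) for t, v in evidence_children)
    return existing_subelements + encode_tlv(EVIDENCE_ENVELOPE_TAG, inner)

def legacy_consumer(de48: bytes, known_tags: set) -> dict:
    """A backend that predates the evidence channel keeps only the tags it knows; 0xF0 is skipped."""
    return {t: v for t, v in parse_tlvs(de48) if t in known_tags}

def evidence_consumer(de48: bytes) -> dict:
    """An evidence-aware backend locates the 0xF0 envelope and parses its children."""
    for t, v in parse_tlvs(de48):
        if t == EVIDENCE_ENVELOPE_TAG:
            return dict(parse_tlvs(v))
    return {}

# Constructed sample: placeholder legacy subelement 0xC1 plus two placeholder evidence children (not spec fields).
SAMPLE_DE48 = build_de48(encode_tlv(0xC1, b"\x01\x02"), [(0xC2, b"\x05"), (0xC3, b"\xaa\xbb")])
```

The parser fails closed on a truncated or malformed envelope rather than returning a partial record, which is the behaviour a consumer applying its own policy to signed evidence should expect.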

For as long as mobile devices have been payment endpoints, the execution interval between device action and network receipt has been the structural blind spot of payment infrastructure. The principles above are why our answer holds.