As digital payments continue to transform financial ecosystems, resilience and privacy remain key challenges. Resilience requires survivability in the face of unexpected failures for online as well as offline payments. Privacy issues concern individual anonymity to systemic risks stemming from untraceable transactions.

To propose a resilient and flexible architecture that supports both online and offline transactions it is crucial to understand the distinction between the underlying Layer-1 (L1) payment system and Layer-2 (L2) solutions. An L2 solution enhances the overall capabilities of the underlying L1 payment system, offering significant advantages in terms of scalability, resilience, and interoperability. A modular approach is suggested that respects the roles and responsibilities of payment networks, on the one hand, and payment applications, on the other. L2 offline wallets, used by end-users and for some use cases also for merchants, are integrated in payment applications, with mandatory isolated runtime execution environments to mitigate the risk of double spending. Software-based offline terminals, on the other hand, are integrated into the payment network to ensure resilience and load balancing for online payments and network-wide offline payment acceptance.

Crunchfish Digital Cash is a packed-switched layer-2 solution inspired by the design philosophies that was developed by the Defense Advanced Research Projects Agency (DARPA) in the 1970s and became the internet as we know it today. It is an incredible robust protocol based on packet-switching. Crunchfish Digital Cash is based on the same design principles and delivers resilience for digital applications in a similar packed-based way that the internet has done for digital communications.

A Groundbreaking Approach to Payments

Survivability in the Face of Failure in Online Payment Systems

The unprecedented scale of online payments demands new design thinking and approaches that can handle both high transaction volumes and potential system failure scenarios. Resilience means the ability to withstand unexpected failures — be it network outages, infrastructure attacks, or server congestion — ensuring payment service availability under all conditions. Offline wallets and terminals, absent in most online systems, provides the modular functionality that is vital for ensuring survivability in the face of failure in L1 online payment systems.

A packet-switched payment architecture, applied as a L2 solution, introduces a groundbreaking approach to resilience. Transactions are encoded as independent packets of value that move through networks and in wallet-to-wallet or wallet-to-terminal connections. Each packet includes information about the payment (amount, payer, payee, metadata) and is validated cryptographically, ensuring integrity and authenticity even when connection to the underlying L1 payment or settlement service is temporarily unavailable for whatever reason.

It is important to note that online payments will continue to dominate digital transactions. However, an L2 packet-switched architectures with offline modules offers a solution to mitigate inherent vulnerabilities in traditional L1 online systems. An L2 packet may be validated and batched by a payee offline, but also by any backend server before settlement if the L1 payment rail is temporarily not available. This provides resilience, but also load balancing, as congestion can be avoided by batched processing during online-shopping peaks or large-scale bill payments.

A Layered Approach to Payments

The Underlying L1 Payment System

The L1 payment system refer to the foundational payment infrastructure where transactions are processed directly on the main blockchain or payment network. This is the  core system provided by a payment network that typically supports online payment processing methods. Wallets and transactions are intrinsically linked to a central ledger and authority.

The key characteristics of a L1 payment systems are:

– Centralized Control: Each transaction typically requires direct validation by a central entity or network.

– Direct Payment Processing: L1 wallets and terminals facilitate immediate transactions but generally require robust internet connectivity to authorize and settle payments.

– Limitations: Due to the reliance on centralized processing, L1 payment systems can encounter challenges in scalability, speed, and resilience during peak loads or system outages.

The Augmenting L2 Solution

An L2 solution is built on top of the underlying L1 payment system with the purpose to enhance transaction speed, scalability, and interoperability by enabling off-chain processing while still achieving settlement on the underlying L1. Crunchfish core technology is a L2 solution, which combines the benefits of offline functionality with added resilience for online transactions.

The key characteristics or the augmenting L2 solution are:

– Isolation and Flexibility: L2 offline wallets create packet-switched payments from a secure and isolated runtime execution environment locally on a mobile device or card, allowing off-chain processes to occur, separating the logic of authentication from settlement, without affecting the underlying and often centralized L1 payment solution.

– Service Availability: The architecture permits offline capabilities, meaning transactions can be made without relying solely on constant connectivity, addressing service availability issues in various environments.

– Enhanced Scalability: The augmenting L2 solution is able to handle much higher transaction volumes compared to the L1 payment solutions, thanks to the distributed processing of packet-switched payments from L2 offline wallets.

A Modular Approach to Payments

 Offline Wallets in Payment Applications

L2 offline wallets provides resilience of online payments, even when data connectivity is available. With trust established in the L2 offline wallet, the L1 backend servers can receive and validate the payment intent in the backend for further processing and allow settlement to occur whenever backend servers are operational. This capability ensures that end-user transactions are reliably captured and processed, mitigating risks associated with unexpected L1 backend server failures.

Incorporating Offline Terminals into the L1 Common Library

The L1 payment network provides a Common Library (CL) to enable payment applications with the ability to pay online on the payment rail. By incorporating a software-based offline terminal in the L1 CL enables all end-users who can pay online with the additional ability to receive offline payments. This enhancement in the L1 CL solves the acquiring side for L2 offline payment network-wide and ensures a seamless transaction experience, bridging the gap between online and offline functionalities, providing added reslience and convenience for end-users and merchants .

The benefits of incorporating an offline terminal into the L1 CL are:

– Universal Accessibility: An immediate ability to receive offline payments widely in the payment ecosystem. End-users and merchants a like can accept offline payments without facing additional infrastructural challenges.

– Enhanced Customer Experience: End-users enjoy the flexibility of transacting seamlessly in multiple ways, whether online or offline, fostering broader adoption of the payment system.

– Extended Reach: Particularly beneficial in environments with limited internet access, enabling person-to-person payments and ensures that merchants can reliably serve their customers.

L2 Offline Wallet Payments in L1 Payment Networks

The interaction between the underlying L1 payment system and the augmenting L2 solution form the crux of many modern payment systems, particularly in contexts that require enhanced efficiency and resilience. This is a generic transaction flow where the packed-switched payments are initiated by an L2 offline wallet, transported in the L2 network, and later validated and processed in the underlying L1 payment network.

The process is essentially following the below steps:

Implementation Requirements for L2 Offline Wallets

The L2 payment packet may be seen as an issuer guaranteed Digital IOUs. A cryptographically signed transaction packet that may use for online as well as offline payments as they can be stored securely by any node until L1 settlement occurs online. Digital IOUs enable offline transactions to function as smart contracts that can be validated by L1 or L2 offline terminals, L2 offline wallets. and by an offline backend.

To mitigate many attack vectors that may cause double spending an L2 offline wallet must operate within an isolated runtime execution environment. This ensures:

• Protection of Sensitive Execution: Distributed trust in clients operating in mandatory isolated runtime execution environments ensures data integrity in operations on transaction metadata, balances, risk rules, cryptographic keys, and Digital IOUs.
• Rollback Attack Prevention: Runtime isolation mitigates many attacks that attempt to manipulate offline wallet states (e.g., resetting balances or risk rules), but additional rollback prevention methods are necessary to ensure data integrity at rest.
• End-to-End Security: An isolated runtime is also key to securely sign L2 payment packets cryptographically to data integrity in transit. PKI ensures distributed validation even during offline states with no backend communication.

Please note as an additional groundbreaking feature Crunchfish Digital Cash offline wallet provides a certified digital identification system native within the payment application. This is an important feature for any payment system to avoid reliance on a centralized online e-ID system, and thereby a single-point of failure risk for the payment system.

Implementation Options for L2 Offline Wallets

Software-based virtual secure elements are the preferred implementation option for L2 offline wallets as the only secure and scalable option that enables distribution and upgrades of L2 offline wallets through AppStore ecosystems to ensure streamlined adoption. It provides secure runtime execution isolation and encryption of data at rest for L2 offline wallets, without requiring specialized hardware, making it ideal for mobile-first environments.

Payment application/service providers may embed L2 offline wallets directly into their mobile payment apps for seamless distribution among their user base. This approach ensures L2 offline wallet access for the entire user base, streamlining adoption, as well as customizable branding with reconciliation opportunity at the payment application level. Integration of L2 offline wallets in a payment application provider level requires backend integration with the provider to handle reconciliation and transaction verification.

L2 offline wallets may also be implemented in hardware-based secure elements as an optional alternative. It provides the isolated runtime execution by embedding L2 offline wallets in hardware secure elements such as SIM cards, embedded secure elements, or other hardware-based solutions. However, scaling the solution across the payment ecosystem is costly and very challenging as there is no available ecosystem to distribute and upgrade L2 offline wallets in hardware-based secure elements in a fragmented market with multiple mobile device models or mobile operators.

It is also possible to implement L2 offline wallets using the isolated runtime execution environment provided by a Trusted Execution Environment (TEE) in a mobile device, but this implementation options comes with similar hardware scalability challenges as stated above for hardware-based secure elements L2 offline wallets.

Provisioning third-party trusted applications to already-deployed mobile devices has long posed significant challenges for the industry—whether targeting Trusted Execution Environments (TEE), embedded Secure Elements (eSE), or SIM cards. Although mature technical standards such as those developed by GlobalPlatform exist to address secure provisioning and lifecycle management, device manufacturers have historically been reluctant to permit third-party applications within their TEE and eSE domains.

However, recent developments signal a potential shift. In 2024, Apple initiated support for select categories of third-party trusted applications within their eSE, marking a noteworthy policy change. In parallel, the GSMA’s Secure Application for Mobile (SAM) initiative presents a promising framework to enable provisioning of third-party applications to eSIMs on consumer devices. While these initiatives represent meaningful progress, their success ultimately depends on broad adoption and implementation by mobile device vendors.

In this evolving landscape, the L2 offline wallet that Crunchfish provides as a Trusted Application distinguishes itself through platform agnosticism — it is designed to operate across a wide range of isolated runtime execution environment, including virtual SE, TEE, eSE, classic smart cards, and eSIMs. Crunchfish Digital Cash L2 offline wallet has been implemented within a virtual SE as it is the only secure environment that brings ecosystem-wide scalability and device-agnostic deployment.

Offline Terminals in the L1 Payment Network and L2 POS terminals / mobile apps

Offline terminals are a key software-based component of the proposed modular architecture that provides universal acceptance of packet-switched L2 offline wallet payments if implemented as a core function in the L1 CL provided to payment service / application providers by the payment network. It acts as an universal receiver for L2 offline payments wherever the end-users can do L1 online payments and a conduit for resilient payments preparing transaction logs for L1 settlement. Offline terminals may also be implemented in other external L2 software- and hardware-based environments.

• Offline Terminals in L1 CL: Integrated as light-weight receivers embedded within L1 CL to enable payees and merchants to receive offline payments (L2 offline wallets-to-L1 offline terminals). This integration ensures that anyone that can pay online also can receive payments offline.
• Offline Terminals as L2 implementations: Integrated as light-weight receivers embedded within third-party merchant POS terminals and software-based mobile apps. (L2 offline wallets-to-L2 offline terminals)

The offline terminals may be compared to the role of card terminals in card networks. A critical component on the acquiring side able to accept L2 payments offline, temporarily store the packet-switched payment and then forward to the L1 network for settlement. An infrastructure of offline terminals provides the payment network with survivability in the face of failure. By embedding acceptance in the front-edge, payment systems become resilient, interoperable, and capable of universal reach.

Separating the modules of offline wallets and offline terminals is important as it respects the roles and responsibilities of payment networks and payment service providers in payment ecosystems, allowing for flexibility, scalability, and healthy competition:

– Payment Network Providers (e.g. CBDC implementations and commercial payment networks) set the specifications and offer an interoperable L1 offline terminal infrastructure, seamlessly embedded within payment rails to enable universal offline payment reception from third-party L2 offline wallets.

– Payment Service Providers (e.g. Banks and Third-Party Application Providers) innovate by integrating L2 offline wallets, empowering their end users to make offline payments. An open marketplace is fostered by allowing any third-party L2 offline wallet that follows the specifications set by the L1 payment network.

This modular approach provides fast roll-out to millions end-users of offline payment acceptance in L1 CL provided by the payment network and to also to L2 merchant POS terminals or mobile apps, whilst empowering issuers to offer differentiated L2 offline wallet solutions to their end users. 

A Packet-Switched Approach to Payments 

Any public good in the society like the internet, electricity or telecom must be carefully designed to continue working despite temporary outages of the service. It is hard to understand why digital payments, certainly also a public good, is not as robust as other public goods. Digital payments service must be as robust, inclusive and private as cash payment. Financial regulators should demand that payment networks must fulfil these design criteria to be allowed to operate in the country. Central Banks should take it upon themselves to establish these design goals before making any technology choices for their CBDC implementations, as they tend to limit or even work against to their own desired outcome.

DARPA developed the 1970s a suite of protocols for packet switched networking. These protocols, which include the Internet Protocol (IP) and the Transmission Control Protocol (TCP) are in wide use for commercial networking. Crunchfish Digital Cash L2 solution is inspired by the design philosophies developed by the Defense Advanced Research Projects Agency (DARPA) in the 1970s and became the internet as we know it today. It is an incredible robust protocol for digital communication based on packet switching. Crunchfish Digital Cash is based on the same design principles but applied to the higher-level application protocol. Just as digital communication was circuit-switched before the internet, payment applications only work when everything works and can therefore still be seen as circuit-switched, although the underlying communication is packet-switched.

Digital applications of today are typically designed using a client server network architecture. Although reliant on the very robust internet protocol, access to the digital service is nevertheless uncertain as the end user may not be able to get online access or experience lack of service available due to server failures. Crunchfish has a solution by offering a packet-switched approach with a trusted client using a patent pending Trusted Application Protocol (TAP) that is application and communication network agnostic. A packet-switched approach with TAP has a profound impact on client server applications as it provides trust in clients and batch processing regardless of payment application or communication network.

A Private Approach to Payments 

The shift to digital payments magnifies privacy concerns, as traditional systems often facilitate comprehensive tracking of user transactions. While privacy enhances consumer trust, full anonymity risks enabling financial crimes such as money laundering or fraud. Thus, privacy in payment systems must strike a balance between securing transaction privacy and ensuring system integrity and compliance. Reconciliation mechanisms in payment systems directly impact privacy. Two prominent approaches include:

System-Wide Reconciliation

In system-wide reconciliation, all transactions are aggregated and validated at the centralized L1 infrastructure. This method often requires full transparency to ensure the consistency and accuracy of the global ledger. However, this broad visibility exposes user transactional data to centralized authorities, which risks over-monitoring or breaches of personal privacy. Examples include most centralized real-time processing systems (e.g., RTP networks) and traditional online payment approaches. This comes with a major privacy downside as user behavior can be tracked comprehensively, allowing governments or institutions to monitor spending patterns — raising concerns about potential overreach.

Bank-Driven Reconciliation

Bank-driven reconciliation operates locally, allowing individual banks or trusted intermediaries to oversee transactional data rather than exposing details across the entire system. Packet-switched architectures, for example, validate payment packets cryptographically at the device level or within a payer’s bank infrastructure while maintaining only aggregate reconciliations and shielding the payer’s indentity in L1 transactions. This design prevents transaction metadata from being visible system-wide; instead, granular details stay within the payer’s financial institution. Crunchfish Digital Cash employs this bank-driven privacy model, which is similar to privacy in EMVCo card systems or mobile wallets adapted to individual banks.

While full anonymity (like cash) may seem desirable, it is not always practical or beneficial for modern financial systems due to a potential systemic risks. Untraceable transactions can support illicit activities, including tax evasion, money laundering, or terrorism financing. This undermines the financial system’s integrity and regulatory transparency. Central banks have resisted full anonymity for digital currencies due to these systemic risks, making traceable systems a more likely design evolution for CBDC implementations.

Rather than enforcing complete anonymity, bank-driven privacy allows for selective traceability and regulatory compliance. For example, small transactions (e.g., under $500) may be conducted anonymously offline, while larger transactions (e.g., cross-border payments) can trigger traceability protocols during reconciliation. This approach aligns with current payment services such as debit cards, where users trust banks with maintaining privacy while sharing essential data for fraud prevention and auditing.

Packet-switched architectures naturally facilitate configurable privacy. Small offline transactions remain private to the payer and payee, mimicking cash-like anonymity, wheras Larger offline or online payments transmit metadata for reconciliation in compliance with laws like AML (Anti-Money Laundering) or KYC (Know Your Customer).

A Detailed Payment System Comparison 

Detailed Analysis of Five Payment Systems

Multiple aspects of five payment systems, categorized by design, security and implementation, are analyzed in detail in the matrix below:

Ranking of System Design, Security and Implementation

The below ranking reinforces Crunchfish Digital Cash L2 solution as the most well-rounded, future-proof solution, excelling across solution design, security, and implementation. While legacy systems like EMVCo and RTP retain their relevance in online contexts, CBDCs and hybrid L2 implementations promise new possibilities, especially with added resilience and privacy configurability. Payment networks should prioritize hybrid architectures that blend online scalability with offline survivability to meet the demands of modern payment systems.

Overall Rankings:

1. Crunchfish Digital Cash L2 solution: Excels in all categories — solution design, security, and implementation — by providing a scalable, resilient, and cost-effective L2 hybrid architecture suitable for both online and offline payments.

2. CBDC L1 Systems: Strong in solution design and security but falters under implementation complexity and cost. Incorporating L2 hybridization with Crunchfish would greatly enhance CBDC performance.

3. EMVCo Bank Issued ICC Cards: Reliable for traditional transaction environments, yet constrained by limited configurability and high implementation costs in the evolving financial ecosystem.

4. EMVCo XPay (HCE): Performs moderately across all categories but lacks the scalability, resilience, and configurability needed for future-proof designs.

5. Real-Time Payment (RTP): Great for real-time transactional volumes in connected environments but lags in offline resilience, programmability, and advanced features necessary for hybrid ecosystems.

Analysis and Best Practice Ranking for Eight Key Design Objectives

Design Objectives	Definition	Analysis	Recommendation
Security	Assesses the strength of measures protecting payment solutions against fraud, unauthorized access, tampering, and data breaches. Includes encryption standards, runtime isolation, rollback protection, and quantum-safe mechanisms.	Security is paramount for safeguarding transactional data. Solutions like Crunchfish Digital Cash and CBDC solutions excel due to device isolated runtime execution environments and systemic quantum-safe cryptography. EMVCo ICC and XPay rely heavily on hardware like Secure Elements (SEs), which offer substantial protection but limit scalability and universality, while RTP systems struggle due to no support for offline use cases and resilience issues.	Crunchfish Digital Cash L2 solution and CBDC L1 systems
Scalability	Evaluates the ability of payment solutions to process increasing transaction volumes and expand infrastructure without performance degradation. Includes online and offline scalability.	Crunchfish Digital Cash leads scalability due to its L2 design, enabling offline transactions and asynchronous reconciliation for virtually infinite payment streams. RTP performs well for strictly online high-frequency payments. EMVCo (cards and XPay) and CBDCs have scalability issues when offline operability is required.	Crunchfish Digital Cash L2 solution
Resilience	Reflects the ability of payment systems to withstand systemic failures, including offline operability and continued functionality during network, power and server outages.	Only Crunchfish Digital Cash achieves very high resilience by its packet-switched architecture and allowing consecutive offline payment cycles, ensuring operability during systemic failures. CBDC solutions fare moderately well but typically depend heavily on centralized backend systems for reconciliation. Other solutions (RTP, XPay, and EMVCo ICC) suffer due to their reliance on online infrastructure.	Crunchfish Digital Cash L2 solution
Privacy	Examines how well the payment system protects users’ transactional data from exposure, ensuring anonymity or configurable privacy settings.	Crunchfish Digital Cash offers configurable privacy, balancing user anonymity for low-value payments with traceability for regulatory requirements. CBDC solutions may match this with privacy thresholds driven by central bank policies, but token/account-based designs need careful planning. Other systems have inherent traceability due to online network dependencies.	Crunchfish Digital Cash L2 solution and CBDC L1 system
Universality	Measures acceptance and compatibility across geographies, populations, and device types, including accessibility in low-tech or underbanked environments.	Universal acceptance across devices and environments makes Crunchfish Digital Cash a leader. Supporting multiple proximity methods (QR, BLE, NFC, ultrasound) ensures it adapts to diverse infrastructure. CBDC solutions could achieve similar universality but rely heavily on centralized policies and NFC proximity methods.	Crunchfish Digital Cash L2 solution
Interoperability	Refers to the solution’s ability to integrate across platforms, devices, and networks to ensure seamless cross-system compatibility.	Interoperability is critical for cross-network operation. Crunchfish Digital Cash excels due to its agnosticism to layer-1 infrastructure, while CBDCs struggle with domestic-only designs (though interoperability could improve with cross-border integration). The other payment system struggle also as being closed payment networks.	Crunchfish Digital Cash L2 solution
Seamlessness	Indicates how frictionless the interaction is between online and offline payment systems, balancing user experience and technical integration across hybrid contexts.	Systems integrating online and offline payments without friction—Crunchfish Digital Cash—achieve excellence. Other solutions fail to deliver seamless transitions, particularly in offline contexts.	Crunchfish Digital Cash L2 solution
Cost	Evaluates cost efficiency in terms of implementation complexity, hardware/software requirements, wallet/terminal and transactional  expenses, and operational scalability relative to each solution.	Cost efficiency is dominated by Crunchfish Digital Cash, which minimizes hardware/software dependencies while achieving scalability, privacy, and resilience. RTP and EMVCo XPay maintain medium costs, while cards (EMVCo ICC) and CBDCs suffer from much higher infrastructure expenses.	Crunchfish Digital Cash L2 solution

Concluding Design Recommendations

The groundbreaking approach: An L2 packet-switched architecture with offline wallets and terminals mitigates the inherent vulnerabilities in traditional L1 online payment systems. It provides resilience as well as load balancing as congestion can be avoided by batch processing during peak load.

The modular approach: Respect the roles and responsibilities of payment networks vs. payment service providers. Clearly separate the modules of offline wallets and offline terminals, allowing for flexibility, scalability, and healthy competition..

The layered approach: Augment L1 Payment Networks with L2 solutions.L2 solutions built on top of L1 infrastructures provides multiple key design objectives, such as resilience, privacy, scalability, and interoperability, by enabling off-chain processing while still achieving reconciliation and settlement on the underlying L1 payment system. Hybrid architectures, e.g. CBDC L1 systems augmented by Crunchfish Digital Cash L2 solution achieve maximum scalability, security, and offline resilience.

The packet-switched approach: Integrate packet-switched architectures for any payment network to ensure survivability in the face of failure, especially for high-volume online payment networks. Emphasize load-balancing mechanisms to distribute validation tasks across localized environments rather than overburdening centralized servers.

Adopt Bank-Driven Privacy Standards: Build financial systems with privacy managed locally, using banks or intermediaries to reconcile transactions. Layer granular privacy into payment protocols, ensuring offline payments provide anonymity while enabling traceability for systemic auditing.

Avoid Full Anonymity for Systemic Integrity: Design systems to offer selective anonymity, incorporating thresholds (e.g., smaller payments are private; larger payments trigger traceability).

Invest in Universality and Interoperability: Ensure payment solutions work across devices, proximity methods, geographies, and demographics as well as cross-systems, cross-networks, and also cross-borders.

Focus on Seamlessness: Provide hybrid payment interfaces that continue operations offline and automatically reconcile online later.

The future of digital payments hinges on balancing cost, resilience, and seamless integration, bridging traditional infrastructure gaps while gearing solutions for next-generation financial landscapes. This whitepaper has shown a viable way forward with a novel packet-switched architecture delivered by the modular Crunchfish Digital Cash L2 solution that can augment any payment network with multiple desired design objectives.