Frequently-Asked Questions

Q. What is Xiippy?

Answer:

Xiippy is world’s first and only privacy-preserving data-rich payments provider.

We provide in-store and online payment terminals/solutions PLUS online dashboards to merchants of all sizes with a big difference: All our payments are data-rich and come with extras for different parties.

Backed by 5 patents, Xiippy smartly and inventively makes it possible to establish a two-way completely-private end-to-end encrypted communication channel between merchants and their customers to send/receive private data seamlessly through payments without the need to exchange contact details.

Smart receipts (from merchants to shoppers), loyalty rewards numbers (from shoppers to merchants), catalogues, product recall notifications and COVID test recalls are all examples that Xiippy can add to and embed in a normal in-store or online payment seamlessly, all without such data being known to Xiippy or any other parties in the world!

Xiippy is a pioneer and is years ahead in data-rich payments and has successfully resolved all the barriers of adopting digital receipts at scale, i.e. retailer avoidance to share data, consumer privacy and standardisation (K. Fuchs et. al , 2019), thanks to end-to-end encryption and privacy preservation at both ends

Accordingly:

  • For Consumers
    Xiippy payments are 1-step payments that come with seamless no-upfront-app-needed no-personal-details-needed end-to-end encrypted receipts & rewards for ALL cards
  • For Merchants
    Xiippy payments come with growth-generating advanced analytics, engagement, rewards & marketing dashboards to reach out to and engage all paying customers without the need to collect personal details at the counter
  • For Franchises
    Xiippy payments come with all-of-chain marketing, reporting, and CRM dashboards plus instant settlement and collection of franchise fees as part of daily sales
  • For Acquirers:
    A limited number of elite acquiring partners get to take their payments to the next level via our unique methods of turning payments into data-rich payments to carry receipts and rewards seamlessly
  • For Card Issuers: A limited number of our elite card issuing partners can get to enable their consumer apps with privacy-preserving smart receipts and rewards
  • For POS developers:
    Our POS partners enjoy a revenue sharing model via our partners programs and get to enable their product offering to the next level via smart receipts, seamless 99.9% coverage of rewards programs for all payers, as well as privacy-preserving customer identification via payments

Q. Why does Xiippy exist?

Answer:

Xiippy addresses a range of problems all together which is why it exists:

  1. Extra data that should be part of payments are NOT part of payments due to consumer privacy issues and retailer avoidance to share such data.
  2. There is no way to embed data within payments since current protocols don't support such a concept
  3. Inclusion of tamper-resistant legal statements (e.g. invoices) within payments requires public key infrastructure, cryptography and extra heavy work
  4. Millions of trees are killed and turned into useless garbage via paper receipts
  5. Retailers have no easy way to know, reach out to and send data to their shoppers except by asking details at the counter or encouraging rewards membership which are normally avoided by customers
  6. In certain jurisdictions, it can be illegal to ask personal identification information at the counter in physical stores
  7. Franchises & merchants have no easy way for instant multi-party merchant accounts (e.g. for franchise fees collection)
  8. Retailers and consumers feel uncomfortable disclosing itemized sales/purchase data to 3rd parties for little gain, this being the biggest barrier against digital receipts and data-rich payments at scale (K. Fuchs et. al , 2019)
  9. In-store checkout experience is long and inconvenient (pay, scan, print receipt/provide email)
  10. Online checkout experience requires personal information data entry
  11. Consumers have 10s of rewards cards
  12. Consumers have no detailed insights on transactions and on where exactly they spend our money
  13. People want extra data as part of payments without having to install apps or extra actions like giving out personal details

Q: Who are Xiippy customers?

Answer:

Any merchant, at any size, physical or online, is a potential Xiippy customer. However, there are some special traits our clients possess who are mostly:

  • Progressive
  • Forward-looking
  • Committed to the social responsibility to save the environment
  • Aligned with their customers' high-order motives like respect to privacy and the environment
  • Eager to increase revenue and save operational costs
  • Aware of privacy legislations, implications and requirements of CDR, GDPR, CCPA and the like

Q. What is end-to-end encryption?

Answer:

End-to-end encryption (E2EE) is a paradigm with which data gets encrypted and decrypted at both ends of a data transfer transaction in such a way that it becomes impossible for the intermediary who transfers the data to know what the contents of the data are. This paradigm has been widely used (and popularized by) instant messaging products (e.g. WhatsApp and others).

For the first time in the world, Xiippy has invented systems and methods to use payments as an end-to-end encrypted data transfer tool to connect merchants and shoppers privately without the need to exchange details.

Q. Do I need to download an app to receive my receipts via Xiippy?

Answer:

Short Answer: NO

Xiippy also comes as a Progressive Web App that can run in almost all modern browsers on all mobile operating systems and provides a strong subset of the features of the Xiippy native apps, except for the fact that you do not have to download and install an app before being able to receive your receipts, if you use the Xiippy web app.

Importantly, the user on-boarding process of Xiippy is seamless and single-tap which means you only accept the terms and don't have to fill any forms. You may add details for account recovery at a later point. Your account details are saved securely, encrypted at rest, within your web browser. Your private purchase data is NOT saved on Xiippy infrastructure.

It is obvious that for end-to-end encryption to work, there has to be two ends. In this case, one end is the merchant's POS system and the other end is the shopper's personal device running at least a non-downloadable progressive web app.

We see a future where the possibility to receive private data as part of payment becoming a feature of the operating system on your phone via Xiippy's inventions but until that time, Xiippy;s own progressive and native apps will simply do enough!

Q. Does Xiippy track me via my card if it facilitates data transfer through it?

Answer:

Absolutely NOT.

In fact, the very fact that we have made tracking the data you receive and send via your card impossible even for ourselves is the whole innovative and inventive bit which makes Xiippy so good otherwise the concept of using your payment card to receive data should have existed years ago!

Key facts:

  • Your card details are not disclosed to Xiippy at all.
  • Xiippy maintains no knowledge of your card details, neither for in-store payments nor for online payments.
  • Instead of your card details, Xiippy uses a useless string (i.e. a card token) to generate a card fingerprint which it uses to route the data between entities.
  • Xiippy also uses smartly-designed cryptography functions and private keys - that Xiippy maintains no knowledge of - during the tokenization process to identify a customer to a merchant in a privacy-preserving fashion so that
    • The identifier remains the same in future transactions
    • The same card gets a different identifier for different merchant chains
    • Even if the data Xiippy maintains on its infrastructure are publicised, it will take years of power computing to be able to cross-check such identifiers and determine the same person was part of multiple transactions with different merchants.
      Note that acquirers and card issuers still DO track every move you make like before and in that sense, we are maintaining status quo even though we are adding a lot of data to payments. The important point is that with what Xiippy maintains from you on its infrastructure, one can not track your purchase history. 
      In any other form or shape of doing what Xiippy does to enrich payments with data, this data will end up getting disclosed to parties that don't own the data, requiring full trust. Xiippy solves the data transfer problem without creating a new problem of disclosing the data to unwanted unnecessary parties who don't own the data in a zero-trust setup. This is a materialisation of consumer data rights to the fullest levels.
  • All data transferred via Xiippy is end-to-end encrypted. This means the data gets encrypted before leaving a POS system and decrypted at end consumers' devices with keys unknown to the whole universe, except for the merchant and the shopper.

This is complex, new and innovative the like of which does not exist. Without solving the privacy issues which Xiippy has successfully managed to do, it would be impossible to enrich payments with data without disclosing that extra data to unwanted parties!

Q. What are the benefits of adopting Xiippy for our business as a payment solution?

Answer:

A lot actually, but briefly, grow your revenue and save costs without sharing any data!

WITH YOUR BUSINESS REMAINING YOURS, WITHOUT sharing itemized sales data or customer details with Xiippy or replacing existing loyalty systems or asking customer details at the counter OR integrating with tens of banking systems, Xiippy turns payments into an engagement and private data transfer mechanism.

  • Grow your business via increasing key business metrics like Customer Lifetime Value, Customer Retention and Average Transaction Value merely with data-rich payments
  • Save on merchant fees. We are almost guaranteed to beat your current pricing. A major client of ours is saving more than $2.5m/yr doing so!
  • Improve customer experience with a 1-step data-rich Xiippy checkout that includes smart receipts for ALL cards (not just a few banks) and rewards without requiring rewards cards or apps
  • Without the need to ask for customer details, which could be illegal and is almost always avoided by customers
    • Identify customers in a privacy-preserving fashion using Xiippy's patented customer identification scheme using payment cards
    • Make literally every payer of your business a member and subscriber of your deals and offers eliminating needs for registration and rewards cards
    • Get rid of rewards cards
    • Get rid of paper receipts, savng almost thousands of printing costs
  • Turn payment cards into an itemized data transfer and data collection mechanism while preserving privacy at both ends using end-to-end encryption

There is no product in the market that is even remotely close to what Xiippy is! What are you waiting for then?

Q. How long does it take to get to a Proof of Concept with Xiippy?

Answer:

Short answer: 2 weeks without requiring any upfront costs.

  • Xiippy's integration is a 300 line of code piece of work with your POS system.
  • We take on the costs of replacing your existing in-store terminals with our next-gen PCI-DSS certified payment terminals and also the integration work.
  • You can partially run the system alongside with your existing solutions.
  • There is no need to leave your current bank with whom you do your business banking.
  • Merchant settlement can still be driven to your existing bank accounts from our acquiring partners instead of your current ones.

Q. As a merchant, will I be sharing my itemised sales data with Xiippy or anyone else to include smart receipts and rewards within payments?

Answer:

Short answer: Absolutely NOT.

That's the whole different Xiippy uniquely brings to the table, backed with multiple patents. Other alternatives require you to FULLY trust the data intermediary and possibly banks as well. With alternate providers, it will be like saying "Give us all your passwords and we're good people; we won't be doing anything bad with it". With Xiippy, you are assured you are not in need of trusting anyone with your data as you are not sharing anything in the first place!

  • Xiippy uses end-to-end encryption to establish a completely-private communication pathway between you and your customers.
    This means no data gets out of your POS system without being encrypted with keys unknown to the rest of the universe.
  • Such data then gets decrypted at the consumers' devices after being routed using cryptographically-generated routing details from consumer card tokens (not card numbers).
  • You can generate your own keys as part of the process and only share public keys with Xiippy for increased confidence and assurance of Xiippy's zero knowledge.
  • Xiippy is the only company preserving consumer data rights in full by only making data available to them whilst digitising the data that otherwise must remain on papers or be disclosed to other parties as part of digitisation.
  • Your itemized sales data will never be visible to Xiippy nor any other party in the universe, including your competitors.
  • For high-privacy-needs merchants like pharmacies, this is a MUST have! Imagine disclosing people's medications list to a 3rd party via digital receipts! That could potentially lead to legal actions should the data get ever disclosed to other parties, wantedly or unwantedly (e.g. in a data breach incident)

Q. As a merchant, how come we can view and access our itemized transaction data in Xiippy's Business Owner's Portal while Xiippy claims it has no knowledge of such data? How can that be?

Answer:


Well, nice question! Simply, because the Xiippy Business Owner's Portal is a Zero-Knowledge web-based portal. This means even though YOU have access to such data in plain format, the data is actually decrypted at client side within your web browser. Your data is never maintained in plain format on Xiippy's servers and the keys to such encryption are only and only owned by you and your organisational users.

We have a long article about why zero-knowledge dashboards will be the thing of the future.

This new novel model of Software-as-a-Service (SaaS) dashboards privatise an inherently-public environment like the cloud so that you get all the benefits of using a SaaS product (e.g. high availability, no maintenance costs, no server costs etc...) WITHOUT the trust requirement that you normally have to say yes to when using a SaaS product.

In other words, in a zero-knowledge dashboard, data is encrypted and decrypted at client side with keys unknown to the SaaS product developer/operator/owner. The cloud is merely used to host encrypted data which is unreadable by any other party. This means a completely private environment, as if you were running it all on your own infrastructure, without the needs to trust the SaaS provider for your data.

Every user within your organization (who can access the Xiippy dashboard via enterprise SSO as well) will have to generate a User Master Key/certificate upon the first login. The main user who creates the organization within Xiippy also has to generate a set of Entity Master Keys. These keys are used to encrypt all dashboard data to privatise such data and protect it from Xiippy and the rest of the universe.

The end result: YOU will have access to your data but Xiippy or the rest of the universe will NOT!

This level of information protection is nowhere else seen in similar products and suites large-scale mass retail networks with high privacy needs and multi-tiered access to reporting, CRM and marketing dashboards, unique to Xiippy.

Q. What is a “User Master Key” in Business Owner's Portal?

Answer:

Each user in Business Owner's Portal owns a master key which is generated upon the first time they log into the portal, which we have called a 'User Master Key'. The generation of this key, which is a P-384 EC key, is carried at client side within your browser which should be a modern and secure one. Xiippy does not hold the private component of the master key! This key is used to perform end-to-end encryption for the data that Business Owner's Portal handles. In other words, using this key assures that Xiippy will not be able to know what the contents of business owner's data in Business Owner's Portal are hence assuring its Zero Knowledge over the data even for the web-based portal Business Owners use.

Q. What is Business Owner's Digital Signature?

Answer:

Xiippy uses a range of digital signatures in its operation for a range of reasons including fraud protection, tamper-resistance and non-reputability of purchase records. When a business owner issues a statement, it signs the contents of the statement using its currently-active identity key only owned by and known to the merchant. The signature assures tamper-resistance of the statement and can be used to verify the statement has genuinely been issued by the relevant business owner and that it has not been changed since the issuance. If a business owner, re-registers a POS station, the previous public key of the POS station will still remain on the server to help with the verification of previously-issued statements with older identity keys.

Q. What is Recipient's Digital Signature?

Answer:

Xiippy uniquely uses a range of digital signatures in its operation for a range of reasons including purchase verification and rewards claims. Upon receiving a receipt or statement, the recipient also signs the transaction. This signature remains a mechanism for the recipient to prove purchase at later stages by providing the same keys used to generate the signature in an interactive way.

Q. How does Xiippy handle passwords?

Answer:

Xiippy has adopted the 'Secure Remote Password 6a protocol' which is a zero-knowledge password proof protocol. This makes it possible for Xiippy to avoid having to maintain any of your credentials in any form or shape (not even in hashed format). As a result of this, you can rest assured that the chance of the password you choose with your accounts in Xiippy ever being exposed is almost nil.