Natalie Poirain sits down with Priya Jaiswal, a seasoned voice in banking and finance whose work spans market analysis, portfolio strategy, and international trends. She unpacks how the digital euro is being shaped by open European standards and real-world pilots, including offline and programmable features. Expect candid reflections on design trade-offs, merchant economics, and the gritty plumbing behind ISO 20022, CPACE, and Berlin Group frameworks. The conversation threads together readiness targets for mid-2027 and 2029 with practical migration playbooks and governance across more than 70 private contributors.
What tipped the decision to base digital euro online payments on open European standards, and how did you weigh speed of rollout against long-term interoperability? Can you share an example where standard reuse cut integration time or cost by a specific percentage?
Reuse won because it compresses risk and learning curves. ISO 20022, CPACE, and the Berlin Group frameworks already run in production, so interoperability starts on day one. We balanced speed and longevity by anchoring to these assets during the technical readiness phase that began last October, while leaving room for iterative refinements. In one gateway pilot, reusing ISO 20022 objects across authorizations and refunds trimmed interface work to a fraction of custom builds, and internal teams felt the relief immediately.
ISO 20022 specs will link merchant systems to PSPs and acquirers for authorization, capture, refunds, reversals, and reconciliation. What changes should merchants expect in their message flows and settlement timelines, and how would you phase migrations to avoid downtime during peak seasons?
Merchants will see cleaner, event-based flows that separate authorization from capture and streamline reversals. Refunds align with standardized reason codes, improving dispute clarity. We would stage migrations outside peak seasons, then run dual message paths with a fast rollback. Cutovers include dry runs, production shadowing, and short freeze windows that feel almost silent on the shop floor.
Alias-based initiation via phone numbers is slated to simplify pay-ins. How will identity binding and directory services work at scale, and what protections will prevent SIM-swap or alias‑hijacking fraud? Can you walk through a step-by-step risk-control playbook for issuers and wallets?
A federated directory maps aliases like phone numbers to instrument identifiers with explicit consent. Binding uses multi-factor checks at enrollment and change events, never only a SIM signal. The playbook is simple: verify alias ownership with strong challenges, risk-score device posture, rate‑limit lookups, and require step-up for sensitive changes. Post‑event, alert users, quarantine risky aliases, and throttle recovery paths until signals stabilize.
With standardized balance and account queries, what rate limits, caching, and consent models are envisioned to protect core banking systems? How will you measure performance targets like P99 latency and uptime, and what penalties or incentives will enforce them?
We apply tiered rate limits and short‑lived caching to keep cores calm during bursts. Consent is explicit, renewable, and scoped to use cases like balance peek or reconciliation. P99 latency and uptime targets will be monitored across shared observability, with dashboards aligned to the technical readiness phase. Incentives include priority routing for good actors, while chronic breaches trigger throttles and remediation plans.
CPACE will enable NFC tap-to-pay between devices and terminals. What terminal firmware and certification updates will be required, and how will you support tap-on-phone for small merchants? Can you share expected certification timelines and average upgrade costs per terminal?
Terminals need firmware that speaks CPACE and validates digital euro acceptance parameters. Certification will follow a predictable path so acquirers can plan upgrades ahead of the mid‑2027 pilot. Tap‑on‑phone will arrive through SDKs and attestation checks that are gentle on small merchants. We are not publishing average upgrade costs yet, as they vary by estate and support model.
For e-commerce and in-app transactions, what SDKs, testing sandboxes, and reference implementations will be available to PSPs and gateways? How will you ensure consistent user experience across browsers and mobile OS versions, and what metrics will define “uniform” acceptance?
PSPs will get SDKs that wrap ISO 20022 flows for authorization, capture, and refunds, plus mock acquirer stubs. Sandboxes mirror edge cases, including reversals and reconciliation quirks. A UX reference, backed by pattern libraries, will align browsers and mobile OS behavior. Uniform means the same steps, the same cues, and the same success criteria, even under spotty networks.
Reconciliation is often messy across acquirers. How will standardized reconciliation tools handle partial captures, multi-currency disclosures, and refunds after chargeback windows? Could you outline the daily reconciliation run, including file formats, cutoff times, and exception handling?
Standard tools will tag partial captures with clear linkage to the original authorization and a precise ledger trail. Multi‑currency disclosures ride along with harmonized fields, reducing shock at settlement. A typical daily run compiles end‑of‑day files, validates deltas, posts adjustments, and flags exceptions into a queue with structured reason codes. Missed cutoffs get rolled forward with auditable notes, not guesswork.
More than 70 private contributors are involved, with firms piloting offline and programmable features. How are you governing change control and versioning, and what criteria decide when a feature graduates from pilot to production? Any lessons learned from recent sprints?
We run a gated process with semantic versioning, change logs, and break‑glass rules. Graduation needs stable conformance results, security sign‑offs, and merchant acceptance tests. The “over 70” cohort brings energy, so we channel it with crisp RFC cycles. Recent sprints taught us to shorten feedback loops and to lock specs earlier to protect downstream builds.
Offline payments raise double-spend and privacy challenges. Which risk tiers, value caps, and device attestation methods will you use, and how will dispute resolution work if connectivity returns hours later? Can you share failure rates tolerated in pilot thresholds?
We use risk tiers that align offline value caps with local threat models. Device attestation binds hardware state with wallet identity to curb spoofing. When connectivity returns, deferred checks reconcile counters and flag potential doubles for rapid review. Pilot tolerances are tightly governed and tracked, with thresholds shaped during the technical readiness phase.
Programmability can enable conditional payments. What guardrails will prevent unintended lock-ins or systemic dependencies on third-party logic, and how will audits and kill-switches operate? Please illustrate with two concrete use cases and their compliance checks.
Guardrails keep third‑party logic outside settlement cores and require auditable policies. Kill‑switches can halt a condition path without freezing funds beyond what rules allow. Think delivery‑upon‑proof for an e‑commerce order, with proof types whitelisted and revocable. Or a subscription that unlocks only after monthly confirmation, with explicit consent and rapid exit routes.
The path targets a pilot by mid-2027 and potential issuance readiness by 2029. What milestones must be met each year, and which ones are on the critical path? How will you publicly report progress, slippage, and key risk indicators?
The runway starts from last October’s technical readiness, then marches toward mid‑2027 pilots. Each year we expand coverage, harden security, and broaden merchant acceptance. Critical path items are legal adoption, scheme conformance, and terminal readiness. We will publish updates with progress notes, slippage calls, and clear risk dashboards.
Adoption hinges on merchant economics. What interchange-like fees, scheme fees, or settlement costs are being considered, and how will they compare to card rails for small-ticket transactions? Can you share scenarios where total cost of acceptance drops by a measurable amount?
The design seeks leaner economics by trimming layers and reducing dispute drag. Small‑ticket flows benefit from fewer hops and simpler reversals. We are assessing fee structures that reward efficient routing and clean authentication. We expect scenarios where acceptance costs ease, especially for in‑app and tap‑to‑pay, but we are not disclosing figures yet.
Cross-border expansion is a stated goal. How will the model interoperate with non-euro European schemes and global counterparts, and what FX and compliance workflows are envisioned? What would a step-by-step cross-border refund look like?
Interop leans on open standards and mutual recognition of acceptance profiles. FX and compliance sit in clear lanes, with audit trails tied to ISO 20022 events. A cross‑border refund mirrors the original flow, cites the prior authorization, posts the FX detail, and reconciles to a shared reference. The user sees a clean message and timely credit, not plumbing.
Security and privacy will be scrutinized. How will you balance strong customer authentication with low-friction UX for recurring or low-risk payments, and what anti-phishing education will you push to consumers and merchants? Any incident response SLAs you can share?
We calibrate SCA using risk signals so low‑risk and recurring flows stay light. Users get familiar prompts, not jarring detours, aligned with a uniform experience. Education focuses on trusted initiation paths and warning signs merchants can echo at checkout. Incident response follows tight playbooks with public commitments aligned to the technical readiness framework.
What is your forecast for the digital euro?
For readers, the arc is steady and deliberate: mid‑2027 pilots, then a path to potential issuance readiness in 2029. Expect broader acceptance as open standards settle and merchants feel the day‑to‑day ease. Offline and programmable features will mature from pilots into practical tools. If legislation lands on time, momentum will feel very real, and the experience should feel simple, fast, and distinctly European.
