TWINT Was Just the Beginning: Toward a Scalable, Privacy-Respecting Digital Receipt Infrastructure for Switzerland
Switzerland has launched digital revolutions: TWINT reshaped mobile payments, and QR-bill invoicing redefined how the nation pays its bills. Across sectors, Swiss-led platforms are driving digital transformation in identity, finance, and public services. Now it is time to confront the next analogue holdout: the paper receipt.
Introduction and Research Motivation
Switzerland is now investing in foundational digital infrastructure with global implications, such as the Alps LLM project, led by ETH Zurich and EPFL, and the development of decentralized identity frameworks through SSI. In this context, we see digital receipts as a natural next step: paper receipts remain a major source of physical waste, digital fragmentation, and lost economic value. We have begun exploring the question: can Switzerland design and implement a privacy-respecting, vendor-neutral, and scalable digital receipt infrastructure without requiring fundamental changes to existing POS systems? Our first step was to develop and evaluate a student-built prototype to test whether a privacy-respecting, vendor-neutral solution could work under real-world retail constraints and legal expectations in Switzerland.
Background and Related Work
Digital receipts are not a new concept, but adoption remains limited and fragmented. Proprietary solutions such as Apple Wallet, Klarna, and Square offer partial implementations, but lack interoperability and often depend on centralized vendor lock-in. European efforts like ZUGFeRD (Germany) and Factur-X (France) define machine-readable invoice formats but are oriented toward B2B use cases. The lack of a consumer-facing, standards-based solution represents a gap in both the technical and policy landscape.
Moreover, the environmental costs of paper receipts are well-documented. According to Green America, paper receipts in the U.S. alone consume over 3 million trees and generate CO2 emissions equivalent to 450’000 cars annually. Most are printed on thermal paper with endocrine-disrupting coatings, now banned in Switzerland.
Methodology and Architecture
Our proof-of-concept, developed as part of a bachelor thesis, aimed to address key barriers to digital receipt adoption at scale: fragmented POS systems, unreliable connectivity, privacy, and regulatory compliance. The system was iteratively tested under simulated retail conditions to assess real-world feasibility.
The architecture follows a modular, three-part design: a local edge server (e.g., Raspberry Pi) receives webhook-based transaction data and buffers it during outages; a cloud backend handles storage, integrity checks via SHA-256, and secure API access; and a mobile frontend allows users to retrieve, link, and manage receipts. The system requires no POS code changes, making it suitable for heterogeneous retail environments.
Designed to comply with Swiss legal requirements, the system supports long-term archival formats (JSON, PDF/A), tamper-evident hashing, and optional digital signatures—enabling auditability, returns, and warranty claims. Further, each transaction generates a UUID token printable as a QR code, allowing delayed, user-controlled identification. This reduces checkout friction while preserving privacy.
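The hashing and claim-token flow described above, sketched as an added example (not the prototype's code): `ReceiptStore`, `canonical_bytes`, the receipt field names and the choice to store only a hash of the token are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import uuid

# Constructed sample receipt; amounts are integer rappen to avoid float drift.
SAMPLE = {"merchant": "Example Shop", "items": [{"name": "Coffee", "rappen": 450}],
          "total_rappen": 450, "currency": "CHF"}


def canonical_bytes(receipt: dict) -> bytes:
    """Deterministic JSON so equal receipts always produce equal hashes."""
    return json.dumps(receipt, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def receipt_digest(receipt: dict) -> str:
    return hashlib.sha256(canonical_bytes(receipt)).hexdigest()


class ReceiptStore:
    """In-memory stand-in for the cloud backend (hypothetical)."""

    def __init__(self):
        self.rows = {}  # sha256(token) -> {"body", "digest", "owner"}

    @staticmethod
    def key(token: str) -> str:
        # Keep only a hash of the bearer token, so a leaked table
        # does not hand out usable claim tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def ingest(self, receipt: dict) -> str:
        token = str(uuid.uuid4())  # random UUIDv4, printed as a QR code
        body = canonical_bytes(receipt)
        self.rows[self.key(token)] = {
            "body": body, "digest": hashlib.sha256(body).hexdigest(), "owner": None}
        return token

    def verify(self, token: str) -> bool:
        row = self.rows.get(self.key(token))
        if row is None:
            return False
        actual = hashlib.sha256(row["body"]).hexdigest()
        return hmac.compare_digest(actual, row["digest"])

    def claim(self, token: str, user_id: str) -> bool:
        row = self.rows.get(self.key(token))
        if row is None or row["owner"] is not None or not self.verify(token):
            return False
        row["owner"] = user_id  # identification happens only now, after purchase
        return True
```

A digest stored next to the record only reveals tampering to someone who can trust the stored digest; the optional digital signatures mentioned above cover the case where both can be rewritten.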
Though not yet deployed at scale, the prototype shows that a privacy-respecting, regulation-aware, and POS-compatible architecture is both practical and scalable.
Societal and Ethical Considerations
In line with our broader goals of trustworthiness and real-world applicability, we designed the system to reflect not only technical best practices but also the legal and ethical expectations specific to the Swiss context. The Federal Act on Data Protection (FADP) sets out principles such as data minimization (Art. 6), purpose limitation (Art. 4), and proportionality, further elaborated in guidance from the Federal Data Protection and Information Commissioner (FDPIC).
To operationalize these principles, the system supports anonymous transactions by default and enables users to identify themselves only if and when they choose to do so after the purchase. Receipt access does not depend on installing a proprietary app or creating a vendor-specific account.
KEY POINT: By decoupling identification from transaction processing and minimizing required user commitments, the system lowers barriers to adoption and reduces the risk of digital exclusion—especially in settings where mobile access, trust, or digital literacy may be limited.
Discussion and Next Steps
Our work set out to determine whether a privacy-respecting, vendor-neutral, and scalable digital receipt infrastructure could be realized without requiring major changes to existing POS systems. At the outset, it was unclear whether these goals were technically or operationally reasonable. Thanks to the successful POC, we now know that building a system that meets these constraints (POS modularity, legal compliance, user privacy, and minimal infrastructure disruption) is not only feasible but practical.
As a next step, we intend to pursue the next phase of this initiative as a dedicated project, shifting the focus from feasibility to scale: what are the most effective strategies, architectures, and partnerships needed to bring this concept into widespread use across diverse retail environments?
References
- Universal Receipt Manager, D. Matt, N. Luè, Bachelor Thesis, https://bfh.easydocmaker.ch/search/abstract/4423/
- Green America. “Skip the Slip”. https://www.greenamerica.org/skiptheslip
- Swiss Federal Archiving Law. https://www.fedlex.admin.ch/eli/cc/27/317_321_377/en
- ZUGFeRD documentation. https://www.ferd-net.de/front_content.php?idcat=231
