A receipt you can check,not a score you must trust.Verifiable payment attestation is RankShield Financial's signed receipt for a payment. It records the exact intent, the released, held, or denied verdict, and the signer — sealed to a tamper-evident record before settlement — so you can recompute the digest and confirm it yourself.
What is a verifiable payment attestation?
A verifiable payment attestation is a signed receipt that proves a specific payment intent was authorized before it settled. RankShield Financial reduces each intent — payer, payee, amount, purpose — to a canonical record, signs it with post-quantum ML-DSA-65, resolves a released, held, or denied verdict, and seals the whole decision to a tamper-evident record on the RankShield Network. The receipt is not a summary of what happened; it is the cryptographic artifact itself. Anyone who holds it can rebuild the canonical string, hash it, and confirm the signature against the enrolled signer identity. Nothing about the proof depends on trusting RankShield: the math either checks or it does not. That is the whole point of an attestation — to turn a payment decision into evidence that stands on its own, independent of the party that produced it. Consider what usually passes for a payment record: a line in a log, a status field, a screenshot, each of which is only as trustworthy as the system that wrote it and each of which can be edited without leaving a trace. An attestation replaces that trust with math. Because the canonical record is deterministic and the signature is bound to a published signer, a receipt cannot be quietly altered to describe a different amount or a different payee without the signature failing to verify. And because the decision is sealed before settlement, the receipt also fixes a moment in time — it says this intent was authorized, in this state, at this point, on the record. That combination of determinism, signature, and timing is what makes it evidence rather than assertion.
How is an attestation different from a black-box fraud score?
An attestation differs from a fraud score in one decisive way: you can reproduce it. A fraud score is a probability a model emits — a number you cannot recompute, audit, or independently confirm, and one that changes if the model changes. A verifiable attestation is a signed statement about a specific, canonicalized intent that anyone can rebuild and check. The score answers how risky a payment looks; the attestation answers whether this exact payment was authorized and provides the cryptographic proof. Scoring still has a place — it can inform whether an intent should be held — but the durable artifact is the attestation, because it survives the model, the vendor, and the audit horizon. When a dispute or an examiner arrives a year later, a score of 0.87 explains nothing and can no longer be regenerated from a retired model; a signed attestation can still be verified byte for byte. The two are not rivals so much as different layers: risk analytics decide, and the attestation records the decision in a form that cannot be walked back. Feedzai and others do claim pre-settlement timing, so speed alone is not the differentiator. We are not aware of another platform that combines a verifiable, cryptographic, identity-bound, and quantum-safe receipt in one artifact — and that combination, not raw latency, is what makes a RankShield attestation stand apart from a scoring output you are asked to trust.
How is a payment attestation produced?
An attestation is produced in a fixed pipeline that runs before settlement. First the payment intent is reduced to a canonical record — a deterministic string over payer, payee, amount in minor units, purpose, rail, and nonce — so the same intent always hashes to the same digest. That record is signed with composite ML-DSA-65. Identity, signature, liveness, and any agent authority are then verified against the granted mandate, and a verdict resolves: released, held, or denied. Finally the signed decision is sealed to a tamper-evident record on the RankShield Network. The diagram below reads left to right — sign, verify, seal, anchor — with coral action resolving to teal verification. Because each step operates on the same canonical record, the receipt that comes out the far side describes precisely the intent that went in, with no room for a silent substitution along the way. Two design choices make this trustworthy. Amounts are canonicalized in minor units so there is no ambiguity between, say, dollars and cents that an attacker could exploit at the margin. And the signing keys never sit exposed: they live in a hardware security module, and releasing a payment requires an M-of-N quorum rather than a single key, so no lone compromised signer can mint a false release. The pipeline is deliberately boring and repeatable — the same inputs always yield the same digest and the same verifiable outcome — because predictability is exactly what lets an outside party reproduce and trust the result.
Sign
The payment intent is reduced to a canonical record and signed with post-quantum ML-DSA-65.
Verify
Signature, identity, liveness and agent authority are checked against the granted mandate.
Seal
A release or hold decision is produced with a signed, independently verifiable attestation.
Anchor
The decision is sealed to a tamper-evident record on the RankShield Network — before settlement.
Why is an attestation independently verifiable?
An attestation is independently verifiable because everything you need to check it travels with the receipt. The canonical intent fields are in the clear (as de-identified commitments), the canonicalization order is documented, and the signer identity is enrolled and public. So a verifier rebuilds the canonical string, hashes it, and compares the digest; then verifies the ML-DSA-65 signature. If both match, the receipt is authentic and describes exactly that intent — no call to RankShield required. The Verifier here does this live in your browser with WebCrypto: change any field and the digest changes and the match fails, which is the honest demonstration that the proof is real and not theatre. This is why a RankShield receipt is evidence rather than assertion — its truth does not depend on the party that issued it. Independence has a practical payoff. An auditor, a counterparty, a regulator, or a court can each verify the same receipt without a login to our systems and without taking our word for anything, because the check is pure cryptography over data they already hold. It also means the proof keeps working if RankShield is unavailable, or years from now when the original request is long gone: the receipt plus the published signer key is sufficient. Verification that requires calling the issuer is not really verification — it is a second act of trust. A recomputable attestation removes that dependency entirely, which is the difference between a claim and a proof.
How does settlement-oracle reconciliation catch divergence?
Settlement-oracle reconciliation catches the gap between what was authorized and what actually settled. After a payment moves, an enrolled settlement oracle returns a signed receipt of the real outcome, and RankShield compares it to the attestation. The comparison resolves to one of three states. Settled_as_attested means the settled payment matches the authorized intent exactly. Divergence means something changed — an amount edited, a payee swapped — between authorization and settlement. Unauthorized_settlement means a payment settled with no matching attestation at all, the signature of a bypass. Because both the attestation and the oracle receipt are signed, a mismatch is provable rather than merely suspected, and it can be escalated with evidence in hand. This is how the receipt keeps its meaning past the moment of authorization and into the settled record. Pre-settlement verification answers whether an intent should proceed; reconciliation answers whether what actually happened matched what was approved — and the two together close a loop that most controls leave open. A pre-settlement gate alone cannot see a payment that was authorized correctly but then tampered with downstream, or one that skirted the gate entirely. Reconciliation is the second, independent witness that catches exactly those cases. It turns silent divergence into a signed, dated discrepancy you can act on, and it makes a bypass — the attacker's favorite move — leave a mark instead of vanishing into a reconciliation spreadsheet nobody reads in time.
What does a verifiable attestation not do?
A verifiable attestation does not move, hold, or custody funds, and it does not make you compliant by itself. RankShield Financial is a verification and attestation layer — never a wallet, custodian, or payment processor — so an attestation proves an intent was authorized and records the decision while your rails still settle the money. On compliance, the honest framing is that the receipt produces independently verifiable evidence that supports your obligations, not a certificate that discharges them. And it is deliberately narrow: a signed statement about a specific intent, not a promise about your whole program or an assurance that nothing can go wrong. That narrowness is its strength. A claim you can recompute and check is worth more than a broad guarantee you have to take on faith. It is worth being equally clear about what an attestation is not: it is not a fraud model that promises to catch every scam, not a control that can inspect a live phone call, and not a substitute for the judgement of a reviewer or a quorum. It certifies that a specific intent was authorized under a specific policy, and it certifies it in a way anyone can verify. Overclaiming would undercut the one thing the receipt does well. We would rather say precisely what it proves — and let the fact that you can check it for yourself do the persuading.
A settled amount does not match the authorized intent
A payment is authorized for one amount, but the value that settles on the rail is higher — an edit slipped in after the intent was signed and before the money moved.
Four parts of every attestation.
A RankShield attestation is not a free-form log line. It is a structured, signed artifact whose parts each carry a specific, checkable meaning.
Canonical intent
The payment reduced to one canonical string over payer, payee, amount, purpose, rail, and nonce. The same intent always yields the same digest, so the receipt cannot silently describe a different payment.
Verdict
The pre-settlement decision and its reasons, bound into the signed record. Held and denied intents carry why they stopped, so the receipt explains the outcome rather than just stating it.
Signature
A post-quantum signature over the canonical record, hybrid with a classical scheme and crypto-agile. It ties the decision to an enrolled signer identity anyone can verify.
Anchor
The seal to a tamper-evident record on the RankShield Network, placed before settlement, so the receipt's existence and integrity can be confirmed after the fact.
Verifiable payment attestation — questions, answered.
What is a verifiable payment attestation?
How is an attestation different from a fraud score?
How do I verify an attestation myself?
What are the possible verdicts in an attestation?
What does settlement-oracle reconciliation add?
What does a verifiable attestation not do?
Is the attestation signing quantum-safe?
Does the receipt expose account numbers or PII?
Turn every payment decision into evidence you can verify.
RankShield Financial is rolling out verifiable pre-settlement attestation with design partners. Request access and we'll walk you through recomputing a receipt end to end.