Divisibility -- Electronic tokens could either be designed so they can be subdivided into arbitrary small units or available only in discrete increments. If change from a large-denomination token can be obtained remotely, token divisibility may not be necessary.
Receipts -- Purchasers seek refunds for any number of reasons. Regardless of whether their purchase was made via paper cash, debit or credit card, or electronic tokens, they will need a receipt or proof of purchase. New electronic analogues must be developed to replace physical receipts.
Cash purchase of tokens -- Some users might prefer to purchase electronic tokens with paper cash. This practice would allow them to maintain anonymity. It would also let people without bank accounts purchase tokens.
Fungibility -- Users' ability to convert electronic tokens to paper cash and/or other monetary equivalents would increase the value and utility of the electronic token, particularly during the transition period when the NII is evolving and not yet universally used. On the other hand, this conversion capability could make the token a more attractive target for crime because of its increased fungibility (i.e., interchangeability).
International use and multi-currency -- People in the United States should be able to access and pay for foreign services as well as U.S.-based services from abroad. To support this access, electronic tokens would need to be available in multiple currencies. A service provider in one country could then accept tokens of various currencies from users in many different countries, redeem them with their issuers, and have the funds transferred back to banks in the local country. This ability to transport currency electronically across borders could have repercussions on trade and international banking laws.
Time limits -- Time limits could be imposed beyond which the electronic token would expire, worthless. The user would have to redeem or exchange the token prior to the expiration deadline. For this feature to work, electronic tokens would have to be date/time-stamped, and time would have to be synchronized across the network to some degree of precision.
Maximum amount and rate limits -- An upper limit could be imposed on the allowable value that could be assigned to any single electronic token device or that could be transferred to the same device within a given period of time. Imposing this maximum limit, however, could limit the issuer's liability. Additionally, since the user's terminal could be programmed to execute small transactions continuously at a high rate over the network, a strategy of reporting transactions over a certain amount will be ineffective for law enforcement. However, a tamper-resistant unit could enforce a policy involving both transaction size and value with time. For example, an "anonymous coin-purse" feature of the unit might be capable of receiving or spending no more than $500 in any 24-hour period. Alternatively, the "rate ceiling" for the next 24 hours could be made dependent on the rate of use or on the number of exchanges that could be permitted before a token would have to be redeposited in a bank or financial institution and reissued. Exchanges could also be restricted to a class of services or goods (e.g., electronic benefits could only be used for food, clothing, shelter, or educational purposes).
Conditional payment and post-dating -- The exchange process should allow payment to be withheld from the seller upon the buyer's instructions until delivery of purchases, goods, or services within a specified time in the future. Conversely, it should allow delivery to be withheld upon the seller's instructions until payment is received.
Token registration -- It might be useful for all electronic tokens issued to be uniquely identified and registered. Just as physical coin and paper currency is identified with a unique serial number, so too could electronic tokens be similarly protected. It would then be easier to spot copies or tokens with duplicate or unregistered numbers.
Anonymity -- The issue of anonymity involves a spectrum of positions. Many users may want their transactions to be completely anonymous, with the identity of either the buyer or seller unknown. However, when a court order or warrant is presented, it might be in everyone's best interests to be able to reveal user identities and transaction details. In some cases, too, users might want to give up their anonymity in exchange for detailed reports of transactions, to improve their management information system, or to sell details of transactions to marketing organizations. The best resolution of these various concerns might be "almost anonymous" transactions, in which the transactor's anonymity is maintained unless either the transactor gives permission and/or a government warrant is issued. From a technical standpoint, additional encryption techniques will be needed to help achieve the desired level of anonymity, along with the relaxation of certain accounting features, constraints, and limitations.
Ownership -- To ensure authentic ownership of a given token, the token could be linked to the current owner. This feature would require authentication of the owner as well as of the electronic token (requiring, for example, passwords, shared secrets, or biometrics such as verbal verification, dynamic handwritten signature recognition, fingerprints, hand geometry, or retinal scan). The advantage of such a feature is that lost or stolen electronic tokens would be worthless to anyone but the owner. Digital signatures ensure only that the electronic token is authentic, not the holder of the electronic token. The use of PINs or other secrets ensures that the holder of the electronic token is in possession of some knowledge believed to be known only by the legitimate owner. It is, however, possible for this knowledge to be compromised and used without the owner's awareness.
Biometric authentication cannot be duplicated by anyone but the owner, but may be coerced. If an electronic token is linked to either an owner's secrets or biometrics, the transfer of tokens to new owners would require altering this linkage. Alternatively, the owner could be identified only with the device that is storing/producing the token. It may be useful for the electronic token system to feature a false positive password/secret that provides a seemingly legitimate response, but in reality tags the transaction as invalid, renders the electronic token useless if used by anyone but the rightful owner, or notifies the authorities that a crime is in progress.
Co-located applications and data -- The relationship between electronic tokens used as payment mechanisms and other security-sensitive information objects that might be stored with electronic tokens needs to be carefully defined, especially when these are co-located in a single multipurpose device. Driving license information, health care-related information, buying preferences, biometrics, and other personal profile data as well as monetary units of value may all need to be stored in the same computer, card, or device in a private and secure fashion. Monetary electronic tokens should be able to be logically and/or physically isolated from other co-located data, lest linkages offer new opportunities for unauthorized misuse.