Re: ANSI X9.122 Secure Customer Authentication for Internet Payments

On 2016-07-05 21:53, Ian Jacobs wrote:
>
<snip>
>
>> - To ensure segregation of authentication data and PAN data, the
>> authentication data and the PAN must be transmitted in separate sessions
>> from the consumer’s browser and the merchant to the authenticating
>> vendor.
>
> I think the payment app model supports this. The user authenticates
> through the payment app. The payment app returns data to the browser.
> The browser returns it to the merchant. So authentication and data-to-the-merchant
> are independent.

Converted to Apple and Android Pay it means that these apps would
have to call Apple and Google services respectively before providing
a response to the Merchant.  Is that the case?

I thought that "tokenization" rather was their answer to this problem.

There are as I mentioned other, entirely different ways achieving
similar goals which do not require the introduction of a separate
authentication entity at the browser or app level.

Anders

Received on Wednesday, 6 July 2016 07:49:14 UTC