- From: Ian Jacobs <ij@w3.org>
- Date: Mon, 17 Jul 2017 09:58:33 -0500
- To: Steve Sommers <steve@shift4.com>
- Cc: Payments WG <public-payments-wg@w3.org>
> On Jun 23, 2017, at 5:43 PM, Steve Sommers <steve@shift4.com> wrote: > > Hi Ian, > > I rarely make it to the conference calls so I'll provide some feedback here for the reference Payment Method Best Practice document. > > In the Payee Identity section there is a reference "In these cases, it may be useful to provide a 'merchantID' in the data field..." and then the example code show shows merchantIds. These merchant IDs cannot and should not be the merchant's acquirer bank merchant ID number as this would be very dangerous. > > Background: Years back deviants learned that old credit card terminal found on ebay and other resale sites contained merchant IDs. They then used these IDs to post fraudulent credit/return postings to their "mule cards" and posted offsetting sales/purchases to stolen cards. Other deviants simply used the merchant IDs to validate that stolen cards were valid and could be used for purchases. Moral of the story: Merchant IDs are considered sensitive data and should be protected. > > More thought will need to be given to the merchant ID - or maybe there has been and I just didn't read enough of the referenced docs. Thanks, Steve! I have updated the draft with a security note. Ian -- Ian Jacobs <ij@w3.org> https://www.w3.org/People/Jacobs/ Tel: +1 718 260 9447
Received on Monday, 17 July 2017 14:58:40 UTC