Re: Reducing fraud

On 2015-02-07 21:13, David Nicol wrote:
>
>
> On Sat, Feb 7, 2015 at 1:04 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>
>     I'm a little bit wondering how to deal with merchants and services who use static
>     credit card information stored in their systems.
>
>
>
> Start thinking in terms of finer-grained "purchase order numbers" instead of bearer-credential credit card credentials. Cass Customer wants credit at Mike Merchant? Instead of Cass's bearer gizmo being a payment instrument, her bearer gizmo is something that facilitates setting up a payable account to Mike on Cass's side and a receivable from Cass on Mike's side, but the receivable is underwritten so Mike doesn't have any more default risk than he would with Visa. After the handshake, Cass shops at Mike's and charges everything to her Mike's account.
>
> The delta between the above and the grocery shopping I just did would be, I would have paid with my "Chopper Shopper" card in addition to flashing it to get the discount price on the loaf of bread. On the other hand, that would create liability as store loyalty cards would become payment instruments. Reduced if the cashier gets to see a picture of whoever is expected to be using that loyalty card when it is presented.
>
> We have massive disk drives and they're practically free. We can do this.
>
> Anyway, the answer to the question is, add another layer of abstraction. Even if thieves do manage to copy Mike's list of purchase order numbers good for entering payments due to Mike, they aren't any good to anyone else.
>
>

I have been thinking in similar ways for setting up auto-payments, which are used in many EU countries.
Currently this is only possible through your bank and usually takes days.

One could imagine that the Payee signs a statement where it requests the right to withdraw money without explicit authorization and that this request is counter-signed by the Payer and that a copy of this is automatically stored in the bank as well so that the Payer can see all such "contracts". When a withdrawal is to be performed, the Payee would sign a payment order including a reference to the "contract". The Payer should be able to cancel a "contract" at any time through his/her on-line bank, which also should send a message to the Payee since it may require actions on the Payee side (a reduced allowance typically has some implications...).

The current solution using non-authorized credit-card information must go, otherwise we will be stuck with a broken system forever.

Anders

Received on Sunday, 8 February 2015 06:20:02 UTC
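
The counter-signed "contract" flow described in the message above, as an added example that is not part of the original thread: the bank stores a contract only when both signatures verify, accepts a withdrawal only as a Payee-signed order referencing an active contract, and queues a notice to the Payee on cancellation. Ed25519, the sorted-key JSON encoding, the `Bank` class and the per-`orderId` replay check are assumptions of this sketch.

```javascript
// Added sketch. Ed25519 from Node's built-in crypto; names are hypothetical.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Sorted-key JSON of a flat object, so every party signs identical bytes.
const encode = (o) => Buffer.from(JSON.stringify(o, Object.keys(o).sort()));
const signObj = (o, key) => sign(null, encode(o), key).toString('base64');
const checkSig = (o, sig, pub) => verify(null, encode(o), pub, Buffer.from(sig, 'base64'));

class Bank {
  constructor() { this.contracts = new Map(); this.notices = []; }
  // Store the contract only if the Payee's request and the Payer's counter-signature verify.
  register(terms, payeeSig, payerSig, payeePub, payerPub) {
    if (!checkSig(terms, payeeSig, payeePub)) return 'bad payee signature';
    if (!checkSig({ ...terms, payeeSig }, payerSig, payerPub)) return 'bad payer counter-signature';
    this.contracts.set(terms.contractId, { terms, payeePub, active: true, seen: new Set() });
    return 'registered';
  }
  // Payer cancels via the on-line bank (session login assumed); the Payee is notified.
  cancel(contractId) {
    const c = this.contracts.get(contractId);
    if (!c) return 'unknown contract';
    c.active = false;
    this.notices.push({ to: c.terms.payee, contractId, event: 'cancelled' });
    return 'cancelled';
  }
  // A withdrawal is a Payee-signed payment order that references the contract.
  withdraw(order, sig) {
    const c = this.contracts.get(order.contractId);
    if (!c) return 'unknown contract';
    if (!c.active) return 'contract cancelled';
    if (!checkSig(order, sig, c.payeePub)) return 'bad order signature';
    if (c.seen.has(order.orderId)) return 'replayed order'; // assumption: one use per orderId
    c.seen.add(order.orderId);
    return 'paid';
  }
}

function demo() { // constructed sample parties and values
  const [payee, payer, thief] = [0, 1, 2].map(() => generateKeyPairSync('ed25519'));
  const terms = { contractId: 'c-1', payee: 'Mike Merchant', payer: 'Cass Customer' };
  const payeeSig = signObj(terms, payee.privateKey);
  const payerSig = signObj({ ...terms, payeeSig }, payer.privateKey);
  const bank = new Bank();
  const order = { contractId: 'c-1', orderId: 'o-1', amount: 40 };
  const orderSig = signObj(order, payee.privateKey);
  const late = { ...order, orderId: 'o-2' };
  return { bank, results: [
    bank.register(terms, payeeSig, payerSig, payee.publicKey, payer.publicKey),
    bank.withdraw(order, orderSig), bank.withdraw(order, orderSig),
    bank.withdraw(late, signObj(late, thief.privateKey)),
    bank.cancel('c-1'), bank.withdraw(late, signObj(late, payee.privateKey)) ] };
}
```

A copied contract reference alone gets nowhere here: the order signed with a different key is rejected, and after cancellation even the real Payee's order is refused.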