PSD2 questions for TPAC

Hi Payment Enthusiasts,

Since there will be a PSD2 presentation at TPAC, I took the liberty of raising a few issues that emerged on the LinkedIn network.

Although slightly political, they should be of general interest, at least for Europeans.

# Which API?
One such issue is how progress can be made without actually having the "API" (ISO 20022 is not an API). To me it seems that those who really need an API (smaller players) will be forced to stick with current solutions, while the really big (mostly US) e-tailers and social networks will rather define their own APIs which banks then have to implement.

# Local Payments
It is currently unclear how PSD2 addresses local payments. That EMV was designed to support centralized card networks, including the recent tokenization scheme, is also a factor to consider. Most mobile payment systems do not rely on EMV but on proprietary cloud-based schemes.

# User Authentication versus Authorization
The PSD2 papers talk about strong user authentication. Apple Pay and similar rather perform strong user authorization, which supports a wider range of payment use-cases including automated gas stations and bookings. Existing (all-over-the-map) authentication solutions used by banks do not permit secure "pass-through", which limits third parties' ability to do things as a proxy for the customer. PISPs would in practice be fairly crude "Web redirectors". Such systems have been in active use for more than 10 years in several countries including Sweden. Will OAuth improve this situation? Maybe; I still lack a blueprint of how that would work, and particularly in a convenient way.

C U in Lisbon!

Anders Rundgren
Principal, WebPKI.org

Received on Thursday, 8 September 2016 03:56:44 UTC