Re: [w3c/webpayments-methods-card] Storing card information (#2)

This is a recommendation from the Security and Privacy Checklist review. See https://docs.google.com/document/d/1w7ginyzNg-xZUmITK4vzcGUKB4gbMOAvlkWWaRtX14k/edit?usp=sharing for additional detail.

We suggest that the Basic Card Payment specification strongly discourage web sites from storing credit card information for future use, except in the case of future or recurring payments. We suggest including explicit guidance that in such cases, Web site owners should take careful action to prevent disclosure. The sequence diagram in the document should similarly be updated so as not to encourage server-side credit card information storage.

Because of the potential for such storage by web sites, and because of the potential for web browser state synchronization (usually assisted by a synchronization server), we also tentatively recommend that the Basic Card Payment specification make some level of mention of PCI DSS compliance. We propose that the group seek input from major credit card processing companies -- such as Visa and American Express -- regarding what language about PCI DSS compliance (if any) is appropriate for the specification. Here is the sort of statement we have in mind: “The privacy and security sections in this document do not replace conformance with PCI DSS or any other regulations. Implementors and users of the payment APIs should determine whether they are also subject to PCI DSS and/or other legal regulations.”

If we elect not to discuss PCI DSS compliance in the Basic Card Payment specification, we strongly recommend mentioning the topic by name and explicitly indicating that it will not be discussed.

---
https://github.com/w3c/webpayments-methods-card/issues/2#issuecomment-238986060

Received on Wednesday, 10 August 2016 20:01:54 UTC