[w3c/browser-payment-api] Add security text regarding payment apps and phishing (#233)

This is a recommendation from the Security and Privacy Checklist review. See https://docs.google.com/document/d/1w7ginyzNg-xZUmITK4vzcGUKB4gbMOAvlkWWaRtX14k/edit?usp=sharing for additional detail

_Note: It's not clear to me whether this should be filed on the payment request API or the payment apps API. I'm filing it here for now, as it applies to native apps in addition to web apps, and the payment apps API doesn't address native apps._

Although not explicitly listed in the checklist questionnaire, dealing with financial data does present some unique challenges. In particular, the greatest risk that isn’t covered in the current documents or in the preceding checklist is that of payment provider phishing attacks. For example, a web site may register itself as capable of handling the “Basic Card” payment type; and, in fact, may provide valid information to the merchant site. However, if malicious, this site may also exfiltrate the credit card information for its own unauthorized use. The potential risks of installation of payment applications must be very carefully explained to the user.

---
https://github.com/w3c/browser-payment-api/issues/233

Received on Wednesday, 10 August 2016 20:31:10 UTC