Re: [w3c/webpayments-methods-tokenization] Gateway params sequence (#8) from Olivier Yiptong on 2017-06-08 (public-webpayments-specs@w3.org from June 2017)

From: Olivier Yiptong <notifications@github.com>
Date: Thu, 08 Jun 2017 10:33:45 -0700
To: w3c/webpayments-methods-tokenization <webpayments-methods-tokenization@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webpayments-methods-tokenization/issues/8/307173630@github.com>

> I think it depends on how strong the merchant credential is to communicate to GW. Usually here we are looking at network security (VPN, TLS etc)

Are you saying that you require mTLS for the merchant to gateway/psp communication?

> My point was on subsequent transaction you were still passing id stored in browser. so you are still having static value in browser which is sent to merchant. Then relying on merchant to get token. So here you are relying on merchant credentials. if they get compromised then hacker can use static id to get token.

Yes that's what I imply. Breaking into the merchant infrastructure should be harder than breaking into the end-user's computer.

> We can simplify this further I think and improve user experience without compromising on security. we can have a call to discuss further.

Sounds good. Let's have a chat

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-methods-tokenization/issues/8#issuecomment-307173630

Received on Thursday, 8 June 2017 17:34:21 UTC