Re: [w3c/payment-request] Regulatory Compliance Support (#632)

> Great to see there's been an assessment, but it doesn't seem to include the risks regarding payment descriptions (what people buy), so it needs some work.

That's #628. 

> The security and privacy assessment also has open issues still cited against it.

Sure, we intend to continue to improve the spec as we continue along the recommendation track. Specifications are living documents.  

> For shipping details it doesn't consider the use case that the recipient may not be the payer and the payer may not legally be allowed to share the recipient information (i.e., an employer in a trusted position, purchasing an item for an employee or someone buying items for a friend's daughter).

The `PaymentRequest.shippingAddress` includes [`recipient`](https://www.w3.org/TR/payment-request/#dom-paymentaddress-recipient) that can be different from the person making the purchase, which is captured via the `PaymentResponse`.[`payerName`](https://www.w3.org/TR/payment-request/#payername-attribute).

> It would appear that the security and privacy assessment needs to be upgraded with consideration for not just PCI-DSS but for wider privacy law.

We are not lawyers tho.

> I would advise that to do this, personas are created... 

These would be useful, but something browser vendors would undertake in-house. Remember, we (browser vendors) compete on privacy and security aspects. Thus, doing something like the above would be overly prescriptive.

> Then you have a requirements list to redefine your security and privacy assessment by and to improve on it until it is compliant. Then you can fix this spec.

Yeah, that's going to be an ongoing process.   


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/632#issuecomment-332088874

Received on Tuesday, 26 September 2017 05:18:41 UTC