[w3c/webpayments-methods-tokenization] Add more detail to cryptogram flows (#52)

When a merchant has a token-on-file and requests a cryptogram for a subsequent transaction, they have the option of requesting the cryptogram through a backend integration, or through the Payment Request API via the token-cryptogram payment method.

The token itself may have domain controls on it, meaning that only the original token requestor can request subsequent cryptograms.

If the token requestor was a payment handler (browser or third party) this means reusing the same one for subsequent transactions. This may not raise issues generally, but the question has come up: what happens if the user does not have the same piece of software (e.g., the first transaction took place from a home computer, and subsequent transactions might happen from a work computer)? Do people think that is an important use case (for version 1 of this specification)?

If the token requestor was the merchant, this creates some opportunities for greater flexibility (at least in theory) - the user might be able to use a broader set of browsers and/or payment handlers, provided those software agents can speak to the TSP that minted the original token.



https://github.com/w3c/webpayments-methods-tokenization/issues/52

Received on Tuesday, 11 September 2018 17:01:22 UTC