Re: FIDO - and its future? Relative to VCs

Secure Payment Confirmation (SPC) indicates that breaking away from only being a password-replacement is not entirely straightforward.

Using SPC
1. Buyer gives Merchant a card number in CLEAR.  This typically requires you to have the physical card at hand as well.
2. Through very complex backend operations, the Merchant gets the associated FIDO key identifier (CredentialID) from the associated issuer bank.
3. Perform an authorization process using FIDO/WebAuthn.

Using Apple Pay
1. Select virtual card.  No need for typing or having a physical card at hand.
2. Perform an authorization process.
Noteworthy:
- Merchants get neither card numbers nor key identifiers.
- Merchant integration is a magnitude simpler than for SPC.

Q: How can Apple Pay work without handing over card numbers to Merchants?
A: Merchants do not need card numbers, they need assurances (receipts) from the payment network showing that a payment has been performed.  From the Buyer, Merchants only receive encrypted/tokenized user authorizations that are resolved by the payment network, making the scheme both GDPR and PCI compliant.

Thanx,
Anders

Received on Friday, 1 April 2022 07:01:58 UTC
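To make the Q/A above concrete, here is an added toy model (not code from the post, Apple Pay, or any payment network) of the tokenized flow it describes: the wallet sends the merchant an opaque, MACed authorization bound to merchant and amount, the payment network resolves it and returns a receipt, and the card number never reaches the merchant. HMAC with keys shared at enrollment stands in for the device's asymmetric key and the network's encryption; all identifiers, keys and amounts are constructed.

```python
# Toy model of the post's Apple Pay-style flow, standard library only: HMAC with
# keys shared at enrollment stands in for device signatures and network-side
# encryption. All ids, keys and amounts below are constructed.
import hashlib, hmac, secrets
def _mac(key, fields):
    # Canonical "k=v&k=v" encoding so both sides MAC identical bytes (toy only).
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class PaymentNetwork:
    """The only party holding the token -> card number (PAN) mapping."""
    def __init__(self):
        self.token_to_pan = {}   # never leaves the network
        self.device_keys = {}    # token -> key shared with the wallet device
        self.merchant_keys = {}  # merchant_id -> key shared with the merchant
        self.seen_nonces, self.ledger = set(), []  # replay guard; internal settlements
    def enroll_card(self, pan):
        token, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.token_to_pan[token], self.device_keys[token] = pan, key
        return token, key  # the wallet stores the token, not the PAN
    def enroll_merchant(self, merchant_id):
        self.merchant_keys[merchant_id] = secrets.token_bytes(32)
        return self.merchant_keys[merchant_id]
    def resolve(self, authz):
        """Verify a wallet authorization; return a MACed receipt or None."""
        body, tag = authz["body"], authz["tag"]
        key = self.device_keys.get(body["token"])
        mkey = self.merchant_keys.get(body["merchant"])
        if key is None or mkey is None or not hmac.compare_digest(tag, _mac(key, body)):
            return None  # unknown token/merchant, or body altered after signing
        if body["nonce"] in self.seen_nonces:
            return None  # replayed authorization
        self.seen_nonces.add(body["nonce"])
        # The PAN is used only here, for settlement; it is never returned.
        self.ledger.append((self.token_to_pan[body["token"]], body["merchant"], body["amount"]))
        receipt = {"merchant": body["merchant"], "amount": body["amount"], "txn": secrets.token_hex(8)}
        return {"receipt": receipt, "tag": _mac(mkey, receipt)}

def wallet_authorize(token, device_key, merchant_id, amount):
    """Wallet side: authorize a payment bound to merchant and amount; no PAN involved."""
    body = {"token": token, "merchant": merchant_id, "amount": amount, "nonce": secrets.token_hex(8)}
    return {"body": body, "tag": _mac(device_key, body)}

def merchant_checkout(network, merchant_id, merchant_key, authz, expected_amount):
    """Merchant side: forward the opaque authorization and trust only the receipt."""
    result = network.resolve(authz)
    if result is None:
        return False
    receipt = result["receipt"]
    return (hmac.compare_digest(result["tag"], _mac(merchant_key, receipt))
            and receipt["merchant"] == merchant_id and receipt["amount"] == expected_amount)
```

Everything the merchant sees (the authorization it forwards and the receipt it gets back) contains a token and a MAC but no card number, which is the property the post credits for making merchant integration simpler and for keeping card data out of the merchant's PCI scope.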