Re: ANSI X9.122 Secure Customer Authentication for Internet Payments

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 6 Jul 2016 09:48:37 +0200
To: Ian Jacobs <ij@w3.org>, Erik Anderson <eanders@pobox.com>
Cc: public-payments-wg@w3.org, public-webpayments-ig@w3.org
Message-ID: <e0f49a03-2612-e25c-74f1-6b66e12e6508@gmail.com>

On 2016-07-05 21:53, Ian Jacobs wrote:
>
<snip>
>
>> - To ensure segregation of authentication data and PAN data, the
>> authentication data and the PAN must be transmitted in separate sessions
>> from the consumer’s browser and the merchant to the authenticating
>> vendor.
>
> I think the payment app model supports this. The user authenticates
> through the payment app. The payment app returns data to the browser.
> The browser returns it to the merchant. So authentication and data-to-the-merchant
> are independent.

Converted to Apple and Android Pay it means that these apps would
have to call Apple and Google services respectively before providing
a response to the Merchant.  Is that the case?

I thought that "tokenization" rather was their answer to this problem.

There are, as I mentioned, other, entirely different ways of achieving
similar goals which do not require the introduction of a separate
authentication entity at the browser or app level.

Anders
Received on Wednesday, 6 July 2016 07:49:14 UTC