- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 6 Jul 2016 09:48:37 +0200
- To: Ian Jacobs <ij@w3.org>, Erik Anderson <eanders@pobox.com>
- Cc: public-payments-wg@w3.org, public-webpayments-ig@w3.org

On 2016-07-05 21:53, Ian Jacobs wrote:
> <snip>
>
>> - To ensure segregation of authentication data and PAN data, the
>> authentication data and the PAN must be transmitted in separate sessions
>> from the consumer’s browser and the merchant to the authenticating
>> vendor.
>
> I think the payment app model supports this. The user authenticates
> through the payment app. The payment app returns data to the browser.
> The browser returns it to the merchant. So authentication and data-to-the-merchant
> are independent.

Converted to Apple and Android Pay it means that these apps would have to call
Apple and Google services respectively before providing a response to the Merchant.

Is that the case? I thought that "tokenization" rather was their answer to this problem.

There are, as I mentioned, other, entirely different ways of achieving similar goals which do not
require the introduction of a separate authentication entity at the browser or app level.

Anders

Received on Wednesday, 6 July 2016 07:49:14 UTC