- From: Adrian Hope-Bailie <adrian@hopebailie.com>
- Date: Mon, 11 Jul 2016 17:02:38 +0100
- To: Erik Anderson <eanders@pobox.com>
- Cc: Payments WG <public-payments-wg@w3.org>
- Message-ID: <CA+eFz_+DoZEu5ac8o3tf9vXkh3mYib1qMBKWKVruEAcNd7wr4w@mail.gmail.com>

I don't follow. Are you saying that time makes the Web Payments API less secure than filling credit card details out in a web form? How?

The fact that online fraud is increasing is not news, nor is the fact that specific vendors have built highly successful businesses around solving this.

Our job in defining this API is not to provide a replacement for those solutions; it is to begin providing a framework upon which new solutions are possible.

You are talking about specific implementations of payment processing systems and we are talking about a new interface upon which these and other systems can be built.

If what you are saying is true, then the developers of HTML are liable for all current online card fraud because HTML provides the framework for credit card details to be submitted online.

I don't think security is an "anti-pattern topic"; I think it is being treated as an important topic that we can layer onto the API through better generic payment method specifications.

The basic card specification is simply a bootstrapping mechanism that gives us a slightly better version of what we already have today that is arguably also slightly more secure in that it:

1) Is only available in a Secure Context
2) Requires top-level contexts to explicitly enable it
3) Prevents users from typing in card numbers and risking having these stolen or observed in doing so

If you think the API introduces new risks then please say what those are. I've read the documents you are linking to and find none myself.

On 11 July 2016 at 16:24, Erik Anderson <eanders@pobox.com> wrote:

> > How is the current Basic Card mechanism any less secure than what is done today using web forms to capture card details?
>
> Adrian, time.... Time changes everything, Chip-n-pin is causing fraud to move away from the Merchant terminal to online. Laws are changing quickly to adjust.
>
> PayPal was successful because they wrote a secure application in an unsecure environment. They worked around all of the issues.
>
> PayPal follows the best practices, assumes liability for fraud transactions, and required financial standards.
>
> If all you want to achieve with v1 is social payments (not financial payments) or optimize checkout then do whatever.
>
> However, credit cards, checks, and consumer data are closely regulated and consumers have legal protection.
>
> I am not sure why payment security topics are such an anti-pattern topic at W3C.
>
> Erik Anderson
> Bloomberg

Received on Monday, 11 July 2016 16:04:27 UTC