
Re: Encrypting basic card data

From: Erik Anderson <eanders@pobox.com>
Date: Thu, 14 Jul 2016 17:21:48 -0400
Message-Id: <1468531308.632475.666613145.1C8FF127@webmail.messagingengine.com>
To: public-payments-wg@w3.org

This topic is changing daily.

2 days ago the EU just adopted some strong privacy issues around users' data
and financial devices.
http://europa.eu/rapid/press-release_MEMO-16-2462_en.htm

The new European laws strictly call out European-style data
protection/encryption, data at rest, data in motion, and tokenization.

Throughout these laws and regulations they specifically call out "public
networks". Public networks are exactly where W3C Web Payments falls.
 
They are not saying to protect against this attack vector or that attack
vector. They are saying to secure the data before it leaves the user's
control via encryption and tokenization.

I am looking into a massive amount of incoming documentation from the US
Treasury, NIST, PCI compliance, and the Federal Trade Commission (FTC).

Between the US and EU they are essentially saying the same thing:
protect the users' data via point-to-point security (not channel-based
security, but encrypt or tokenize that data directly).

These W3C standards are international. I will update Manu's page.

Design the API up, not down.
 
I would argue that the users' data leaves their control once they enter
it in a web form. I will accept that the data is secured once it hits
our API (or before).

The Payments API must be secure.
 
Erik Anderson, Bloomberg
Received on Thursday, 14 July 2016 21:24:22 UTC
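The distinction the email draws, channel security (TLS protecting the pipe) versus securing the data item itself before it leaves the user's side, is easiest to see with tokenization. The example below is added here and is not code from this thread, the W3C Web Payments work, or Bloomberg. It assumes an in-memory token vault (a real vault would encrypt its store at rest and sit inside PCI scope), a constructed HMAC key, and the well-known Visa test number 4111111111111111 as sample input. The merchant-side order record ends up holding only a surrogate that fails the Luhn check by construction, so a copy of that record leaking on a public network exposes no card number.

```python
"""Card-data tokenization: replace the PAN with a surrogate before it
leaves the user's control, so everything downstream handles only the
token. Added example; stdlib only, nothing here is from the W3C spec."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check used by card numbers; also used to make tokens deliberately invalid."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only token <-> PAN mapping. Merchant systems never get a
    reference to this object; they only ever see the token string.
    (Constructed demo: storage is a plain dict, not an encrypted store.)"""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash lets us detect a repeat PAN without indexing on the PAN itself.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:      # same card -> same token
            return self._token_by_fingerprint[fp]
        while True:
            # 12 random digits plus the real last four, so the token keeps the
            # card-number format and lets support staff say "ending in 1111".
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            # Reject tokens that pass Luhn: a token must never look like a usable PAN.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (inside PCI scope) can turn a token back into a PAN."""
        return self._pan_by_token[token]


def build_merchant_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant stores after checkout: a token, never the PAN."""
    return {"card_token": vault.tokenize(pan), "amount_cents": amount_cents}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """Defensive check a data-loss scanner would run over stored records."""
    return pan in str(record)


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key-not-for-production")
    test_pan = "4111111111111111"                 # public Visa test number
    order = build_merchant_order(vault, test_pan, 1999)
    print("merchant sees:", order)
    print("record exposes PAN:", record_exposes_pan(order, test_pan))
    print("vault can recover PAN:", vault.detokenize(order["card_token"]) == test_pan)
```

The point of `record_exposes_pan` is the audit side of the email's argument: once data is tokenized at the edge, you can mechanically verify that merchant records, logs and analytics exports contain no PAN, which is something TLS on the channel can never give you.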
