Re: Encrypting basic card data

This topic is changing daily.

Two days ago the EU adopted some strong privacy issues around users' data
and financial devices.
http://europa.eu/rapid/press-release_MEMO-16-2462_en.htm

The new European laws strictly call out European-style data
protection/encryption, data at rest, data in motion, and tokenization.

Throughout these laws and regulations they specifically call out "public
networks". Public networks are exactly where W3C Web Payments falls.

They are not saying to protect against this attack vector or that attack
vector. They are saying to secure the data before it leaves the user's
control via encryption and tokenization.

I am looking into a massive amount of incoming documentation from the US
Treasury, NIST, PCI compliance, and the Federal Trade Commission (FTC).

Between the US and EU they are essentially saying the same thing.
Protect the users' data via point-to-point security (not channel-based
security, but encrypt or tokenize that data directly).

These W3C standards are international. I will update Manu's page.

Design the API up, not down.

I would argue that the user's data leaves their control once they enter
it in a web form. I will accept that the data is secured once it hits
our API (or before).

The Payments API must be secure.

Erik Anderson, Bloomberg

Received on Thursday, 14 July 2016 21:24:22 UTC