- From: Erik Anderson <eanders@pobox.com>
- Date: Thu, 14 Jul 2016 17:21:48 -0400
- To: public-payments-wg@w3.org
- Message-Id: <1468531308.632475.666613145.1C8FF127@webmail.messagingengine.com>
This topic is changing daily. Two days ago the EU adopted some strong privacy measures around users' data and financial devices: http://europa.eu/rapid/press-release_MEMO-16-2462_en.htm

The new European laws strictly call out European-style data protection/encryption, data at rest, data in motion, and tokenization. Throughout these laws and regulations they specifically call out "public networks". Public networks are exactly where W3C Web Payments falls. They are not saying to protect against this attack vector or that attack vector. They are saying to secure the data before it leaves the user's control via encryption and tokenization.

I am looking into a massive amount of incoming documentation from the US Treasury, NIST, PCI compliance, and the Federal Trade Commission (FTC). Between the US and EU they are essentially saying the same thing: protect the user's data via point-to-point security (not channel-based security, but encrypt or tokenize that data directly). These W3C standards are international. I will update Manu's page.

Design the API up, not down. I would argue that the user's data leaves their control once they enter it in a web form. I will accept that the data is secured once it hits our API (or before). The Payments API must be secure.

Erik Anderson
Bloomberg
Received on Thursday, 14 July 2016 21:24:22 UTC