W3C home > Mailing lists > Public > public-payments-wg@w3.org > September 2016

Re: Payment Method Spec for Card Issuer Tokens

From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Fri, 16 Sep 2016 10:53:10 +0200
Message-ID: <CA+eFz_LgYGFHgJdrCuqV5HXk-doxsVXM-BcGjCd+_srMrEXPfA@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Payments WG <public-payments-wg@w3.org>
On 16 September 2016 at 08:04, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2016-09-15 00:22, Adrian Hope-Bailie wrote:
>
> Hi all,
>
> I had a meeting today with a company that deploy mobile apps for banks
> including a whole load of backend security infrastucture for issuing of
> issuer tokens.
>
> They are very keen to build payment app functionality into the apps they
> already build for banks but are concerned that given the current state of
> things there is unlikely to ever be situation where a banks app could be
> used to make a payment other than in countries where there are already push
> based schemes.
>
> Issuer tokens are the card tokens that are created by the card issuing
> bank and provisioned onto a user's mobile device for secure online
> payments. The tokens can be issued with various restrictions on their use
> (one time vs recurring, amount limits, merchant limits) etc.
>
>
> I wouldn't characterize this as "push" payments, it is rather an improved
> version of existing card schemes like 3DS.
>

No, this is tokenized card. i.e. Pull with a slightly more secure auth token


>
> Anyway, lots of similar (but fairly local) systems out there perform real
> push payments which among many things exclude card networks, exploiting the
> fact that banks in many countries charges nothing for such transfers.  Push
> doesn't need tokenization since it only hands over a payment receipt or
> similar to the merchant.
>
>
Correct


>
>
> The token looks like a card number so to the merchant or acquirer they
> just look like a card number and therefor they pass through the network
> seamlessly. As I understand it these are similar to the tokens used in
> schemes like Apple Pay and Samsung Pay but those are issued in conjunction
> with Apple/Samsung where as these are just issued by the banks.
>
>
> As I understand Apple Pay requires patches somewhere in the backend since
> at least local payments do not rely on the client having Internet
> connectivity.
>
>
> The feedback I got was that an open payment method for tokenised card
> payments is essential otherwise they see no future for the payment app
> ecosystem other than for proprietary apps.
>
> Basic card will be fulfilled by browsers so there is no way for an issuer
> to offer payment via a more secure mechanism without third-parties. We
> don't want every bank coming up with their own payment method.
>
> So, I'd encourage anyone with knowledge of how these schemes work and
> access to the specs to provide input into a first draft payment method spec
> that we can work on next week.
>
>
> Creating a scalable tokenization scheme seems hard.  EMV tokenization is
> really just a set of guidelines where awkward stuff like authentication to
> tokenization providers have been left to implementers.
>

Correct but there is enough in the guidelines to define a message format
between the merchant and the payment app which is all we need to define a
payment method for the Web Payments APIs.


>
> Anders
>
>
>
> Adrian
>
>
>
Received on Friday, 16 September 2016 08:53:44 UTC

This archive was generated by hypermail 2.3.1 : Friday, 16 September 2016 08:53:44 UTC