Re: [w3c/webpayments] European market - Security concerns (#210)

Thanks for quick answer.

> This is not true. As a PSP you can still provide your merchants with code that embeds an iframe, the content of which is hosted on your secure (and PCI DSS certified) web servers.

> The Merchant can explicitly give that iframe permission to call the Payment Request API so when the user wants to pay the interaction is done directly with your systems.

I agree, it's technicaly possible and compliant. 
But i disagree on the UX involved; 

> For the redirect use case, nothing stops you from invoking the API when the user has been redirected to the payment page hosted on your secure servers.

Again, i agree; but we loose all UX, the payee is redirected from the ecommerce website to a generic page, loosing connection with the merchant.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:

Received on Wednesday, 8 February 2017 09:32:38 UTC