
Re: [w3c/webpayments] European market - Security concerns (#210)

From: tugal <notifications@github.com>
Date: Wed, 08 Feb 2017 01:31:44 -0800
To: w3c/webpayments <webpayments@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webpayments/issues/210/278276664@github.com>
Thanks for the quick answer.

> This is not true. As a PSP you can still provide your merchants with code that embeds an iframe, the content of which is hosted on your secure (and PCI DSS certified) web servers.

> The Merchant can explicitly give that iframe permission to call the Payment Request API so when the user wants to pay the interaction is done directly with your systems.

I agree, it's technically possible and compliant.
But I disagree on the UX involved;

> For the redirect use case, nothing stops you from invoking the API when the user has been redirected to the payment page hosted on your secure servers.

Again, I agree; but we lose all UX, the payee is redirected from the ecommerce website to a generic page, losing connection with the merchant.



Received on Wednesday, 8 February 2017 09:32:38 UTC
