- From: Steve Sommers <steve@shift4.com>
- Date: Fri, 23 Jun 2017 22:43:29 +0000
- To: 'Ian Jacobs' <ij@w3.org>, Payments WG <public-payments-wg@w3.org>
Hi Ian,

I rarely make it to the conference calls so I'll provide some feedback here for the referenced Payment Method Best Practice document.

In the Payee Identity section there is a reference "In these cases, it may be useful to provide a 'merchantID' in the data field..." and then the example code shows merchantIds. These merchant IDs cannot and should not be the merchant's acquirer bank merchant ID number as this would be very dangerous.

Background: Years back deviants learned that old credit card terminals found on eBay and other resale sites contained merchant IDs. They then used these IDs to post fraudulent credit/return postings to their "mule cards" and posted offsetting sales/purchases to stolen cards. Other deviants simply used the merchant IDs to validate that stolen cards were valid and could be used for purchases.

Moral of the story: Merchant IDs are considered sensitive data and should be protected. More thought will need to be given to the merchant ID - or maybe there has been and I just didn't read enough of the referenced docs.

Steve Sommers
Senior Vice President, Applications Development
Shift4 Corporation

-----Original Message-----
From: Ian Jacobs [mailto:ij@w3.org]
Sent: Friday, June 23, 2017 6:46 AM
To: Payments WG
Subject: Should we make Payment Method Best Practice a WPWG Note?

Hi WPWG,

While we have been working on the other specs I’ve been recording good practices notes in:

Payment Method Best Practice
https://w3c.github.io/webpayments/proposals/method-practice/

Now that the PMI spec [1] refers to it, should we take it up officially as a WD that will become a WG Note?

I have not reviewed it lately and welcome review by others!

Ian

[1] https://w3c.github.io/webpayments-method-identifiers/

--
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 718 260 9447

Received on Friday, 23 June 2017 22:44:01 UTC