- From: Adrian Hope-Bailie <adrian@hopebailie.com>
- Date: Sat, 24 Jun 2017 13:14:53 +0200
- To: Steve Sommers <steve@shift4.com>
- Cc: Ian Jacobs <ij@w3.org>, Payments WG <public-payments-wg@w3.org>
- Message-ID: <CA+eFz_LebKfhf2Msy62_WSsWA3C142EMXrJbL1pmXKL+sm0KhQ@mail.gmail.com>
Hi Ian,

I'd support the WG taking this up as a draft for possible publication as a note.

Adrian

On 24 June 2017 at 00:43, Steve Sommers <steve@shift4.com> wrote:

> Hi Ian,
>
> I rarely make it to the conference calls so I'll provide some feedback
> here for the reference Payment Method Best Practice document.
>
> In the Payee Identity section there is a reference "In these cases, it may
> be useful to provide a 'merchantID' in the data field..." and then the
> example code shows merchantIds. These merchant IDs cannot and should
> not be the merchant's acquirer bank merchant ID number as this would be
> very dangerous.
>
> Background: Years back deviants learned that old credit card terminals
> found on ebay and other resale sites contained merchant IDs. They then used
> these IDs to post fraudulent credit/return postings to their "mule cards"
> and posted offsetting sales/purchases to stolen cards. Other deviants
> simply used the merchant IDs to validate that stolen cards were valid and
> could be used for purchases. Moral of the story: Merchant IDs are
> considered sensitive data and should be protected.
>
> More thought will need to be given to the merchant ID - or maybe there has
> been and I just didn't read enough of the referenced docs.
>
>
> Steve Sommers
> Senior Vice President, Applications Development
>
> Shift4 Corporation
> 1491 Center Crossing Road
> Las Vegas, NV 89144-7047
>
> 702.597.2480 ext. 40400
> fax 702.597.2499
> www.shift4.com
> steve@shift4.com
>
> facebook.com/shift4corp
> twitter.com/shift4corp
> linkedin.com/companies/shift4-corporation
> shift4.com/blog
>
>
> This message contains confidential information and is intended only for
> the individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and
> delete this e-mail from your system. E-mail transmission cannot be
> guaranteed to be secure or error-free as information could be intercepted,
> corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
> The sender therefore does not accept liability for any errors or omissions
> in the contents of this message, which arise as a result of e-mail
> transmission. If verification is required please request a hard-copy
> version.
>
> -----Original Message-----
> From: Ian Jacobs [mailto:ij@w3.org]
> Sent: Friday, June 23, 2017 6:46 AM
> To: Payments WG
> Subject: Should we make Payment Method Best Practice a WPWG Note?
>
> Hi WPWG,
>
> While we have been working on the other specs I’ve been recording good
> practices notes in:
>
> Payment Method Best Practice
> https://w3c.github.io/webpayments/proposals/method-practice/
>
> Now that the PMI spec [1] refers to it, should we take it up officially as
> a WD that will become a WG Note?
>
> I have not reviewed it lately and welcome review by others!
>
> Ian
>
> [1] https://w3c.github.io/webpayments-method-identifiers/
> --
> Ian Jacobs <ij@w3.org>
> https://www.w3.org/People/Jacobs/
> Tel: +1 718 260 9447

Received on Saturday, 24 June 2017 11:15:27 UTC