
RE: Minutes [Was: [Agenda] 5 September Tokenization Task Force call]

From: Steve Sommers <steve@shift4.com>
Date: Tue, 5 Sep 2017 17:06:28 +0000
To: 'Ian Jacobs' <ij@w3.org>, Payments WG <public-payments-wg@w3.org>
Message-ID: <CF20D77A1CB1C34BA3338F5F7C4C8A31102F8E42@S4-MAIL02.shift4.com>

Sorry, I was not able to attend. One comment in reading the minutes:

RE: "Sachin: I think it makes more sense to manage these two as separate specs
 ... I think we should address encrypted card and network tokens separately for now
 ... and later see if we want to merge"


The whole basis for tokenization is that tokens cannot be decrypted. Tokens should not be mathematically related to the data they are protecting. For specific scenarios, encryption is a must - including behind the scenes for tokenization (i.e., the referenced vault), but including encryption support within a tokenization spec defeats its biggest benefit - IMHO.

To me, secure passing of card data like this should happen behind the scenes, outside the merchant environment, provider to provider with the payment API passing provider information. Maybe this could be a separate card/token exchange spec for providers to use. I intentionally used "provider" here as a provider could be a card network (brand), processor, gateway, or even a merchant-hosted tokenization vault of some sort.

Steve Sommers
Senior Vice President, Applications Development

Shift4 Corporation
1491 Center Crossing Road
Las Vegas, NV  89144-7047

702.597.2480 ext. 40400
fax 702.597.2499



-----Original Message-----
From: Ian Jacobs [mailto:ij@w3.org]
Sent: Tuesday, September 05, 2017 9:39 AM
To: Payments WG
Subject: Minutes [Was: [Agenda] 5 September Tokenization Task Force call]

Hi all,

Minutes from today’s call:

Next meeting: 19 September


> On Sep 4, 2017, at 8:23 AM, Ian Jacobs <ij@w3.org> wrote:
> Participants in the tokenization task force,
> Our next call takes place 5 September at 11:30am-12:30pm ET.
> We will meet on irc.w3.org on #wpwg.
> Previous call: 22 August:
>  https://www.w3.org/2017/08/22-wpwg-minutes

> Ian
> ======
> Agenda
> * Review NEW draft “Encrypted Card Payment Method” (Olivier)
>   https://github.com/w3c/webpayments-methods-tokenization/wiki/encrypted_card

> * Next meeting. Proposed 19 September.
>   - Question: will we have updates to network tokenization spec by then? (or requires another week?)
> Thank you,
> Ian
> --
> Ian Jacobs <ij@w3.org>
> https://www.w3.org/People/Jacobs/

> Tel: +1 718 260 9447

Ian Jacobs <ij@w3.org>

Tel: +1 718 260 9447

Received on Tuesday, 5 September 2017 17:06:59 UTC
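
The distinction drawn in the message above, between a token that is only a vault reference and an encrypted card number that anyone holding the key can reverse, is shown in this added example; it is not code from the thread, the task force, or any W3C draft. `TokenVault`, `luhn_ok`, the in-memory storage and the rule that tokens must fail the Luhn check are assumptions made for illustration.

```python
import secrets


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory stand-in for a provider-side token vault."""

    def __init__(self):
        # A real vault would encrypt stored PANs at rest; that encryption stays
        # inside the vault and never shapes the token itself.
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if pan in self._token_by_pan:  # same card, same token within this vault
            return self._token_by_pan[pan]
        while True:
            # Digits come from the OS CSPRNG, not from the PAN or any key,
            # so there is nothing to decrypt or invert.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            # Assumption: tokens must fail Luhn so they cannot pass as a PAN.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        # The only route back to the PAN is a lookup in this vault.
        return self._pan_by_token[token]  # KeyError for unknown tokens


if __name__ == "__main__":
    SAMPLE_PAN = "4111111111111111"  # constructed sample: common test number
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    print(token, "->", vault.detokenize(token))
```

A party that holds the token but has no access to the issuing vault has nothing to attack cryptographically, which is why a second, empty vault cannot resolve it.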
