Re: Integration between PaymentRequest and Receipts

yeah - this is the problem "you cannot get any money out of the system
unless you are a legitimate merchant."
Who is it that determines "legitimate merchant"?
And if it is not a "legitimate merchant" will the bank make me whole?
I guess I will prefer to deal with trusted intermediaries. This appears to
be a case where the disintermediation and frictionless payment provided by
the web is a really bad idea.
Peace ..tom


On Sun, Oct 4, 2020 at 11:51 AM Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2020-10-04 19:07, Tom Jones wrote:
> > Let me express my concern that I presented earlier to the UKOBIE.
> > Creating a common UX between my bank and some random request for funds is
> > likely to lead to fraud by attackers trying to confuse the user into making
> > payments that are not intended. I strongly believe that the user MUST
> > understand when they are securely communicating with their bank and when
> > they are being solicited for payments. Integrating these two is not going
> > to end well for consumers.
>
> Dear Tom, does this have anything to do with the integration of receipts?
>
> Anyway, if we stick to on-line/Web payments, I believe you are trying to
> solve a problem that you haven't fully analyzed.  In short: you cannot get
> any money out of the system unless you are a legitimate merchant.  If a
> legitimate merchant tries to fool users there's nothing your bank can do
> about it up-front.  In fact, it probably cannot (on its own) even know if
> the merchant is legitimate!  Isn't that a problem?  No, the legitimacy of a
> merchant is provided by other parts of the payment infrastructure.
>
> Saturn is in this respect no different than for example Apple Pay.  BTW,
> these systems do not talk (directly) to the bank; they build on user
> authorizations that are (indirectly) "routed" to the bank.
>
> However, fraud has indeed been reported for P2P payment systems like
> Zelle and Swish, where the identity of the recipient remains a thorny
> problem.  If you have a silver bullet to offer here, I'm sure we are all
> ears!
>
> If you want, we could have a video-call on how Saturn deals with
> authorization.
>
> Anders
>
> > Peace ..tom
> >
> >
> > On Sun, Oct 4, 2020 at 6:16 AM Anders Rundgren <
> > anders.rundgren.net@gmail.com> wrote:
> >
> >     Hi WG,
> >
> >     This is not yet ready for public testing, but here is the core
> >     documentation:
> >     https://1drv.ms/b/s!AmhUDQ0Od0GTigDejoaMj3TZ0sKs
> >
> >     Enjoy!
> >     Anders
> >
>
>

Received on Sunday, 4 October 2020 19:05:05 UTC