Re: [w3c/webpayments] Add SRC user recognition use case (PR #260) from Stephen McGruer on 2022-01-25 (public-payments-wg@w3.org from January 2022)

From: Stephen McGruer <notifications@github.com>
Date: Tue, 25 Jan 2022 05:52:17 -0800
To: w3c/webpayments <webpayments@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webpayments/pull/260/review/862299889@github.com>

@stephenmcgruer approved this pull request.



> @@ -0,0 +1,28 @@
+# EMV&reg; Secure Remote Commerce (SRC) User Recognition
+<sup>[Home][home] > [Use Cases][use-cases] > SRC User Recognition</sup>
+
+See more [information about EMV&reg;SRC](https://www.emvco.com/emv-technologies/src/), including the "Click-to-Pay" consumer facing UX.
+
+## Overview of Click-to-Pay Flow
+
+* The user pushes the Click-to-Pay button.

Optional; should we indicate that the user is usually **not** on an SRC-I page here? (As otherwise step 2 is just a 1p cookie)

> @@ -0,0 +1,28 @@
+# EMV&reg; Secure Remote Commerce (SRC) User Recognition
+<sup>[Home][home] > [Use Cases][use-cases] > SRC User Recognition</sup>
+
+See more [information about EMV&reg;SRC](https://www.emvco.com/emv-technologies/src/), including the "Click-to-Pay" consumer facing UX.
+
+## Overview of Click-to-Pay Flow
+
+* The user pushes the Click-to-Pay button.
+* The SRC Initiator (SRC-I) determines (via a cookie, typically) whether this is a returning user, and if so finds the user's SRC identity (e.g., email address).

This is interesting, as its not how I thought SRC worked! I had thought it was as follows:

1. Sometime in the past, user visits `https://src-a.com` and signs up for SRC with that system.
    * At this time, `https://src-a.com` drops a 1p cookie saying 'this user has ID abcd1234'
2. Later, user is on a site and clicks a Click To Pay button.
    1. SRC-I loads to handle the payment, and has no particular knowledge of the user
    2. SRC-I sends (e.g.) a fetch request to `https://src-a.com/get-details`
        * This fetch request is made with 3p cookies for `https://src-a.com`
        * Server-side, `https://src-a.com` reads its previously set cookie and looks up abcd1234 in its database to fetch credit card details
        * These details are then returned to SRC-I
    3. Repeat step ii. for each known SRC system.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/pull/260#pullrequestreview-862299889
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/webpayments/pull/260/review/862299889@github.com>

Received on Tuesday, 25 January 2022 13:52:30 UTC