External privacy analysis of SPC

Hi List,

Secure Payment Confirmation (SPC) is probably the only payment related standardization initiative that depends on sharing PII like card numbers and key handles (credentialId in FIDO terms) with (technically) untrusted third parties like Merchants.  BTW, Merchants do not need card numbers, they need assurances that they will get paid.

State-of-the art systems like Apple Pay also encrypt user authorization data.

The architecture underpinning Apple Pay as well as the 10 billion EMV cards currently in circulation, does not have these privacy implications.  The SPC competitors have therefore adopted variants of the EMV concept. However, the motives for that are mainly 1) Simple integration in Merchant systems 2) Nice and consistent UX. In contrast to the EMV standard, SPC leaves these core characteristics to the payment providers to figure out.

Sincerely,
Anders Rundgren

Received on Thursday, 28 October 2021 03:30:36 UTC