EMV versus SPC from a privacy perspective

*EMV:*

=================================
= Payment Request from Merchant =
=================================
               |
               V
+==============================+
| INTEGRATED PAYMENT UX & CODE |
+==============================+
|    1. Select Card            |
|    2. Authorize              |
|    3. Encrypt or Tokenize    |
+------------------------------+
               |
               V
================================
= User-authorized Request Data =
================================

As you can see, EMV is a "black box" requiring zero external communication.  Therefore it does not leak any information that is not strictly necessary for performing the actual task.  In this case the information required is limited to the name/URL of the user's bank.


*SPC:*

   =================================
   = Payment Request from Merchant =
   =================================
                 |
                 V
+===================================+
|    PROVIDER SPECIFIC CREDENTIAL   |
|    DISCOVERY AND ASSOCIATED UI    |
+===================================+
| Draft: The merchant communicates  |
| out-of-band with the issuing bank |
| of the payment instrument (e.g.,  |
| using ANOTHER protocol)           |
+-----------------------------------+
                 |
                 V
   +=============================+
   | SECURE PAYMENT CONFIRMATION |
   +=============================+
   |         Authorize           |
   +-----------------------------+
                 |
                 V
+==================================+
|    VERIFICATION BY MERCHANT      |
+==================================+
| Draft: The merchant communicates |
| the signed cryptogram to the     |
| issuing bank out-of-band         |
+----------------------------------+

In addition to requiring extensive and proprietary communication between Merchants and Issuers, SPC depends on sharing account information with Merchants.

It is hardly surprising that W3C members like Apple, Google, and Worldline, in their own commercial payment efforts, all build on variants of the EMV concept.

Anders

Received on Sunday, 31 October 2021 03:47:56 UTC