RE: EMV versus SPC from a privacy perspective

Thank you Anders for the elaborate explanation of the differences between EMV and SPC from a privacy perspective.

Regards,

Joshua Ssengonzi | DefendersTech Program Officer
Human Rights House | Plot 1853 John Kiyingi Rd, Nsambya | P.O. Box 70356 Kampala
Office: +256 393 266 827 | Mobile & WhatsApp: +256 782 116408
Email: joshuas@defenddefenders.org<mailto:joshuas@defenddefenders.org>
[cidimage004.png@01D64565.B6A3A640]
http://www.defenddefenders.org | www.twitter.com/defenddefenders<https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.twitter.com%2Fdefenddefenders&data=04%7C01%7CJoshuaS%40defenddefenders.org%7C7976f78f22604d16cf2708d8fd930c8c%7Cbf2a604b4c464ff9b23855f306004533%7C0%7C0%7C637538155300624102%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=W0zHxCkVfD4J1OHzeoiJAsHCOaf3Whzx09jowWFwrlg%3D&reserved=0> | www.facebook.com/defenddefenders/<https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.facebook.com%2Fdefenddefenders%2F&data=04%7C01%7CJoshuaS%40defenddefenders.org%7C7976f78f22604d16cf2708d8fd930c8c%7Cbf2a604b4c464ff9b23855f306004533%7C0%7C0%7C637538155300624102%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pACEZ%2BnxcJajLk5SKy3lgh1LCofAKqFvPfxRmuHcDNQ%3D&reserved=0>

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Sent: Sunday, 31 October 2021 06:48
To: public-privacy@w3.org
Subject: EMV versus SPC from a privacy perspective

EMV:

=================================
= Payment Request from Merchant =
=================================
              |
              V
+==============================+
| INTEGRATED PAYMENT UX & CODE |
+==============================+
|    1. Select Card            |
|    2. Authorize              |
|    3. Encrypt or Tokenize    |
+------------------------------+
              |
              V
================================
= User-authorized Request Data =
================================

As you can see EMV is a "black box" requiring zero external communication.  Therefore it does not leak any information that is not strictly necessary for performing the actual task.  In this case the information required is limited to the name/URL of the user's bank.


SPC:

  =================================
  = Payment Request from Merchant =
  =================================
                |
                V
+===================================+
|    PROVIDER SPECIFIC CREDENTIAL   |
|    DISCOVERY AND ASSOCIATED UI    |
+===================================+
| Draft: The merchant communicates  |
| out-of-band with the issuing bank |
| of the payment instrument (e.g.,  |
| using ANOTHER protocol)           |
+-----------------------------------+
                |
                V
  +=============================+
  | SECURE PAYMENT CONFIRMATION |
  +=============================+
  |         Authorize           |
  +-----------------------------+
                |
                V
+==================================+
|    VERIFICATION BY MERCHANT      |
+==================================+
| Draft: The merchant communicates |
| the signed cryptogram to the     |
| issuing bank out-of-band         |
+----------------------------------+

In addition to requiring extensive and proprietary communication between Merchants and Issuers, SPC depends on sharing account information with Merchants.

It is hardly surprising that W3C members like Apple, Google, and Worldline in their own commercial payment efforts, all build on variants of the EMV concept.

Anders

Received on Monday, 1 November 2021 07:59:22 UTC