Re: [w3ctag/design-reviews] Secure Payment Confirmation (heading to Candidate Recommendation) (Issue #763)

Hi @torgo,

Thank you and the TAG for the additional review/questions. 

I take your first point (on navigator.credentials.get()) to mean "Does SPC have to be based on Payment Request API?" The Working Group has an open issue on that topic [1]. Organizations conducting pilots or building demos (e.g., that integrate with 3-D Secure) have not indicated that the current API shape poses challenges. We have also heard from two browser vendors that there are advantages to leveraging Payment Request API. Having said that, there are also advantages to moving away from Payment Request, such as the ability to use SPC within a payment handler. Having discussed these considerations (including timeliness), the current Working Group consensus is that for version 1 we prefer to stick with the Payment Request API approach.

Thank you for the review of the explainer. As a result of PING review of SPC earlier this year we made some changes to the specification (including being more specific about mitigations) but we did not update the explainer at the same time. Your comment today prompted the Editors to update the explainer with the same improvements found in the specification; see this merged pull request:
 https://github.com/w3c/secure-payment-confirmation/pull/213

And the updated explainer privacy considerations:
 https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md#privacy-considerations

Please let me know if these improvements satisfy your concerns, or if you have other suggestions. Thanks again!

Ian

[1] https://github.com/w3c/secure-payment-confirmation/issues/56

Message ID: <w3ctag/design-reviews/issues/763/1259894033@github.com>

Received on Tuesday, 27 September 2022 18:28:55 UTC