- From: Stephen McGruer <notifications@github.com>
- Date: Thu, 10 Aug 2023 06:40:23 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/831/1673246468@github.com>
Hey folks; sorry for the delay here in replying. Starting with my WPWG hat (will reply with my Chrome one following :D):

The WPWG discussed this issue at our August 3rd call ([minutes](https://www.w3.org/2023/08/03-wpwg-minutes.html)). Overall, we heard the following main points (my own summary):

- It is necessary for merchants to be able to iframe in PSPs to handle credit card data, to avoid merchants being subject to PCI DSS requirements.
- It is also necessary for Cardholder Name to remain on the merchant origin - two reasons we heard were that merchants want that relationship with their customer directly, and also that they may themselves be able to pre-populate that piece of information in certain cases (e.g., a pre-existing customer relationship). Having this field on the merchant origin is allowed because cardholder name is **not** covered by PCI DSS.
- The inability for autofill to fill checkout flows with iframes across a merchant/PSP is a known pain-point and there was general support for fixing it, including the three scenarios I covered above (filling 'across', filling less-sensitive data 'up', and filling 'down' - the latter requiring a permission policy).
- There was a suggestion made that one should be able to constrain the shared-autofill permission policy to certain 'types' of data, e.g. "only fill address autofill down into this iframe", or "only fill payments autofill down into this iframe".

Attendees of the meeting included representatives from a few merchants and the [Merchant Advisory Group](https://www.merchantadvisorygroup.org/), some credit card networks, some PSPs, and the PCI Security Standards Council. This list does not mean any particular entity approved of the proposal outside of what is captured in the minutes, but is just to give an idea of what the audience was.
-- View this comment on GitHub: https://github.com/w3ctag/design-reviews/issues/831#issuecomment-1673246468
Received on Thursday, 10 August 2023 13:40:29 UTC