Tokenization. Was: "one click" from Anders Rundgren on 2016-10-06 (public-webpayments-ig@w3.org from October 2016)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 6 Oct 2016 13:58:10 +0200
To: Adrian Hope-Bailie <adrian@hopebailie.com>
Cc: Web Payments IG <public-webpayments-ig@w3.org>, Jeffrey Burdges <burdges@gnunet.org>
Message-ID: <b5b9ae6f-a5d1-13c8-8b31-4999deaec4d4@gmail.com>

On 2016-10-06 10:43, Adrian Hope-Bailie wrote:
> Sounds like a miscommunication to me

I guess so.

Anyway, there seems to be two entirely different tokenization solutions out there.

There's one since more than 15 years back established scheme where the issuer is
contacted before each transaction for minting a one-time PAN.  This scheme presumably
has no impact on the rest of the payment infrastructure.

The more recent schemes are based on cryptographic solutions which requires some
kind of "seed" key as well as a patch for invoking an issuer-specific "detokenizer"
somewhere in the payment backend.

None of these schemes appear to be particularly simple to deploy.

Due to that I'm working with a simpler and more scalable concept for achieving
approximately the same functionality.

Anders

>
> On 6 October 2016 at 10:06, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     On 2016-10-03 23:41, Jeffrey Burdges wrote:
>
>
>         I noticed this NYT article that couched the Payment WG's spec as being
>         about "one click" :
>         http://www.nytimes.com/2016/09/26/business/dealbook/what-if-one-click-buying-were-internetwide.html?_r=0 <http://www.nytimes.com/2016/09/26/business/dealbook/what-if-one-click-buying-were-internetwide.html?_r=0>
>
>         It's not actually possible to do one click shopping on a merchant's site
>         securely.  You need interactions with the payment mediator and payment
>         app.
>
>
>     There are other noteworthy stuff in the article as well:
>
>      "On the security side, rather than sending along all the credit card details,
>       the browser will generate a one-time payment token that will avoid leaving
>       your credit card number in countless databases around the world"
>
>     The _browser_ performs tokenization?
>
>     Anders
>
>
>
>         Interestingly, there is actually a way to do one click shopping though
>         if you move the buy button off the merchant's site entirely and into the
>         browser itself.  If a merchant sends a contract, then you display the
>         payment mediator, shipping address information, and payment app in an
>         overlay window separate from the merchant controlled window.  This
>         contains a buy button, so the user can verify information like shipping
>         visually, and push buy without necessarily changing anything.
>
>         Just though that was funny,
>         Jeff
>
>
>
>

Received on Thursday, 6 October 2016 11:58:41 UTC