Re: [w3c/browser-payment-api] Propose a payment method specification that includes an example of field level security (#141)

Hello,
In order to reduce security risks on the client side, I would suggest delegating this part to when the show method is fired. As I'm pretty sure it won't be possible to have a common encryption mechanism for all payment methods, the data will be available in plain text at the beginning of the process.
When the show method is triggered, the browser first requests a public key from the payment application (an encryption method could be added here if needed). If one is received, the browser internally replaces the plain text data with encrypted data. If field encryption is not supported, the previous call can send back a "not supported" message and the plain text data will be kept to call the payment app.
The payment flow itself is then unchanged. I tried to summarize it in this [Sequence diagram](http://plantuml.com/plantuml/png/ZP8nJyCm48Nt_8eJ3BGI5JkYI80OGH4T6123uxms1yOsjjDIVZtdf2qHhIesoxxttNk-yoearkoLJNHIgZL0emS4tSZ5c5vkj8PFBhpICwh82IUa8lbSL_Y_qd0MQJHhdFVvEARRu5OHePDK_PaEg7R8iFVu0JaexmrhbTXPkg1oLlQ2w8lE1qskT_HBAWDY5ka6-dtYsYJa1RhAG5UJbzD50EphK3A3WTueik03gN7r8VXTW4eWLxrbmTm5IWr8AsFEQSu151kt6estXEcKjXdOSc9b-BkFCPqMMweqa2W2Vy9dYoX-sqhYqZlMHNwO_8ddbbo3rA2iCp9dc9fWTLZxtA9G9b7vM-DxOJti-ukzxtK4fPiDgeri5qCp1uMtBKjjs5XFBiznRsWhJitM6kgU7mkO27fqmo37JVw_bpUABILyfLqpMn_vyGqd9bc_uTJ4ZqRiFa8cPbsU_L88tMgSTojue5IMKndPb7fDDQ8EN4aYCK0Py0C0)
This approach should:

- minimize public key exposure to the client. A public key could be generated for each payment instead of being hard-coded into the merchant website
- allow a transparent update to the field encryption mechanism for integrators, as it would be done automatically between the browser and the payment application

Currently, our team has integrated many payment methods and none of them have encryption at the field level, maybe because most of the calls are made server-side.
I hope it'll help you.


Received on Tuesday, 19 April 2016 14:34:36 UTC
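
The flow described in the message above, as an added Node.js sketch that is not part of the original comment or of the Payment Request specification. RSA-OAEP and the names `getPublicKey`, `pay` and `showWithFieldEncryption` are assumptions chosen for illustration; the message names neither an algorithm nor an API.

```javascript
// Added illustration of the proposed flow; all function names are hypothetical.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Payment app that supports field encryption: one fresh key pair per payment.
function makeEncryptingApp() {
  let privateKey = null;
  return {
    getPublicKey() {
      const pair = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
      privateKey = pair.privateKey;
      return { supported: true, publicKeyPem: pair.publicKey.export({ type: 'spki', format: 'pem' }) };
    },
    pay(request) {
      const clear = { ...request.data };
      for (const name of request.encryptedFields) {
        const ct = Buffer.from(request.data[name], 'base64');
        clear[name] = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, ct).toString('utf8');
      }
      privateKey = null; // single use: the key is dropped once the payment is handled
      return { onTheWire: request.data, processed: clear };
    },
  };
}

// Payment app without field encryption: answers "not supported".
function makeLegacyApp() {
  return {
    getPublicKey() { return { supported: false }; },
    pay(request) { return { onTheWire: request.data, processed: request.data }; },
  };
}

// Browser side of show(): ask for a key, encrypt the named fields if one is
// returned, otherwise keep the plain text data. The call to pay() is the same.
function showWithFieldEncryption(app, data, sensitiveFields) {
  const reply = app.getPublicKey();
  if (!reply.supported) return app.pay({ encryptedFields: [], data });
  const out = { ...data };
  for (const name of sensitiveFields) {
    const pt = Buffer.from(String(data[name]), 'utf8');
    out[name] = nodeCrypto.publicEncrypt({ key: reply.publicKeyPem, ...OAEP }, pt).toString('base64');
  }
  return app.pay({ encryptedFields: sensitiveFields, data: out });
}

// Constructed sample data (a widely used test card number, not a real card).
const SAMPLE = { cardNumber: '4111111111111111', expiry: '12/30', amount: '10.00' };
```

With a 2048-bit key and SHA-256, RSA-OAEP limits each field to 190 bytes, so longer values would need a hybrid scheme. The sketch also takes the returned key on trust; how the browser authenticates that the key really comes from the payment app is outside what the message covers.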