[browser-payment-api] How do we ensure that the payment request from the merchant is not tampered with before it gets to the payment app? (#41) from Manu Sporny on 2016-03-14 (public-webpayments-specs@w3.org from March 2016)

From: Manu Sporny <notifications@github.com>
Date: Sun, 13 Mar 2016 17:55:48 -0700
To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
Message-ID: <w3c/browser-payment-api/issues/41@github.com>

If a merchant requests a payment, how can they be sure that their payment request is not tampered with when in transit to a 3rd party payment processor?

There are at least two ways to accomplish this:

1. Create an independent channel between the merchant and customer payment processor to send the payment request over.
2. Digitally sign the payment request.

I suggest that #2 is more flexible in the long run as the payment request could travel through a variety of communication channels that we can't imagine today. For example, HTTP -> NFC -> Bluetooth -> HTTPS.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/41

Received on Monday, 14 March 2016 00:56:19 UTC