Re: [w3c/browser-payment-api] Storing card information (#199)

> As has been stated, we need to explore other more secure payment methods, basic card is just the start.

👍 to @mattsaxon 

I'd be loath to be too restrictive in the basic card spec because as @adamroach points out this is intended to be an interim step to bootstrap the system. (I originally proposed that we call it "Legacy Card Payments" to indicate this).

Any merchant that implements a website supporting this payment method will be subject to PCI DSS restrictions anyway so I'm not worried that they will be storing card details for future use unless they have all the checks in place. In fact, if they can avoid it, and the expensive PCI DSS audits that come with it they will.

My hope is that we will quickly see new payment methods that are designed for use by the card networks but don't require exchange of PANs at all.

We should also bear in mind that there are different types of tokenization. On the one hand we have tokens that are generated by the merchant PSP so that the merchant has a re-usable (but not PCI DSS sensitive) token it can use to initiate future payments (like for subscriptions).

I think we could put a pretty simple payment method spec together that defines a payment method like that but I don't think it should be in the basic card payment spec. This spec would need to provide an easy on-ramp for the likes of Braintree and Stripe that hold stored card details for millions of card holders and would like to leverage this to not use the basic card payment method.

On the other hand, issuer tokens are different and are provided by the payer instead of a PAN right from the beginning. The merchant and their PSP may never even see the original PAN. This type of system is not catered for by any of our payment method specs today and probably shouldn't be.

My assumption is that this is the kind of payment method that will be defined by the schemes themselves in collaboration with the entities that do issuer-side tokenisation and that payment apps will simply need to store the tokens and send them as part of the payment.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/199#issuecomment-220309631

Received on Thursday, 19 May 2016 12:29:31 UTC