> Ok, excellent. So we should easily be able to get a list of exactly if anyone needs this from the WG members.
Since the vast majority of the payment vendors are not WG members, and even fewer hang out on GitHub, that would (IMHO) not return an exhaustive response.
I would rather engage the members by asking: _How do you anticipate that the PaymentRequest API is to be used with providers of outsourced "Secure Payment Pages"_. A possible answer is that PaymentRequest is outsourced as well but then the Merchant won't be able to use _other_ outsourced providers in the same setup. BTW, how is PayPal supposed to work in this context?
Encrypting on the inside or on the outside is not only a technical issue, _it is a policy consideration_. Personally I'm not (at all) into policy, so I try to come up with solutions that should comply with any policy, be it sloppy or strict.
This topic seems like a possible task for the https://www.w3.org/Payments/IG/wiki/Security_Task_Force to dig into.
The proposal was partly "inspired" by a similar concept featured in Android Pay
https://developers.google.com/web/fundamentals/discovery-and-monetization/payment-request/android-pay#integration_using_network_token
where the "App" does the encryption.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-method-basic-card/issues/38#issuecomment-319599841