The `nonce` is a one-time use identifier. It is discarded after the initial emission to the merchant.
The reason for sending the nonce instead of the `token` is to increase security.
The `nonce` is discarded by the user agent right after sending it to the merchant.
The upside of using the `nonce` is that any program (malicious addons, rootkits and other spyware) watching the user agent's databases and memory will only find useless fragments of data. It won't be useful at all to any attackers.
Consider if we passed the `token` to the user agent.
One of the uses of the `token` is for repeated offline use. If we send the `token` to the user agent, we're trusting that the user's machine is not compromised, because that `token`, when put in the wrong hands, is one of the keys required for an attacker to usurp the merchant.
Passing the `id` is much safer. That means that an attacker would also need to break into the merchant's infrastructure to obtain the `id` and `token` mappings.
> On subsequent checkout (existing diagram), are we sending the tokenized card id or nonce? Once we know the answer then we can decide if browser can share the token itself.
On subsequent checkout, only the card id is sent.
--
https://github.com/w3c/webpayments-methods-tokenization/issues/8#issuecomment-307163546
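The flow described in the comment above, sketched as an added example that is not part of the original comment or of the W3C draft: the user agent only ever handles a single-use `nonce` and a card `id`, while the `token` stays behind the merchant. The class names, the provider that issues and redeems nonces, and the card number are assumptions made for illustration.

```python
import secrets


class TokenProvider:
    """Hypothetical tokenization service: issues single-use nonces, redeems them for tokens."""

    def __init__(self):
        self._pending = {}  # nonce -> token, held only until the first redemption

    def issue_nonce(self, card_number):
        token = secrets.token_urlsafe(32)  # long-lived token, never handed to the user agent
        nonce = secrets.token_urlsafe(16)  # one-time identifier the user agent forwards
        self._pending[nonce] = token
        return nonce

    def redeem(self, nonce):
        # pop() enforces single use: a replayed or stolen-after-use nonce finds nothing
        token = self._pending.pop(nonce, None)
        if token is None:
            raise PermissionError("nonce unknown or already used")
        return token


class Merchant:
    """Hypothetical merchant backend: keeps the id -> token mapping server-side."""

    def __init__(self, provider):
        self._provider = provider
        self._tokens = {}  # card id -> token, never leaves merchant infrastructure

    def first_checkout(self, nonce):
        token = self._provider.redeem(nonce)
        card_id = secrets.token_hex(8)  # opaque reference, useless without the mapping
        self._tokens[card_id] = token
        return card_id

    def subsequent_checkout(self, card_id):
        return card_id in self._tokens  # token is looked up here, not sent by the client


def run_flow():
    provider = TokenProvider()
    merchant = Merchant(provider)
    nonce = provider.issue_nonce("4111111111111111")  # constructed test card number
    card_id = merchant.first_checkout(nonce)
    try:
        merchant.first_checkout(nonce)  # replay of the captured nonce
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    user_agent_state = {"card_id": card_id}  # all the user agent keeps after enrollment
    token = merchant._tokens[card_id]
    return {"replay_accepted": replay_accepted,
            "repeat_checkout_ok": merchant.subsequent_checkout(card_id),
            "token_in_user_agent": token in user_agent_state.values()}
```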