> I think it depends on how strong the merchant credential is to communicate to GW. Usually here we are looking at network security (VPN, TLS etc)
Are you saying that you require mTLS for the merchant to gateway/psp communication?
> My point was on subsequent transactions you were still passing the id stored in the browser. So you still have a static value in the browser which is sent to the merchant, then rely on the merchant to get the token. So here you are relying on merchant credentials; if they get compromised, then a hacker can use the static id to get the token.
Yes, that's what I imply. Breaking into the merchant infrastructure should be harder than breaking into the end-user's computer.
> We can simplify this further I think and improve user experience without compromising on security. We can have a call to discuss further.
Sounds good. Let's have a chat.
https://github.com/w3c/webpayments-methods-tokenization/issues/8#issuecomment-307173630