[w3c/3ds] Spec feedback (#8) from Adam Solove on 2018-08-22 (public-webpayments-specs@w3.org from August 2018)

From: Adam Solove <notifications@github.com>
Date: Wed, 22 Aug 2018 07:57:40 -0700
To: w3c/3ds <3ds@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/3ds/issues/8@github.com>

Here's an outline of my thoughts after reviewing the draft spec. I'll close this issue after we discuss these at today's meeting.

### Request data
- requestLevel cases
  separate into two things: is 3ds required? is challenge required/not allowed/don't care?
    merchant likely doesn't know which until address entered
  references to "step up" should be changed to "challenge flow", which is the official 3DS spec term
- handler for 3DS will need to receive or collect shipping address for physical goods
  merchant needs a way to mark whether shipping is needed or not
  merchant needs events to listen on shipping changes and possibly change 3DS config
  where do we specify "stuff the 3DS module requires of its host payment method?"
- handler will need to gather email and 
- payee data
  order number, merchant id, acquirer id, acquirer merchant id, merchant name, 
  opt in to encrypted or tokenized card number

###Response data
- cases of ThreeDSResponse
  (See [Cardinal's 3DS2 result test cases](https://cardinaldocs.atlassian.net/wiki/spaces/CCen/pages/412712961/3DS+2.0+Test+Cases))
  if we add a requestLevel=never3DS, then returned data shape is different
    is the shape of returned data then specified by the host payment method?
  if there's an error during 3ds, or ACS is unavailable or times out
    if 3ds required, handler should prompt for another form of payment
    if 3ds not required, handler maybe falls back to returnign card/token without performing 3ds.
  there are lots of case intersections, for example:
    if 3ds is required but merchant specifies frictionless, what do we do if frictionless denied?
      give up and ask for another payment method from the customer?
      try 3ds again and allow a challenge?

Privacy/data gathering
- points in the spec still stand: we don't know what to do here, probably need browsers to make a suggestion
- how we will load method_url, or get around the need to, is the biggest question for this spec

Footnote
- Should 3DS reference point to a specific version of the spec rather than a landing page that will point to the latest 3DS-related specs and change over time?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/3ds/issues/8

Received on Wednesday, 22 August 2018 14:58:01 UTC