Re: [w3c/3ds] Some high-level issues to discuss (#2)

Some thoughts (based on your helpful analysis):
 * The merchant needs to package up some data used for risk analysis by the issuer. 
   (At least this is my guess if merchants want to leverage the risk analysis part of 3DS.)
 * The merchant does not want to share that data with arbitrary parties.
 * The merchant does not want that data to be tampered with.

Would this flow work?
 * The merchant (or their PSP) creates the required data package, encrypts and signs it.
   Call this "MerchData".
 * The merchant provides a 3DS endpoint URL and the MerchData to PR API.
 * The browser only displays payment apps that match on the endpoint URL. (I'm not sure yet
   whether that makes sense.)
 * When the user selects a payment instrument (e.g., Visa card from Chase), the payment
   app initiates the 3DS protocol calling the 3DS endpoint and sending it the relevant data.
 * The payment app receives necessary information from the 3DS server (issuer URL)
   and displays the issuer's authentication window. (Not yet sure whether this works with
   Web security.)
 * After authentication (when required), the payment app returns the AV in the response data.

Presumably this would still require changes to 3DS. But I am curious whether this addresses some
of the trust issues raised.
Ian

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/3ds/issues/2#issuecomment-362927032

Received on Sunday, 4 February 2018 18:14:08 UTC