Re: [w3c/3ds] Some high-level issues to discuss (#2)

@asolove-stripe said:

> We can't obviously push complexity to payment handlers because merchants cannot simply work with any handler that registers for that generic 3DS method. Nor can they hand over all the data involved to an unknown middleman that speaks to the 3DS server for them.

I don't entirely agree with this.

There are two sources of data, the merchant and the handler (on behalf of the user). The merchant supplies information about the context and the handler provides the user's payment instrument details.

3DS through PRAPI requires that the handler effectively perform step 3 in your first diagram on behalf of the merchant.

To mitigate the concern about passing data to an unknown middleman, I suggest we consider @ianbjacobs's suggestion and use encryption.

Option 1

1. The merchant provides a gateway URL and a blob of encrypted data in the Payment Request.
2. The payment handler submits this data along with the card details to the provided URL, and if the issuer requests a step-up, it renders the content of the returned URL in an iframe, just as the merchant website would have done in flow 1 step 4.

Option 2

1. The merchant submits the tx details (without card details) to the gateway and gets back a URL to include in the PR.
2. The merchant provides the gateway URL in the Payment Request.
3. The payment handler submits the card details to the provided URL, and if the issuer requests a step-up, it renders the content of the returned URL in an iframe, just as the merchant website would have done in flow 1 step 4.

Pros:
  * There is a good chance the handler is provided by the issuer, so step-up auth is less likely

Cons:
  * Can the handler trust the URL from the merchant? Is there a way to be sure that the card details are not being submitted to a malicious URL?

Is this negative even an issue, given that this is no different to the user submitting their card details to the merchant directly? At least in this case the handler can have a blacklist of origins that it won't trust, or be even more conservative and use a whitelist.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/3ds/issues/2#issuecomment-363468138

Received on Tuesday, 6 February 2018 15:59:52 UTC
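
The origin check raised under "Cons" above, as an added example that is not part of the original message or of any W3C specification: a payment handler vets the merchant-supplied gateway URL before submitting card details to it. The function name `checkGatewayUrl`, the policy shape and the origins are hypothetical, and the sample policy is constructed.

```javascript
'use strict';

// Constructed sample policy (hypothetical origins).
// mode "allow": conservative, only listed origins pass (whitelist).
// mode "deny":  any HTTPS origin passes unless it is listed as bad (blacklist).
const samplePolicy = {
  mode: 'allow',
  allow: new Set(['https://gateway.example']),
  deny: new Set(['https://collector.invalid']),
};

// Decide whether the handler may submit card details to the URL that the
// merchant placed in the Payment Request. Compares normalized origins, never
// substrings, so look-alike hosts and userinfo tricks do not match.
function checkGatewayUrl(rawUrl, policy) {
  let url;
  try {
    url = new URL(rawUrl); // absolute URLs only; relative input throws
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // Card details must never leave over a cleartext or non-web scheme.
  if (url.protocol !== 'https:') return { ok: false, reason: 'not-https' };
  // "https://gateway.example@other.host/" puts the trusted name in userinfo.
  if (url.username || url.password) return { ok: false, reason: 'userinfo' };

  // url.origin lowercases the host and drops the default port.
  const origin = url.origin;
  if (policy.deny.has(origin)) return { ok: false, reason: 'denied-origin' };
  if (policy.mode === 'allow' && !policy.allow.has(origin)) {
    return { ok: false, reason: 'unlisted-origin' };
  }
  return { ok: true, origin };
}
```

The check only establishes where the card details would be sent; it says nothing about whether the listed gateway itself is trustworthy.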