- From: Adam Solove <notifications@github.com>
- Date: Mon, 12 Feb 2018 19:29:09 +0000 (UTC)
- To: w3c/3ds <3ds@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 12 February 2018 19:29:36 UTC
@stpeter I don't think you've missed anything, that is definitely one of the core challenges that I see. >From the EMVCo side, I think their expectation is that you trust the merchant site because 1) you're there and letting it run arbitrary third-party javascript it loads anyways and 2) the merchant could get in PCI trouble and kicked off the card networks if they're doing something shady and get caught. As a result, they assume the merchant loading issuer code in the customer's browser is fine. >From a browser perspective, it makes sense that that _isn't_ fine. I think issuers running some kind of handler would be a great solution from the permissions standpoint. But I am not optimistic that we could make it happen in EMVCo without some kind of leverage, like a great PRAPI 3DS user flow that is supported by lots of browsers and going to make the conversion rate much better for merchants and issuers. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/3ds/issues/2#issuecomment-365034911
Received on Monday, 12 February 2018 19:29:36 UTC