Re: [w3c/webpayments-methods-tokenization] How are future card on file transactions supported through dynamic data? (#44)

Here are some additional thoughts. (Corrections and comments welcome!) 
cc @mweksler 

PROBLEM STATEMENT: How does a merchant get dynamic data for subsequent card-on-file transactions when they have received an initial token through PR API?

For dynamic data for the second, third, fourth, and later transactions, the merchant can either:

- Request data via the token service provider (backend flow)
- Request data via the Payment Request API (frontend flow)

———————
BACKEND FLOW

For the backend flow, if the merchant has an existing relationship (e.g., with a gateway) then the merchant could ask the gateway to get the cryptogram. This is the easy case and no changes to Payment Request API or Card Payment Tokenization are necessary.

However, some merchants may not have existing relationships, in which case the payment handler can provide a means to connect the merchant with the token service provider, for example an endpoint URL.

———————
FRONTEND FLOW

For the frontend flow, the merchant will need to identify the token (e.g., via the token reference id) in the payment request data. The payment handler can use this token reference id to request dynamic data from the same TSP.

———————
Two Payment Methods?

We might want to define two payment methods: one for the initial token request, and one for subsequent requests for dynamic data. Here’s what the data models might look like.

******************
PAYMENT METHOD: tokenized-card

Request Data:
 supportedNetworks
 supportedTypes
 supportedCryptogramTypes
 usageType
 payeeID
 keyProviderURL

Response Data:
cardholderName
displayLast4
displayMaskedCard
displayExpiryMonth
displayExpiryYear
displayNetwork
billingAddress
par member
tokenreferenceid
tspEndpoint             <=== NEW. Optional. Enables the backend flow.
encryptedDetails

where encryptedDetails holds:

 cardNumber
 expiryMonth
 expiryYear
 cryptogram 
 typeOfCryptogram
 trid
 eci

******************
PAYMENT METHOD: tokenized-card-dynamic-data
[For card-on-file use cases front end flow; assumes the merchant has stored necessary non-sensitive data from the tokenized-card payment response]

Request Data:
 supportedNetworks
 supportedTypes
 supportedCryptogramTypes
 tokenreferenceid
 payeeID
 keyProviderURL

Response Data:
tokenreferenceid
encryptedDetails  <=== same data as for tokenized-card

———————
SUMMARY:

* To enable the backend flow, add tspEndpoint
* To enable the frontend flow, add the new payment method tokenized-card-dynamic-data

https://github.com/w3c/webpayments-methods-tokenization/issues/44#issuecomment-405567047

Received on Tuesday, 17 July 2018 12:38:24 UTC
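
Added example, not part of the original message or of any W3C specification: a merchant-side sketch of the two flows proposed above, showing what is kept from a tokenized-card response and how a later card-on-file transaction would obtain fresh dynamic data. Field and payment method names are taken from the message; the helper names, sample values, the choice of which fields to store, the preference for the backend flow when tspEndpoint is present, and the https check are assumptions.

```javascript
// Added example: field and payment method names come from the message above;
// helper names, sample values, the allowlist and the https check are assumptions.
const STORABLE = ["tokenreferenceid", "tspEndpoint", "displayLast4", "displayNetwork"];

// Persist only non-sensitive fields; encryptedDetails (per-transaction data) is dropped.
function toStoredRecord(details) {
  if (!details.tokenreferenceid) throw new Error("response lacks tokenreferenceid");
  const record = {};
  for (const key of STORABLE) {
    if (details[key] !== undefined) record[key] = details[key];
  }
  return record;
}

// Choose how to get fresh dynamic data for a later card-on-file transaction.
function planSubsequentTransaction(record, merchant) {
  if (record.tspEndpoint) {
    const url = new URL(record.tspEndpoint); // throws on a malformed URL
    if (url.protocol !== "https:") throw new Error("tspEndpoint must use https");
    return { flow: "backend", endpoint: url.href, tokenreferenceid: record.tokenreferenceid };
  }
  const { supportedNetworks, supportedTypes, supportedCryptogramTypes,
          payeeID, keyProviderURL } = merchant;
  return {
    flow: "frontend",
    // Shape of the methodData argument to the PaymentRequest constructor.
    methodData: [{
      supportedMethods: "tokenized-card-dynamic-data",
      data: { supportedNetworks, supportedTypes, supportedCryptogramTypes,
              tokenreferenceid: record.tokenreferenceid, payeeID, keyProviderURL },
    }],
  };
}

// Constructed sample data (not real values).
const sampleMerchant = {
  supportedNetworks: ["examplenet"], supportedTypes: ["credit"],
  supportedCryptogramTypes: ["example-cryptogram"],
  payeeID: "merchant-123", keyProviderURL: "https://merchant.example/key",
};
const sampleResponse = {
  displayLast4: "0000", displayNetwork: "examplenet",
  tokenreferenceid: "tokref-constructed-1",
  encryptedDetails: "opaque-constructed-blob",
};
const stored = toStoredRecord(sampleResponse);
console.log(planSubsequentTransaction(stored, sampleMerchant).flow);
```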