W3C home > Mailing lists > Public > public-webpayments-specs@w3.org > May 2019

Re: [w3c/payment-method-basic-card] Don't redact phone number from billingAddress (#80)

From: Nick Telford-Reed <notifications@github.com>
Date: Mon, 13 May 2019 09:48:29 -0700
To: w3c/payment-method-basic-card <payment-method-basic-card@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/payment-method-basic-card/pull/80/c491900383@github.com>
> I'm not aware of a system where the merchant needs the user's phone number. There are common back-ends where it is used for verification via 2FA. So it would seem an active security breach to hand it over, since it is critical data for a MITM attack collecting the second factor.

TBH, @chaals , I wasn't either, until I starting digging, but it looks like some card scheme anti-fraud solutions can (perhaps optionally) use phone number (I found a reference to phone number for the Amex AAV service which has been in place for 5 years or more in the Worldpay integration documentation [http://support.worldpay.com/support/kb/bg/pdf/bgxmldirect.pdf]), and it looks like phone numbers (both home and mobile) are conditionally required fields in the 3DS 2.x spec [https://www.emvco.com/wp-content/uploads/documents/EMVCo_3DS_Spec_v220_122018.pdf] (which is much more data hungry than the 3DS 1.x specs).

So if we want merchants to be able to offer 3DS2 authentication experiences off the back of a basic-card payload (which we almost certainly do as a transitional step), then phone numbers need to be supported. 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-method-basic-card/pull/80#issuecomment-491900383
Received on Monday, 13 May 2019 16:48:51 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 May 2019 16:48:52 UTC