[w3c/payment-request] Use Case: 3DS 1.0 flows and invoking PR API from inside an iFrame (#881)

This issue is here to track progress on a use case that was highlighted during the Web Payments Security Interest group meetings at TPAC.

The use case is as follows:

 - When a merchant initiates a card transaction using 3DS they will get back a URL which they will render in an iframe. This content is hosted by the user's card issuer (or on their behalf) in a system called the ACS.
 - The user provides some interaction with the ACS-hosted content through which they authenticate themselves (and authorise the transaction). 
 - The user interaction may involve providing an OTP that was sent to the user via another channel (e.g. SMS) or providing a biometric credential etc.

Current notes/challenges with this case are:
1. The ability to invoke Payment Request from within the iframe
2. The ability to invoke WebAuthn from within the iframe
3. The need for the PR API to be invoked by the ACS (as opposed to the merchant, which is the original intent)

cc @rsolomakhin @ianbjacobs @jeremywagemans @btidor-stripe

https://github.com/w3c/payment-request/issues/881

Received on Friday, 20 September 2019 03:51:29 UTC