Re: 3D Secure++ for Push Payments

On 06/26/2014 11:49 PM, Anders Rundgren wrote:
> The merits of 3D Secure haven't been discussed in this list, probably
> because it has [rightfully] been rejected in the US. However, 3D
> Secure is a very cool idea, it just lacks a proper platform to run
> on.

PaySwarm is basically 3D Secure w/o domain verifier phishing security
risks. Have you gone through the PaySwarm demo? The process is the same
as 3D Secure.

> 0. Probably the payer must select payment type (=payment provider)...
> 1. The payer gets a digitally signed payment request from the payee
> 2. The payment request is redirected to the payment provider
> 3. The payer authorizes the payment request at the payment provider
>    using a payer key
> 4. The payment provider counter-signs the payment request with its
>    provider key
> 5. The resulting object is returned to the payee

+1 up to this point. I'll note that in step #4, we've been referring to
the resulting object in #5 as the "digital receipt".

> 6. The payee pulls money from the received object through its payment
> provider

Don't know if this step is necessary since step #4 above wouldn't happen
unless the clearing/settlement was successful.

> Note that the payer's card details wouldn't be given to the merchant 
> when you use your payment provider as the source rather than your
> card. The payer only needs to be authenticated to the payment
> provider.

+1

> Although originally designed with another objective in mind, the
> following steps and platform ought to work for push payments as
> well: 
> http://webpki.org/papers/payments/securing-card-not-present-transactions.pdf

I read this when you sent it out the other day. This is more-or-less
what PaySwarm does as well (which is good, because it means that we
agree on the general principle of how this stuff should work).

> I strongly believe that BaM-payments and Web-payments could/should
> be identical.

+1

> There are several hurdles.  Banks are slow as h**l, Standardization 
> takes forever, and Google can do whatever they want: 
> http://www.cnet.com/news/google-spells-out-ambitious-plan-android-world-domination

Google will use a standard if it gives them a competitive advantage
against the incumbents. JSON-LD gave them a competitive advantage, which
is the reason it powers portions of their Knowledge Graph and Google Now
products. I would expect Google to do the same sort of adoption w/ the
Web Payments work if we create something compelling for them (and I
think we're on that path with the discussions we've been having over the
last two or so months).

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/

Received on Friday, 27 June 2014 04:16:48 UTC
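
The signature chain in steps 1 and 3 to 5 of the thread, sketched as an added example that is not code from either poster, PaySwarm or 3D Secure. The envelope format, function names, party names and sample values are assumptions; Ed25519 from Node's built-in crypto module stands in for whatever signature scheme a real deployment would use, and the step 2 redirect is not modelled.

```javascript
// Added illustration; the envelope format and all names are hypothetical.
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
// One shared table keeps the demo short; real verifiers hold only public keys.
const keys = { payee: newKey(), payer: newKey(), provider: newKey() };

// The exact signed string travels with its signature, so no JSON
// canonicalization is needed before verifying.
function seal(signer, body) {
  const payload = JSON.stringify(body);
  const sig = crypto.sign(null, Buffer.from(payload), keys[signer].privateKey);
  return { signer, payload, sig: sig.toString('base64') };
}

// Returns the parsed body; throws on an unexpected signer or a bad signature.
function unseal(env, expectedSigner) {
  if (env.signer !== expectedSigner) throw new Error('unexpected signer');
  const ok = crypto.verify(null, Buffer.from(env.payload),
    keys[expectedSigner].publicKey, Buffer.from(env.sig, 'base64'));
  if (!ok) throw new Error(`bad ${expectedSigner} signature`);
  return JSON.parse(env.payload);
}

// Step 1: payee issues a signed payment request (constructed sample values).
function paymentRequest(nonce) {
  return seal('payee', { payee: 'shop.example', amount: '12.50', currency: 'USD', nonce });
}

// Step 3: payer authorizes the request with the payer key.
const authorize = (request) => seal('payer', { request });

// Step 4: provider checks both signatures, then counter-signs.
// The result is what the thread calls the "digital receipt".
function counterSign(authorization) {
  const { request } = unseal(authorization, 'payer');
  unseal(request, 'payee');
  return seal('provider', { authorization });
}

// Step 5: payee verifies the whole chain and that the receipt covers the
// request it issued (matched here by nonce).
function acceptReceipt(receipt, expectedNonce) {
  try {
    const { authorization } = unseal(receipt, 'provider');
    const { request } = unseal(authorization, 'payer');
    return unseal(request, 'payee').nonce === expectedNonce;
  } catch { return false; }
}
```

Because each layer signs the serialized inner envelope, changing the amount anywhere in the receipt invalidates the provider's outer signature, and the payee never handles payer credentials.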