Multi-pay tokens

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 5 Oct 2015 06:24:22 +0200
To: Web Payments CG <public-webpayments@w3.org>
Message-ID: <5611FB76.1030809@gmail.com>

In Manu's response to me and the list regarding Proximity versus Web
he mentions EMV tokens.

I haven't found any good definition of such but I found this interesting paper from FirstData:

It outlines multi-pay tokens which could be significant since some major sites like Amazon.com
as well as third-party payment providers like PayPal, may need/want a static payment instrument
to simplify transactions and dealing with automatic renewals.  The latter may become even more
important due to the SaaS (software as a service) trend.

Static payment instruments though represent a risk since they are vulnerable to theft.
The best protection against theft is making such payment instruments useless for anyone
but the original payee.

This seems to be yet another possible use-case for the "Russian-doll" kind of signatures
which is the core of WebPKI.org WebPay PoC:
Well, a standardization effort would of course have to use JOSE and shroud messages in Base64
but that's not my headache :-)

An obstacle here is that keys tend to expire.  One solution to that problem is to use the
scheme featured in e-passports which is letting an about-to-be-renewed key sign its
replacement and supply the entire list during authorization which makes it possible
to verify an old payment instrument.  This eliminates the need for having a specific
renewal process for stored payment instruments.

Received on Monday, 5 October 2015 04:24:55 UTC
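
The key-rollover scheme described in the message above, as an added example (not code from the original message or from the WebPKI.org PoC): each about-to-be-retired key signs its replacement, and the verifier walks the supplied list from the key bound to the stored payment instrument to the key used for today's authorization. Ed25519, the `Link` type, the `Roll` and `VerifyRollover` names and the `key-rollover-v1:` tag are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Assumed domain-separation label, so a rollover signature cannot be
// presented as a signature over some other kind of message.
var rolloverTag = []byte("key-rollover-v1:")

// Link is one rollover step: the replacement key, signed by its predecessor.
type Link struct {
	NewKey ed25519.PublicKey
	Sig    []byte
}

func rolloverMsg(k ed25519.PublicKey) []byte {
	return append(append([]byte{}, rolloverTag...), k...)
}

// Roll is run by the key holder shortly before the old key is retired.
func Roll(oldPriv ed25519.PrivateKey, newPub ed25519.PublicKey) Link {
	return Link{NewKey: newPub, Sig: ed25519.Sign(oldPriv, rolloverMsg(newPub))}
}

// VerifyRollover reports whether chain is an unbroken sequence of rollovers
// from instrumentKey (bound to the stored payment instrument) to currentKey
// (the key that signed the present authorization). An empty chain is valid
// only when the two keys are identical.
func VerifyRollover(instrumentKey, currentKey ed25519.PublicKey, chain []Link) bool {
	key := instrumentKey
	for _, l := range chain {
		// Length check first: ed25519.Verify panics on a malformed key.
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, rolloverMsg(l.NewKey), l.Sig) {
			return false
		}
		key = l.NewKey
	}
	return len(key) == ed25519.PublicKeySize && bytes.Equal(key, currentKey)
}

func main() {
	// Constructed sample: three key generations k0 -> k1 -> k2.
	pub0, priv0, _ := ed25519.GenerateKey(nil)
	pub1, priv1, _ := ed25519.GenerateKey(nil)
	pub2, _, _ := ed25519.GenerateKey(nil)
	chain := []Link{Roll(priv0, pub1), Roll(priv1, pub2)}
	fmt.Println("instrument bound to k0, authorized with k2:", VerifyRollover(pub0, pub2, chain))
	fmt.Println("chain missing the k0->k1 link:", VerifyRollover(pub0, pub2, chain[1:]))
}
```

A real deployment would also have to decide how long a retired key stays acceptable as a chain root, since a stolen old private key can otherwise sign a rollover to a key of the thief's choosing.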