Option for validating Payee accounts

[cyberphone]

It has been said that it might be useful for payer banks to verify that the "receive" account given by a Merchant is authentic. If a Merchant key is stolen a lack of validation could enable a fake Merchant masquerading as the genuine getting paid by changing account number. The most straightforward solution would be to simply publish valid account numbers in the associated public PayeeAuthority object. See Authority Objects.

The following proposal implemented in V0.58 of the Saturn API enables verification but without publishing (in clear):

Before in AuthorizationRequest:

    "paymentMethodSpecific": {
        "@context": "https://sepa.payments.org/saturn/v3#pms",
        "payeeIban": "FR7630004003200001019471656"
    }

 
Updated AuthorizationRequest:

    "paymentMethodSpecific": {
        "@context": "https://sepa.payments.org/saturn/v3#pms",
        "payeeIban": "FR7630004003200001019471656",
        "nonce": "nZFwxLP0TvFXD2xPKzRTIGevgLjpiMw2BP86hszj5x4"
    }

New element in PayeeAuthority:

    "accountVerifier": {
        "algorithm": "S256",
        "hashedPayeeAccounts": ["eWJtV95_RCg6aGj-TH-yo-A0SO4vIZAq_Oaizdy55j8"]
    }

That is, the issuer can aided by the PayeeAuthority information, verify that a claimed account is authentic by comparing the published hash and the calculated hash. The hash itself is calculated in a payment method specific manner. In the example above the hash is simply running SHA256 over the entire paymentMethodSpecific object using EcmaScript/JavaScript compatible serialization. The nonce makes it impossible guessing account numbers by looking into PayeeAuthority objects.

[cyberphone]

Fixed, Yay!