-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider EMV for the Web #32
Comments
This scheme also permits a payment request performing a pre-authorization only where the result is a token that can be used at a later stage. The very same model can also be used to increase the security of card-on-file schemes, since (valid) activations (in a properly designed system NB...), should only be possible to create by the party it was originally issued for. There seems to be no need for specific tokenization services either. |
Closing this for now. We can reopen if needed. |
I haven't "deciphered" the entire spec but the following lines caught my eyes:
Creating a new system that needs card numbers in clear outside of the RP/Bank environment seems somewhat short-sighted and may even be in conflict with GDPR. Since WebAuthn was built for the Web, wouldn't it be reasonable using Web-methods to overcome deficiencies that stems from technology that was created 25 years ago?
This presentation outlines such a system: https://www.youtube.com/watch?v=OWn8sg7Oy3I&t=306s
That is, payment credentials are also fitted with
making authorizations only reveal which bank the user have.
The hashing mentioned in the presentation has recently got a suitable solution that is 100% JavaScript compatible: https://www.rfc-editor.org/rfc/rfc8785.html
This is effectively a souped-up EMV adapted for the Web. EMV is more "protocol-efficient" than 3DS-like concepts.
Browser-wise I believe this is quite simple to achieve. Backend-wise not so. The ability to support IBAN & friends is probably a necessity to get traction. Note that such systems do not provide any "fallbacks" and such.
The text was updated successfully, but these errors were encountered: