Leave Off Unneeded Information #5
Comments
|
The PR that @adamroach mentions was closed after discussion at the Sept 2016 F2F, pending a potential reopen. With Nick Doty's email to the group this morning, it is worth considering if we should once again look at this issue prior to moving to CR. Options;
|
|
@mattsaxon For clarity, are you suggesting that the merchant website be able to specify which fields are mandatory and which optional in the payment response for a basic-card payment? i.e. A merchant website can say "I support basic card but I only want you to return the PAN and expiry"? |
|
@adrianhopebailey, that's correct |
|
Is the privacy implication here that the merchant doesn't want to see the name on the card? |
|
My recollection from previous discussions is that about friction collecting information (which may lead to dropoff). Matt cited CVV as one example. ("I don't want you to prompt for CVV; I accept the risk.") However, it is not clear to me that shipping implementations allow for collection of less than the five fields. Ian |
|
Apart from However, certain user agents force the user to enter all credit card information before they can proceed... but all user agents allow the user to abort the payment process. Now, just the first 6 digits of the card number can reveal about a user (using https://www.bindb.com):
@adamroach, do you think we should make some kind of mention of the above? |
|
What's clear to me is that my complete billing address (including phone number) shouldn't be sent to every merchant using Even if the merchant indicates they require a postal billing address, it's not clear whether a billing phone number is required even though that is also part of the requiredBillingContactFields: [
"name",
"phone",
"postalAddress",
](values are a subset of I would ideally like the address to be even more fine-grained since some merchants only need the ZIP code for fraud detection, not the rest of the address. Btw. I don't think an exclusion approach (#29) is the right idea as the defaults will heavily influence what developers request and we should only be giving the minimum required by default. |
|
Proposal is to have certain fields excluded for privacy reasons. Then, we can add something like |
|
As I noted in IRC during the F2F, our user research at Mozilla indicates that users are quite leery about exposing more sensitive information like their phone number. If they know the phone number is needed for shipping purposes they're more accepting. Gathering this data (or exposing data that's really not required) will legitimately raise privacy concerns among a broad swath of users - especially these days. Furthermore, there's no method by which the merchant can specify why any given field is being requested (e.g., "we need your phone number to contact you if there are any problems with delivery"). For some users, being asked for phone number without a legitimate or putative need might be a cause of shopping cart abandonment. This too would be worth researching with users. |
|
My takeaway from discussion in Singapore [1] is that there was some support default behavior of not returning phone information. |
|
Now part of #52 |
* Connecting to payment handler. * redact phone number (closes #5)
|
@marcoscaceres I don't think this issue should be closed after only leaving off the phone number as that doesn't fully address the privacy/security review and the concerns raised in the thread. Other fields mentioned above that may not be necessary:
I think |
|
Happy to revisit. At the f2f, we only agreed to remove phone number. |
|
Just a note... we can discuss further here to understand the scope of the problem, but the above looks like it should spin off into multiple (related) bugs. |
|
@ianbjacobs, do we have an authority in the WG on credit card fraud detection that can definitively tell us exactly which parts of the billing address are pertinent to fraud detection? I want to make sure @mnoorenberghe's concerns are addressed, specially if we can drop more fields from |
|
Wikipedia has some info: |
|
Also, is AVS the only reason for Ok, The You Tubes tells me that cardholder name doesn't participate in AVS. So that's a potential target for removal. |
|
So, some options here:
|
|
That sounds good for when the merchant opts in to getting a billing address. |
Agree 💯. AVS is only used in 3 countries, so why we should pass billing address by default doesn't make much sense. |
|
Ok, also made it optional for the user agent to add the billing address in, say, the US, UK, and Canada... |
marcoscaceres
changed the title
ianbjacobs
changed the title
|
Hi @marcoscaceres, I changed the title back to the original title. The original use case from @mattsaxon was for the merchant to say to the browser (or other payment handler): don't collect the CVV; I would rather the user have less friction and I accept the increased risk. One proposal had been that each payment method might support an array in request data where the merchant could specify which response fields to exclude when building the response. Since the original use case ("don't collect CVV due to friction") other use cases have arisen:
I would prefer that this issue remain merchant-focused (rather than user-focused). The original issue is that the merchant wants to indicate which payment method response fields it wants the payment handler to exclude. Ian |
This is a recommendation from the Security and Privacy Checklist review. See https://docs.google.com/document/d/1w7ginyzNg-xZUmITK4vzcGUKB4gbMOAvlkWWaRtX14k/edit?usp=sharing for additional detail
The Basic Card Payment specification provides additional information that forms a unique correlator. Unlike unique, cross-origin information provided by the Payment Request API, the cardNumber field provided by the Basic Card API is (necessarily) required rather than optional. The current document appears to assume that any Basic Card Payment app will request all possible fields; however, there is a PR filed for leaving off unneeded information. For the sake of privacy, we recommend this PR be accepted.
The text was updated successfully, but these errors were encountered: