Tokenized Card

ianbjacobs edited this page Feb 13, 2018 · 54 revisions

Tokenized Card Payment Method

Note: The specification content from this wiki has been moved to the Tokenized Card Payment draft.

FAQ

NOTE: Once stable, move to the Payment Request FAQ

How will users add and remove payment instruments to the payment handler?

That is an implementation detail, whether the browser or a third party implements the payment handler.

Can browsers discover and install default payment handlers based on supportedNetworks?

Just-in-time registration of payment handlers is under discussion.

How does the payment handler communicate with the Token Service Provider?

That is out of scope for this proposal (but will be necessary in the ecosystem to enhance interoperability).

What is the relation between this payment method and PCI compliance?

The Web Payments Working Group does not have a formal position on the question. Please see PCI Tokenization Guidelines Supplement and consult with your organization's compliance officers.

As part of its ongoing work, the Web Payments Working Group seeks to confirm certain assumptions:

  • Payment handlers fall in the Cardholder Data Environment (CDE) and are subject to relevant rules.
  • Merchants receiving tokenized payment credentials might not need to be PCI-DSS compliant.
  • Merchants receiving encrypted tokenized payment credentials do not need to be PCI-DSS compliant.
  • Key-providers for encryption need to be PCI-DSS compliant.

How do payment app distributors / TSPs establish trust with key providers?

That is an implementation detail outside the scope of this specification. However, one approach may involve validation of digital signatures; see the Signature proposal.