w3c / src

How are keys communicated for encryption of response data? #10

Closed ianbjacobs closed 5 years ago

ianbjacobs commented 5 years ago

If some portion of SRC response data is encrypted, how are keys exchanged (between merchant/PSP and payment handler) for that?

Some option:

ianbjacobs commented 5 years ago

Also, see the early draft of encryption

tblachowicz commented 5 years ago

The Checkout API returns an encrypted Payload containing payment credentials and/or personal Consumer details. The encrypted data is compliant with JWE, and the EMVCo SRC API specification [1] only indicates recommended algorithms to use, but the details on how the keys are exchanged are out of scope for the spec.

Note: in the spec, there is a section "5.8 Public Key Retrieval" containing details on how the SRC System is expected to publish cryptographic keys as a JWK keyset. However, the section is limited only to keys used for digital signature verification between SRC Systems and other participants.

[1] https://www.emvco.com/terms-of-use/?u=/wp-content/uploads/documents/EMVCo-Secure-Remote-Commerce-Specifications-API-1.0.pdf

ianbjacobs commented 5 years ago

Thank you, @tblachowicz. Based on your note, I propose that we conclude that how keys are exchanged is outside the scope of a W3C payment method. I have added this sentence to the payment method description:

"How keys are exchanged (during onboarding or at other times) to enable the encryption of part of the payload is outside the scope of this payment method."

ianbjacobs commented 5 years ago

Closed this issue at the 12 June teleconference [1]; there was support for the proposed sentence in the payment method specification.

[1] https://www.w3.org/2019/06/12-wpwg-minutes#item03