Open stpeter opened 6 years ago
Plain data is required for display purposes or for tracking where, for example, the payment is being processed by a third party but the merchant wants access to some data like a tx id.
I do think we should make this simpler though, I think that the way this is done in the tokenization spec is best. i.e. Define two schemas; a clear-text schema which contains unencrypted data (at least one data element is the encrypted data in the form of a JWT) and a data schema for the data that is encrypted inside the JWT.
See my proposal in #13
It seems that we're envisioning partial encryption of response data: "Each payment method defines which response fields are not sensitive. Those fields are returned in the response along with the encryption of the full response." Is there a good reason to include both encryptedData and plainData? Why not encrypt the entire response? What are the use cases behind this suggestion? Do entities in the middle (say, the merchant or a PSP if the response is going to an issuer or other entity) need access to some of the response fields?