Should encryption of tokenized card payment data be optional?

[ianbjacobs]

Hi all,

@mattsaxon raised this question in Singapore [1]. Right now the Tokenized Card Payment specification requires that some of the response data be encrypted (cf. EncryptedTokenizedCard). Matt wondered whether the specification would still be useful even if that data blob were not encrypted.

[1] https://www.w3.org/2018/04/20-wpwg-minutes.html#item01

[MasterKeyur]

@mattsaxon - The credentials returned in the tokenized card response can be used to perform payment. I would recommend to encrypt the response and make it mandatory. There is no amount restriction on token at least in MC token.

[webpayments-specs]

+1 for Visa as well. No amount restriction.

From: MasterKeyur notifications@github.com Reply-To: w3c/webpayments-methods-tokenization reply@reply.github.com Date: Tuesday, May 29, 2018 at 10:08 AM To: w3c/webpayments-methods-tokenization webpayments-methods-tokenization@noreply.github.com Cc: Subscribed subscribed@noreply.github.com Subject: Re: [w3c/webpayments-methods-tokenization] Should encryption of tokenized card payment data be optional? (#39) Resent-From: public-webpayments-specs@w3.org Resent-Date: Tuesday, May 29, 2018 at 10:06 AM

@mattsaxonhttps://github.com/mattsaxon - The credentials returned in the tokenized card response can be used to perform payment. I would recommend to encrypt the response and make it mandatory. There is no amount restriction on token at least in MC token.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHubhttps://github.com/w3c/webpayments-methods-tokenization/issues/39#issuecomment-392856858, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AQ8khr0zLlR0fbfuixkB7ZqJYUb8QG3Fks5t3YAHgaJpZM4TtUvQ.