-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Propose a payment method specification that includes an example of field level security #141
Comments
I agree that this would be very valuable. I also feel like it would be an incremental change to almost any existing payment method specification (once there are more of them). |
Hello,
Currently, our team integrated many payment methods and none of them have encryption at field level, maybe because most of the calls are made server-side. |
I think actually if there is any encryption beyond TLS, it would necessarily be on the merchant side when initiating the request. If I care about encrypting my content, I surely do not want to expose it to the user agent. I want to pass the encrypted blob to the payment app along with some sort of an indication of how to decrypt it. I also think this is out of scope for what we are designing right now, but I could be wrong. |
Agree that a field-level encryption mechanism should be investigated further, and a field level encryption mechanism that supports any number fields (not just the basic card payment fields) would be valuable. Field-level encryption is beneficial in scenarios where a third-party (e.g. the merchant) is in the flow of the information that we wish to protect. A number of PSPs have client-side encryption mechanisms, whereby an encryption key is requested from the PSP by the client (typically via Javascript in the user’s browser) for each transaction. This is for the purpose of encrypting the payload prior to being submitted to the merchant’s servers, who then submits the payload to the PSP for decryption and processing. However, the original intent was to reduce PCI exposure for the merchants, however the PCI standards council has since implemented the Self Assessment Questionnaire (SAQ) A-EP as part of PCI DSS 3.0, for specifically this scenario. @halindrome: I want to make sure I understand your point above. In some cases, the user agent itself is the payment app (e.g. basic card payment flow where the browser stores the card details). I think the merchant would need to identify the fact that it can support field-level encryption for specific PSPs or payment apps, however the key itself would need to be provided by the PSP. |
@halindrome wrote:
+1 |
Migrated to: |
This action was inspired by the discussion on #55.
It would be useful if someone in the group proposed a payment method specification that illustrated how field level encryption or signing could be used in the payment method data. This may be in the form of an "Advanced Card Payment Specification" or an extension of some other scheme.
The text was updated successfully, but these errors were encountered: