-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should PaymentResponse include totalAmount and if so must it be one of the supplied totals #215
Comments
Hi @adrianba, In the payment app task force we've been discussing scenarios where a payment app might change the total before the user authorizes payment, for example after application of a discount. Presumably if this is possible in the payment app, it's because the app distributor In this case, the "authorized total" may not be one that the merchant sent to the payment app. If we anticipate this scenario, then:
So that would lean toward your option 3 (if I understood correctly). Even if we wanted to say "payment apps much not change totals" I'm not sure we can Ian |
So, my preference is for 3 but would be okay with 2. |
How do merchants know the response wasn't tampered with in transit? That is, if we're putting the total in there so the merchants can feel safe that the amount requested was the amount paid (and we have no MiTM protection on totalAmount), doesn't that defeat the purpose of including the value in the response? |
@msporny wrote:
I assume that payment apps that wish to provide additional guarantees can use digital signatures generally. I would not expect the API to have built-in support for digital signatures.
It seems to me that in many or most cases the merchant-sent total (call it "T") will be the same as the total received in the payment response. So a check that the response includes "T" would make a strong case that no tampering has occurred. |
I would always send "T" then when I wanted to fool the merchant. :) |
What data would convince the merchant? That data can be signed, of course. Ian |
Signed data or some kind of transaction ID that they can check via PSP, etc. I don't think just getting a value in (with no security around it) will work. |
PR #211 introduced the idea of including the
totalAmount
in thePaymentResponse
. The idea is that since different totals can be provided usingPaymentDetails.total
andPaymentDetailsModifier.total
then the user agent should include which one was chosen in the response.There was some discussion of this on the telcon today.
I think there are three options to consider:
totalAmount
fromPaymentResponse
; ortotalAmount
but remove the text that requires that the value be one of the provided totals.My preference is (1) or (2). I don't mind which.
The text was updated successfully, but these errors were encountered: