Should encryption of tokenized card payment data be optional?

[ianbjacobs]

Hi all,

@mattsaxon raised this question in Singapore [1]. Right now the Tokenized Card Payment
specification requires that some of the response data be encrypted (cf. EncryptedTokenizedCard).
Matt wondered whether the specification would still be useful even if that data blob were not
encrypted.

[1] https://www.w3.org/2018/04/20-wpwg-minutes.html#item01

[MasterKeyur]

@mattsaxon - The credentials returned in the tokenized card response can be used to perform payment. I would recommend to encrypt the response and make it mandatory. There is no amount restriction on token at least in MC token.

[webpayments-specs]

+1 for Visa as well. No amount restriction. From: MasterKeyur <notifications@github.com> Reply-To: w3c/webpayments-methods-tokenization <reply@reply.github.com> Date: Tuesday, May 29, 2018 at 10:08 AM To: w3c/webpayments-methods-tokenization <webpayments-methods-tokenization@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Subject: Re: [w3c/webpayments-methods-tokenization] Should encryption of tokenized card payment data be optional? (#39) Resent-From: <public-webpayments-specs@w3.org> Resent-Date: Tuesday, May 29, 2018 at 10:06 AM @mattsaxon<https://github.com/mattsaxon> - The credentials returned in the tokenized card response can be used to perform payment. I would recommend to encrypt the response and make it mandatory. There is no amount restriction on token at least in MC token. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#39 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AQ8khr0zLlR0fbfuixkB7ZqJYUb8QG3Fks5t3YAHgaJpZM4TtUvQ>.