Different card schemes have different mandatory field requirements #9
Comments
|
@adrianba |
|
The PR has a flat structure for the data with some optional fields. I've done some further research and it appears that the only card types that use this data structure today are Meastro cards. There were other brands before such as Switch and Solo, but these are no longer issued. We should discuss if Maestro should be a specific type (e.g. sub-class of BasicCardResponse) of PaymentResponse object. What are your views? |
This is what I found too but it wasn't clear to me from a quick look where Maestro still had this requirement. For this reason, I didn't include the fields in the initial draft.
I think this is a good question. First I wonder whether there are other fields used in other geos that would also need to extend the response. If we end up with a myriad of options fields that are rarely used then that might not make the spec very easy to consume. On the other hand, if most implementations will need to consider start date or issue number then including it in the basic data structure might be considered beneficial. It would be good to get more data before deciding but equally we should pick something soon and change it if new information arises later. We need to address this to determine what to do with #25. |
|
Adrian, I've dug deeper and found the following: Whilst Maestro is still a brand, Maestro cards that need issue number or start date to be submitted were actually using the Switch network scheme (even though the brand was Maestro), this network was closed in 2011, this effectively means that these card went out of circulation sometime in 2014. I think this closes the issue and we can stick to the simpler format. I'll edit my PR to remove these, but will leave the revisions to the field names. |
That matches the results of the research we've been doing too. |
|
I think there's still a problem here, irrespective of Maestro. Expiration month, expiration year, and cardholder name are all optional fields for a UnionPay card. As it stands the spec therefore won't work for basic card payments in mainland China (or Russia, for that matter, where UnionPay cards are also issued). The only required field you can have for a basic card payment is the PAN. |
|
To add some detail here, UnionPay credit cards do conform to the 'usual', ie. BasicCardResponse, it's the UnionPay debit cards that don't have name and expiry. However what concerns me with modelling is that this level of specification is volatile as we have seen from the Meastro investigations. These discussions raise a few questions for me;
I still propose we accept my PR as it standard as it is more explicit about the problem as it has a fixed list of brands rather than an empty list and therefore calls out the absence of UnionPay from this model. This does not imply this is the version that will go to FPWD as we may have some more time to consider this further prior. |
This is a good example of where we have to decide whether this is the same schema or a different one. The goal shouldn't be to create one universal data structure. We can have multiple different ones (and should where it makes sense). |
I expect it to be necessary to support card types from schemes who have never heard of W3C and are not participating in the group. |
I am happy to defer to the editors, but it would be nice if FPWD was able to accommodate China in its basic card model. That being said, I appreciate time is of the essence so maybe a commitment to resolve the issue in a future draft is enough. |
|
@nickjshearer, do you think we should be using the same response type (with lots of optional attributes) or a different type? We could certainly define a variety of types in the spec or write multiple specs (there doesn't have to be only one). Just looking for your view of the pros and cons. |
|
With regard to UnionPay, there are some specific features of the Scheme when used for ecommerce transactions, that may dictate, or at least encourage a specific Payment Application for it. I'll get some more details, but the 1st time a card is used with a merchant, there is a One Time Password sent via SMS that needs entering. I'm not clear that the card can be used with just the usual PAN, Expiry, CVC, certainly there are a few references to UnionPay not being usable for ecommerce transaction out there. The nature of UnionPay leads me to suggest that whilst it is important, I don't believe it qualifies as ubiquitous. However I'm not suggesting we don't cater for it, in fact quite the opposite, I think it is a really good use case to model how it would work with registration and the creation of payment applications. For this reason I suggest that we model this at FPWD as something outside of the BasicCardResponse and try to asap work out how we would create a Payment Application to support this registration process. |
+1 to the sentiment about China here. Also, the variability of requirements across card schemes is something that writers of payment applications have had to accommodate for decades. The brute force way of handling it is to write a specific application for a specific acquirer that is hard-coded to (e.g.) require expiry information. Proper layering of service (which knows what fields are required) and the application (browser?, which should be agnostic) has proven the only mitigating tactic I've seen so far. "Service" need not (in this case) mean a web server - could be a customizable worker. Please ignore any architecture references. The choices are clear:
That's our world, and it's a slippery slope. |
Oops, left one out, maybe the most important one.
Not to sound glib, this is what we really hope for. |
I do think the same response type should be used. After thinking about this, I don't think they would have to be optional in terms of the JS response, it could simply be noted that those properties may be empty. That is, cardholder name and expiry are required properties, but they may contain empty strings. I'm not sure if that's necessarily better than being explicit in the data model that they're optional fields, but it's another approach.
@mattsaxon - I do understand it has its challenges, but in terms of transaction volume and cards issued it outranks all the other card networks...the basic card flow should account for the primary card used in China. Like I said, I'm happy to leave it as-is for FPWD and revise it in the future, as long as we take care of it at some point. |
|
I agree with Nick. We should use the same response and permit empty values. The payment app can be responsible for discerning when to require certain fields and when not to. We already assume that if a merchant supports a given payment method they know how to parse the response for that method, so this just means for Union Pay you may only get a PAN. |
|
The content of any payment card is defined by ISO7813 (https://en.wikipedia.org/wiki/ISO/IEC_7813). That said, we need to balance a very flexible format that is very accommodating with a rigid format that potentially forces us to define a new payment method spec for certain cards because they can't be accommodated by the basic spec. The only benefit of being rigid is that the website can have better defined expectations about what data they will receive. In my opinion, if a website supports UnionPay cards then they expect to do a null value check against certain fields anyway so this value is negligible. My suggestion is that we define the set of fields that accommodates the most use cases (so at least we standardize on field names) and don't make anything mandatory. I don't advocate even making the PAN mandatory because we may add an "encrypted_pan" or "tokenised_pan" field which can be used instead of the PAN. TL;DR: I see no value in mandatory fields. The real value we are getting out of this standard is a set of standardized field names and formats. |
A couple of points of clarity;
-1 to not making the PAN mandatory, when we have tokenised or encrypted PANs, that probably needs another data structure, it will need another PMI for sure. I think it should be clear in the spec that the Payment Application must return a PAN to use the BasicCardResponse format. |
|
We should think carefully about why we make any field mandatory. I think you're overstating the value this provides in this context which is why I'm also in favor of using a dictionary here and not an interface. Making fields mandatory or conform to some format is very useful when gathering direct user input but less so when simply defining a data structure that we are exchanging between the payment app and web app. What happens if the payment app submits a response with no PAN? Who does the validation and throws an exception? The browser? That seems like a complex flow to handle as a developer. Why not just leave it to the developer in the website code? |
My understanding is that the algorithm used to copy a dictionary will cause any fields not specified in the Web IDL to be dropped. This sounds like a problem for extensibility. We may need a new Web IDL type that is "just data" but preserves unspecified fields. |
Can you explain why? |
If you use a dictionary that only defines the field |
If that's the case then I agree with you. I am not a WebIDL expert but we need something along the lines of how a dictionary/map would work in higher level languages. My understanding is that an interface is even less flexible. Put differently, I agree that there is absolutely a requirement to be able to pass in fields that are not specified in the WebIDL definition of the object and expect those to be passed on/returned and not simply dropped. I think @adrianba suggested a new WebIDL type at some point which is likely our only workable solution. |
|
If you want to pass arbitrary data through the API, the correct syntax
|
|
But doesn't this mean that any additional data would need to be bundled into some pre-defined field? I think it is important that additional items are able to be added as primary entities. Otherwise it will be challenging to extend the data with, for example, JSON-LD context etc. At least that is my understanding. @dlongley ? |
|
Yes, we want to be able to add additional information as we see fit and use well-defined interoperable standards, not relegate extensibility to a corner. I'm not quite sure how this is going to work moving forward with the current API. It seems like we might have to repeat all of the other inputs again in the Perhaps one thing we could do in the future is add an overloaded PaymentRequest constructor that takes a payment request message (a fully extensible message that would be defined by the Messaging/HTTP API spec proposals). This message would then be forwarded to a Payment App. |
|
This issue has gone from a discussion of the specifics of the Basci Card Payment Method spec to one of general extensibility. @dlongley and @halindrome let's move conversations about extensibility to PR #133 and Issue #146 @mattsaxon as you have made concrete PR to resolve your initial issue I am going to close this in favour of the thread on PR #114 |
This issue comes from WICG/paymentrequest#20 and is now called out in the
basic-card-paymentdocument.The text was updated successfully, but these errors were encountered: