Tokenized Card
Note: The specification content from this wiki has been moved to the Tokenized Card Payment draft.
NOTE: Once stable, move to the Payment Request FAQ
Whether the browser or a third party implements the payment handler is an implementation detail.
Just-in-time registration of payment handlers is under discussion.
That is out of scope for this proposal (but will be necessary in the ecosystem to enhance interoperability).
The Web Payments Working Group does not have a formal position on the question. Please see PCI Tokenization Guidelines Supplement and consult with your organization's compliance officers.
As part of its ongoing work, the Web Payments Working Group seeks to confirm certain assumptions:
- Payment handlers fall in the Cardholder Data Environment (CDE) and are subject to relevant rules.
- Merchants receiving tokenized payment credentials might not need to be PCI-DSS compliant.
- Merchants receiving encrypted tokenized payment credentials do not need to be PCI-DSS compliant.
- Key-providers for encryption need to be PCI-DSS compliant.
That is an implementation detail outside the scope of this specification. However, one approach may involve validation of digital signatures; see the Signature proposal.