├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE.md
├── README.md
├── diagrams
├── index.html
├── token-cryptogram.pml
├── tokenization.png
├── tokenization1.png
├── tokenization3.png
├── tokenized-card.pml
└── w3cpayment.pu
├── index.html
├── issuerTokens.png
├── networkTokens.png
├── tokenized_cards.html
├── utils.js
└── w3c.json
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | # Code of Conduct
2 |
3 | All documentation, code and communication under this repository are covered by the [W3C Code of Ethics and Professional Conduct](https://www.w3.org/Consortium/cepc/).
4 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Web Payments Working Group
2 |
3 | Contributions to this repository are intended to become part of Recommendation-track documents governed by the
4 | [W3C Patent Policy](http://www.w3.org/Consortium/Patent-Policy-20040205/) and
5 | [Software and Document License](http://www.w3.org/Consortium/Legal/copyright-software). To make substantive contributions to specifications, you must either participate
6 | in the relevant W3C Working Group or make a non-member patent licensing commitment.
7 |
8 | If you are not the sole contributor to a contribution (pull request), please identify all
9 | contributors in the pull request comment.
10 |
11 | To add a contributor (other than yourself, that's automatic), mark them one per line as follows:
12 |
13 | ```
14 | +@github_username
15 | ```
16 |
17 | If you added a contributor by mistake, you can remove them in a comment with:
18 |
19 | ```
20 | -@github_username
21 | ```
22 |
23 | If you are making a pull request on behalf of someone else but you had no part in designing the
24 | feature, you can remove yourself with the above syntax.
25 |
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | All documents in this Repository are licensed by contributors
2 | under the
3 | [W3C Software and Document License](http://www.w3.org/Consortium/Legal/copyright-software).
4 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | # Tokenized Card Payment
3 |
4 |
104 | This specification addresses data security in credit or debit card
105 | payments on the Web.
106 |
107 |
108 | When making a card payment, the cardholder shares data with a merchant.
109 | The sahred data has traditionally included the number embossed on the
110 | card (the primary account number or PAN), the card expiry date,
111 | cardholder name, and billing address.
112 |
113 |
114 | There are a variety of ways to share this data: imprinting the card
115 | (physically making use of the embossed numbers on the card), swiping
116 | the card through magnetic stripe reader, providing the data through a
117 | chip or contactless connection, typing it into a Web form, or reading
118 | it aloud over the phone. These approaches differ in their convenience
119 | and security.
120 |
121 |
122 | Most notably, if the PAN is intercepted by a malicious actor (in a
123 | merchant store or through a compromised Web site, for example), this
124 | can lead to fraudulent reuse. The card payment ecosystem has chosen to
125 | combat this risk by reducing the circulation of PANs, and instead
126 | reducing attack vectors through more opaque and controlled data. By
127 | accepting (and possibly storing) tokens instead of the PAN, merchants
128 | can reduce the risk of fraud due to data compromise. This can lower
129 | their costs to receive card payments and their liability for some types
130 | of fraud.
131 |
132 |
133 | EMVCo has published [[!EMVCO-TOKENIZATION]] and related documents that
134 | replace the traditional PAN with a "network token" (as well as
135 | additional data to help limit misuse of each network token). These are
136 | called "network" tokens because card payment networks (e.g., American
137 | Express, China Union Pay, Discover, JCB, Mastercard, and Visa) and
138 | issuing banks offer relevant services. The current document describes
139 | how to connect these service providers to the Payment Request
140 | [[payment-request]] ecosystem so that merchants can request network and
141 | issuer tokens, and users can use payment handlers that request these
142 | tokens from service providers.
143 |
144 |
145 | The network tokenization approach has gained some traction in "card
146 | present" transactions, that is through physical terminals. Indeed, in
147 | regions where merchants have migrated to terminals that accept network
148 | tokens, fraud has tended to move online. This trend is an important
149 | reason why the Web Payments Working Group seeks to increase the
150 | security of card payments on the Web.
151 |
152 |
153 |
154 | Security Benefits of Network Tokenization
155 |
156 |
157 | Network tokenization offers several security benefits:
158 |
159 |
160 |
The data can include "domain controls" that reduce opportunities
161 | for misuse, for example by limiting use of a token to a given site,
162 | transaction, or time period.
163 |
164 |
Some transactions includes per-transaction (or, "dynamic")
165 | elements such as a ‘cryptogram’, ‘authentication value’ or ‘card
166 | verification value’ to enable validation of authorized use.
167 |
168 |
169 |
170 | In addition, the current specification includes mechanisms to further
171 | enhance security through encryption of potentially sensitive data.
172 |
173 |
174 |
175 |
176 | The Network Tokenization Ecosystem
177 |
178 |
179 | In [[!EMVCO-TOKENIZATION]] EMVCo describes the different roles in the
180 | tokenization ecosystem as well as the data requirements that are
181 | related through the current specification. Please consult that
182 | document for authoriative definitions. For the purposes of this
183 | introduction, here are brief descriptions of key roles:
184 |
185 |
186 |
187 | Card Issuer
188 |
189 |
190 | The card issuer is typically a bank that makes available a credit
191 | or debit card to a customer, the cardholder.
192 |
193 |
194 | Token Service Provider (TSP)
195 |
196 |
197 | Token Service Providers perform a variety of tasks, especially the
198 | generation and storage of tokens, mapping between PANs and tokens
199 | (and vice versa), and validating token usage.
200 |
201 |
202 | Token Requestor
203 |
204 |
205 | The Token Requestor is authorized to request tokens from the Token
206 | Service Provider. Different parties may be Token Requestors,
207 | including merchants, parties that have a relationship with a
208 | merchant (e.g., payment gateways), and parties that have
209 | relationships with the user (e.g., payment handlers).
210 |
211 |
212 |
213 |
214 |
215 | Additional Benefits of Network Tokenization
216 |
217 |
218 | Network tokens offer additional benefits as well beyond security:
219 |
220 |
221 |
If a user's card number is lost, stolen or replaced, a merchant
222 | may still use a stored token associated with the card for future
223 | transactions.
224 |
225 |
A merchant can reduce compliance burden in partnership with a
226 | payment service provider though the use of Token Reference
227 | IDs: the payment service provider stores the token while the
228 | merchant stores the Token Reference ID.
229 |
315 | This specification is designed to address these primary use cases:
316 |
317 |
318 |
Single transaction
319 |
320 |
Recurring payments (same token, all subsequent transactions
321 | approved through an initial agreement with the payer)
322 |
323 |
Card-on-file payments (same token, subsequent transactions approved
324 | individually by the payer)
325 |
326 |
327 |
328 | See the TokenUsageType for more information.
329 |
330 |
331 | For these use cases, the individual payment methods support different
332 | flows:
333 |
334 |
335 |
336 | tokenized-card
337 |
338 |
339 | This payment method covers several flows:
340 |
341 |
One-time usage of a token
342 |
343 |
Recurring payments with a token
344 |
345 |
Card-on-file use cases with the following assumptions. The
346 | payee seeks a token and does not yet have any card information from
347 | the payer. The response data includes a token, cryptogram, and
348 | other information sufficient for an authorization request.
349 |
350 |
351 |
352 |
353 | token-reference
354 |
355 |
356 | This payment method covers the same flows as
357 | tokenized-card but relies on the payee (or their payment
358 | service provider) having a backend integration to reach a Token
359 | Service Provider. The payee expects to retrieve token,
360 | cryptogram, and other information through backend APIs and therefore
361 | only needs a reference via Payment Request API. In other words, the
362 | existence of the backend integration means the payee requires less
363 | data than with tokenized-card.
364 |
365 |
366 | token-cryptogram
367 |
368 |
369 | This payment method is for card-on-file use cases when the payee (or
370 | their payment service provider) already has a token. The payee only
371 | requires a new cryptogram for a subsequent transaction with the same
372 | token. For this payment method, we assume the payee (or their payment
373 | service provider) does not have a backend integration
374 | that enables them to reach a Token Service Provider for the
375 | cryptogram. Through this payment method, the payee leverages Payment
376 | Request API and the user's Payment Handler to reach the original
377 | Token Service Provider.
378 |
379 |
380 |
381 |
382 |
383 | Assumptions
384 |
385 |
386 |
A payment handler MUST be able to access the services of one or
387 | more Token Service Providers.
388 |
389 |
A payee that uses Payment Request API is registered with its
390 | supportedNetworks. This
391 | specification does not address that registration process.
392 |
393 |
An assertion by the payee of acceptance of one of the
394 | supportedNetworks implies
395 | acceptance of the network-specific cryptogram types.
397 |
398 |
399 |
400 |
401 |
402 | Tokenized-Card Payment Method
403 |
404 |
405 | The payment method identifier string for the Tokenized Card
406 | Payment method is tokenized-card.
407 |
408 |
410 |
411 | TokenizedCardRequest dictionary
412 |
413 |
414 | This section describes payment method specific data that is supplied
415 | as part of the data argument to the PaymentRequest
416 | constructor.
417 |
444 | A card can be of type "credit", "debit", or "prepaid", as derived
445 | from the issuer identification number (the first eight digits of
446 | the primary account number (PAN). The different types are
447 | represented as the BasicCardType enum.
448 |
449 |
450 | usageType member
451 |
452 |
453 | A payee may request a TokenUsageType. If not present, the
454 | value of this member defaults to "one-time".
455 |
456 |
457 | payeeID member
458 |
459 |
460 | This Member is an optional Payment Network-specific string
461 | that the Token Service Provider may use to constrain the
462 | token for us by a single party. This is called a "merchant
463 | identifier" in the EMVCO Tokenization Specification.
464 |
465 |
466 | keyProviderURL member
467 |
468 |
469 | This member designates, via a URL, a public key trusted by the
470 | Token Service Provider. The source of the key, therefore,
471 | becomes the effective requestor of the tokenized-card from a
472 | Token Service Provider's perspective.
473 |
500 | The payee expects to use the token for a single authorization. How
501 | exactly the payee can use the token (e.g., for a charge, an update
502 | to the authorization, a partial refund, a second partial shipment,
503 | or incremental charges) is outside the scope of this specification.
504 |
505 |
506 | "card-on-file"
507 |
508 |
509 | The payee expects to re-use the token for as yet uknown future
510 | transactions, including payer-initiated transactions and
511 | payee-initiated transactions (e.g., for partial shipment,
512 | incremental charges, and resubmission use cases).
513 |
514 |
515 | "recurring"
516 |
517 |
518 | The payee expects to re-use the token exclusively for a recurring
519 | payment according to an agreement with the payer.
520 |
554 | It is common for applications to want to display recognizable
555 | information about the user's card, without revealing sensitive
556 | credentials. This value may be used as a hint, for the common case
557 | of displaying the last four digits of the original PAN.
558 |
559 |
560 | displayMaskedCard member
561 |
562 |
563 | In some cases, the card issuer may provide an alternative hint to
564 | displayLast4. Applications MAY use either
565 | displayLast4 or displayMaskedCard as a hint, and
566 | SHOULD use only one of them to avoid confusion or leaking
567 | information.
568 |
569 |
570 | displayExpiryMonth member
571 |
572 |
573 | A two-digit string for the actual expiry month of the card in the
574 | range "01" to "12".
575 |
576 |
577 | displayExpiryYear member
578 |
579 |
580 | A four-digit string for the expiry year of the actual card in the
581 | range "0000" to "9999".
582 |
583 |
584 | displayNetwork member
585 |
586 |
587 | The name of the actual Payment Network of the card.
588 |
600 | This optional member is a Payment Account Reference (or
601 | PAR), which enables merchants, acquirers and payment
602 | processors to link transactions initiated with affiliated Payment
603 | Tokens to transactions based on the underlying primary account
604 | number. The value is a composite field consisting of 29
605 | uppercase alphanumeric roman characters. See [[EMVCO-TOKENIZATION]]
606 | for more details.
607 |
624 | This optional member is an Electronic Commerce Indicator, a
625 | Payment Network-specific string to indicate the results of
626 | user authentication. For related discussion about authentication,
627 | see [[3ds]].
628 |
629 |
630 | encryptedDetails member
631 |
632 |
633 | This member is a string that represents
634 | EncryptedTokenizedCard information, encrypted with the
635 | keyProviderURL
636 | according to [[webpayments-crypto]].
637 |
638 |
639 |
641 |
642 | EncryptedTokenizedCard dictionary
643 |
644 |
645 | This dictionary defines the sensitive data that is to be encrypted.
646 | Note that the fields of this dictionary do not themselves influence
647 | the encryption.
648 |
704 | This member is a Token Requestor ID, an 11-digit numeric
705 | value that identifies the Token Requestor (e.g., the
706 | payment handler) and is used as part of authorization
707 | flows.
708 |
709 |
710 | tokenRequestorKey member
711 |
712 |
713 | This member is a public key that belongs to the Token
714 | Requestor. It is intended to be used in the
715 | token-cryptogram payment method for card-on-file use
716 | cases.
717 |
718 |
719 |
720 |
721 |
722 |
723 |
724 | Token-Reference Payment Method
725 |
726 |
727 | The payment method identifier string for the Token Reference
728 | Payment method is token-reference.
729 |
730 |
731 |
733 |
734 | TokenReferenceRequest dictionary
735 |
736 |
737 | This section describes payment method specific data that is supplied
738 | as part of the data argument to the PaymentRequest
739 | constructor.
740 |
762 | A card can be of type "credit", "debit", or "prepaid", as derived
763 | from the issuer identification number (the first eight digits of
764 | the primary account number (PAN). The different types are
765 | represented as the BasicCardType enum.
766 |
767 |
768 | usageType member
769 |
770 |
771 | A payee may request a TokenUsageType. If not present, the
772 | value of this member defaults to "one-time".
773 |
774 |
775 | payeeID member
776 |
777 |
778 | This Member is an optional Payment Network-specific string
779 | that the Token Service Provider may use to constrain the
780 | token for us by a single party. This is called a "merchant
781 | identifier" in the EMVCO Tokenization Specification.
782 |
801 | This member is a Payment Network-specific Token Reference
802 | ID that the payee uses on the backend to retrieve additional
803 | information about the card.
804 |
805 |
806 | trid member
807 |
808 |
809 | This member is a Token Requestor ID, an 11-digit numeric
810 | value that identifies the token requestor (e.g., the payment
811 | handler) and is used as part of authorization flows.
812 |
813 |
814 |
815 |
816 |
817 |
818 | Token-Cryptogram Payment Method
819 |
820 |
821 | The payment method identifier string for the Token Cryptogram
822 | Payment method is token-cryptogram.
823 |
824 |
825 |
827 |
828 | TokenCryptogramRequest dictionary
829 |
830 |
831 | This section describes payment method specific data that is supplied
832 | as part of the data argument to the PaymentRequest
833 | constructor.
834 |
843 | The TokenCryptogramRequest dictionary contains the
844 | following members:
845 |
846 |
847 |
848 | tokenReferenceID member
849 |
850 |
851 | This member is a Payment Network-specific Token Reference
852 | ID that represents the stored token for which the payee is
853 | requesting a new cryptogram.
854 |
855 |
856 | encryptedCardNumber member
857 |
858 |
859 | This optional member is an encrypted Payment Token. Although
860 | the tokenReferenceID is preferred it may not always be
861 | available, in which case the payee may provide this Payment
862 | Token instead, encrypted with the tokenRequestorKey, for example that
864 | was returned through the tokenized-card payment
865 | response.
866 |
867 | Need more details on encryption.
868 |
869 |
870 |
871 | tokenRequestorID member
872 |
873 |
874 | This member identifies the payment handler used to request the
875 | original token. It is an 11-digit numeric value that is a Token
876 | Requestor ID. The user agent uses this information to provide a
877 | path to the Token Service Provider through the payment
878 | handler that requested the original token. It is assumed that the
879 | payment handler also has a means to validate that the payee
880 | requesting the cryptogram is authorized to do so.
881 |
914 | This optional member is an Electronic Commerce Indicator, a
915 | Payment Network-specific string to indicate the results of
916 | user authentication. For related discussion about authentication,
917 | see [[3ds]].
918 |
919 |
920 |
921 |
922 |
923 |
924 | Interfacing with a payment request for tokenized-card
925 |
926 |
927 | Currently these sections are for the tokenized-card
928 | payment method; we will need similar algorithms for other payment
929 | methods.
930 |
931 |
932 |
933 | Steps to check if a payment can be made
934 |
935 |
936 | The steps to check if a payment can be made by a Payment
937 | Handler that handles "tokenized-card" takes
938 | TokenizedCardRequestrequest as input. It returns
939 | either true or false:
940 |
941 |
942 |
Let cards be a list of
943 | cards associated with this payment handler.
944 |
Let cryptograms be an empty DOMString sequence.
955 |
956 |
Let usage be the value of
957 | request["usageType"] if present, otherwise set it to
958 | "one-time". If the value of usage is not a legal value of
959 | TokenUsageType, set usage to "one-time".
960 |
961 |
If request["supportedTypes"] is present, append each
962 | item in request["supportedTypes"] to types.
963 |
964 |
If request["supportedNetworks"] is present, append
965 | each item in request["supportedNetworks"] to
966 | networks.
967 |
985 | Steps to check if an instrument is supported
986 |
987 |
988 | The steps to check if an instrument is supported takes as
989 | input a cardcard, a list of typetypes, a
991 | list of network
992 | networks, and a usageTypeusage. It returns
994 | true if the card is supported, false otherwise.
995 |
1036 | Steps to respond to a payment request
1037 |
1038 |
1039 | The steps to respond to a payment request are given by the
1040 | following algorithm. If the end user inputs or selects a card
1041 | that meets the constraints of TokenizedCardRequest
1042 | data, the algorithm returns a card as a
1043 | TokenizedCardResponse.
1044 |
To provide a hint to help the user select this card,
1065 | either set card["displayLast4"] to a string that
1066 | includes the last four digits of the primary account number
1067 | (e.g., "*** 5050") or set card["displayMaskedCard"]
1068 | to a string that represents different non-sensitive information about
1069 | the card (e.g., "Francine Business").
1070 |
1071 |
Set card["displayExpiryMonth"] to two-digit
1072 | string ranging from "01" to "12", or the
1073 | empty string if the user chooses not to provide it or the type
1074 | doesn't require an expiry month.
1075 |
1076 |
Set card["displayExpiryYear"] to a four-digit
1077 | string in the range "0000" to "9999", or
1078 | the empty string if the user chooses not to provide it or the
1079 | type doesn't require an expiry year.
1080 |
1081 |
Set card["displayNetwork"] to a string that
1082 | identifies the card network.
1083 |
1084 |
Set card["par"] to a 29-character string, or
1085 | the empty string if not available.
1086 |
Set card["billingAddress"] to
1102 | billingAddress.
1103 |
1104 |
1105 |
1106 |
Set cardNumber to a tokenized representation of
1107 | primary account number, a string of digits that ranges from 10
1108 | to 19 digits.
1109 |
1110 |
Set expiryYear to two-digit string ranging from
1111 | "01" to "12", or the empty string if the
1112 | user chooses not to provide it or the type doesn't require an
1113 | expiry month.
1114 |
1115 |
Set expiryMonth to a four-digit string in the range
1116 | "0000" to "9999", or the empty string if
1117 | the user chooses not to provide it or the type doesn't require
1118 | an expiry year.
1119 |
1145 | Until such time as we learn of intention by browsers/mediators to
1146 | implement this specification, we have eliminated discussion of
1147 | validation in this algorithm.
1148 |
1149 |
1150 |
1151 |
1152 |
1153 |
1154 | There is only one class of product that can claim conformance to this
1155 | specification: a payment handler.
1156 |
1168 | return TokenizedCardResponses whose members are formatted per
1169 | their definition in this specification.
1170 |
1171 |
1172 |
1173 |
1174 |
1175 | Security and Privacy Considerations
1176 |
1177 |
1178 |
1179 |
1180 |
1181 | Dependencies
1182 |
1183 |
1184 | This specification relies on several other underlying specifications.
1185 |
1186 |
1187 |
1188 | Payment Request API
1189 |
1190 |
1191 | The terms PaymentAddress and PaymentRequest
1192 | constructor are defined in Payment Request API
1193 | [[payment-request]].
1194 |
1195 |
1196 | Payment Method Identifiers
1197 |
1198 |
1199 | The term payment method
1200 | identifier and standardized payment method
1201 | identifier are defined by the Payment Method Identifier
1202 | specification [[!payment-method-id]].
1203 |
1204 |
1205 | Basic Card Payment
1206 |
1207 |
1208 | The terms basic-card,
1210 | BasicCardType,
1212 | cards, type, networks,
1216 | primary-account-number,
1218 | billing
1219 | address, and card holder's
1221 | name are defined in [[!payment-method-basic-card]].
1222 |
1223 |
1224 | EMVCo Tokenisation
1225 |
1226 |
1227 | The terms Payment Token,
1228 | Token Cryptogram,
1229 | Payment
1230 | Networks, Token Service Providers, Token Requestor ID, Token Requestor, Merchant Identifier and Tokenized Payment Method Credentials,
1236 | Token Reference ID, and
1237 | Payment Account Reference
1238 | are defined in [[EMVCO-TOKENIZATION]].
1239 |
1240 |
1241 | EMVCo 3-D Secure
1242 |
1243 |
1244 | The terms Electronic Commerce
1245 | Indicator is defined in [[EMVCO-3DS]].
1246 |
1247 |
1248 | Payment Method Encryption
1249 |
1250 |
1251 | The steps for response data encryption are described in
1252 | [[!webpayments-crypto]]. That specification defines the terms
1253 | content encryption
1254 | key, message
1255 | structure, and plaintext
1257 | encryption.
1258 |
1259 |
1260 | RFC6454
1261 |
1262 |
1263 | The term origin is defined in [[!RFC6454]].
1264 |
1265 |
1266 | ISO7812-1
1267 |
1268 |
1269 | ISO 7812-1 specifies a numbering system for the identification of the
1270 | card issuers, the format of the issuer identification number (IIN)
1271 | and the primary account number
1272 | (PAN).
1273 |
1274 |
1275 |
1276 |
1277 |
1278 | Appendix: Token Service Provider Considerations
1279 |
1280 |
1281 | The following Token Service Provider considerations are
1282 | explicitly out of scope for this specification.
1283 |
1284 |
1285 |
This specification focuses on standardizing data from an arbitrary
1286 | payment handler at transaction time. How provisioning takes place lies
1287 | outside the scope of this specification.
1288 |
1289 |
Any requirement for a KeyProvider to register/onboard with a Token
1290 | Service Provider, for example to establish cryptogram conventions or
1291 | other program-specific requirements.
1292 |
1293 |
1294 |
1295 |
1296 |
1297 |
1298 |
1299 | Appendix: Flow Diagrams
1300 |
1301 |
1302 |
1303 | First request for one-time use, recurring, card-on-file token
1304 |
1305 |
1306 | This diagram illustrates one flow where a payee requests a token (or
1307 | token reference id) for one-time use, recurring, or card-on-file.
1308 |
69 | The Tokenized Card Payment specification describes the data formats used by the
70 | PaymentRequest API [[!PAYMENTREQUESTAPI]] to support payment by tokenized payment cards.
71 |
If you wish to make comments regarding this document, please raise them as
83 | GitHub issues.
84 | Only send comments by email if you are unable to raise issues on GitHub (see
85 | links below). All comments are welcome.
86 |
87 |
88 |
89 |
90 |
Introduction
91 |
92 | This specification is a Payment Transaction Message Specification used by the PaymentRequest API
93 | [[!PAYMENTREQUESTAPI]] to support payment by tokenized payment cards.
94 |
95 |
Tokenization provides some advantages over traditional card payments - tokenized credentials are often narrowly scoped, for example single-use or merchant/amount/time scoped. Tokenized credentials also help alleviate some concerns about merchant data breaches since the merchant does not have the raw PAN. This provides some additional security for a consumer.
96 |
97 |
98 |
99 |
100 |
Dependencies
101 |
102 | This specification relies on several other underlying specifications.
103 |
104 |
105 |
Basic Card Payment
106 |
The term BasicCardResponse is defined by the Basic Card Payment specification [[!BASICCARD]].
107 |
Payment Request API
108 |
The term PaymentRequest constructor is defined by the PaymentRequest API
109 | specification [[!PAYMENTREQUESTAPI]].
110 |
Payment Method Identifiers
111 |
The term Payment
112 | Method Identifier is defined by the Payment Method Identifiers specification
113 | [[!METHODIDENTIFIERS]].
114 |
Web IDL
115 |
The IDL in this specification is defined by Web IDL [[!WEBIDL]].
Payment Method Specific Data for the PaymentRequest constructor
126 |
This section describes payment method specific data that is supplied as part of the data
127 | argument to the PaymentRequest constructor. This specification extends the BasicCardRequest (defined in [[!BASICCARD]]) with some additional fields required for tokenization.
139 | The TokenCardRequest dictionary contains the following fields:
140 |
141 |
142 |
143 |
supportedTokenTypes
144 |
The supportedTokenTypes field contains a sequence of token card types that the merchant
145 | accepts. The values mean the following:
146 |
147 |
"emv": These are tokens (typically single-use) provided by card networks (cf. supportedNetworks) that represent the underlying PAN.
148 |
"issuer": With these tokens, a provider serves as a card issuer by generating a new card number. This new card number is backed by the original PAN or by another funding source. During charging of these tokens, the provider translates the generated card number back into the original PAN or original funding source.
149 |
150 |
151 |
A payment service may wish to use emv tokens if its infrastructure supports sending a token/cryptogram combination. Issuer tokens may be preferred in cases where the card is not emv-tokenizable or if the merchant is unable to handle emv tokens.
152 |
153 |
The supportedNetworks and supportedTypes fields are both optional.
154 | If neither is provided then any card may be returned. If supportedNetworks
155 | is provided then any card that matches one of the supported networks is returned.
156 | If supportedTypes is provided then any card that matches one of the supported types is returned.
157 |
158 |
Implementations will determine how to match values of supportedTypes.
159 |
160 |
161 | This specification covers a limited number of supportedTokens. There are other types of tokens such as gateway tokens, but because they involve substantially different flows of information (e.g., merchant onboarding), this specification does not cover them.
162 |
163 |
164 |
165 |
166 |
Payment Method Response
167 |
168 | The TokenizedCardResponse dictionary contains the response from the PaymentRequest API when a user accepts payment with a Tokenized Payment Card payment method. This specification extends the BasicCardResponse (defined in [[!BASICCARD]]) with some additional fields required for tokenization. It should be noted that the "cardSecurityCode" from the BasicCardResponse will contain a card security code for issuer-based tokens, but will contain the cryptogram for network tokens. The combination of cardNumber (the token number) + cardSecurityCode (either cryptogram or security code - note that security code can be 3 or 4 digits) establishes a one-time use credential.
169 |
180 | The TokenizedCardResponse dictionary contains the following fields:
181 |
182 |
183 |
184 |
cardLast4
185 |
The cardLast4 field contains the last 4 digits of the original (non-token) primary account number (PAN) for the payment card. This may be used for display purposes during the purchase.
186 |
tokenType
187 |
The tokenType field contains the token type selected by the user. This is one of the values of supportedTypes.
188 |
tokenRequesterId
189 |
The tokenRequesterId field contains ID of the entity that requested the token from the network (likely the creator of the payment app). This field is only applicable when tokenType is "emv".
260 |
261 |
262 |
263 |
264 |
265 |
--------------------------------------------------------------------------------
/utils.js:
--------------------------------------------------------------------------------
1 | // We should be able to remove terms that are not actually
2 | // referenced from the common definitions
3 | //
4 | // the termlist is in a block of class "termlist", so make sure that
5 | // has an ID and put that ID into the termLists array so we can
6 | // interrogate all of the included termlists later.
7 | var termNames = [] ;
8 | var termLists = [] ;
9 | var termsReferencedByTerms = [] ;
10 |
11 | function restrictReferences(utils, content) {
12 | var base = document.createElement("div");
13 | base.innerHTML = content;
14 |
15 | // New new logic:
16 | //
17 | // 1. build a list of all term-internal references
18 | // 2. When ready to process, for each reference INTO the terms,
19 | // remove any terms they reference from the termNames array too.
20 | $.each(base.querySelectorAll("dfn"), function(i, item) {
21 | var $t = $(item) ;
22 | var titles = $t.getDfnTitles();
23 | var n = $t.makeID("dfn", titles[0]);
24 | if (n) {
25 | termNames[n] = $t.parent() ;
26 | }
27 | });
28 |
29 | var $container = $(".termlist",base) ;
30 | var containerID = $container.makeID("", "terms") ;
31 | termLists.push(containerID) ;
32 |
33 | // add a handler to come in after all the definitions are resolved
34 | //
35 | // New logic: If the reference is within a 'dl' element of
36 | // class 'termlist', and if the target of that reference is
37 | // also within a 'dl' element of class 'termlist', then
38 | // consider it an internal reference and ignore it.
39 |
40 | return (base.innerHTML);
41 | }
42 |
43 | require(["core/pubsubhub"], function(respecEvents) {
44 | "use strict";
45 | respecEvents.sub('end', function(message) {
46 | if (message == 'core/link-to-dfn') {
47 | // all definitions are linked; find any internal references
48 | $(".termlist a.internalDFN").each(function() {
49 | var $r = $(this);
50 | var id = $r.attr('href');
51 | var idref = id.replace(/^#/,"") ;
52 | if (termNames[idref]) {
53 | // this is a reference to another term
54 | // what is the idref of THIS term?
55 | var $def = $r.closest('dd') ;
56 | if ($def.length) {
57 | var $p = $def.prev('dt').find('dfn') ;
58 | var tid = $p.attr('id') ;
59 | if (tid) {
60 | if (termsReferencedByTerms[tid]) {
61 | termsReferencedByTerms[tid].push(idref);
62 | } else {
63 | termsReferencedByTerms[tid] = [] ;
64 | termsReferencedByTerms[tid].push(idref);
65 | }
66 | }
67 | }
68 | }
69 | }) ;
70 |
71 | // clearRefs is recursive. Walk down the tree of
72 | // references to ensure that all references are resolved.
73 | var clearRefs = function(theTerm) {
74 | if ( termsReferencedByTerms[theTerm] ) {
75 | $.each(termsReferencedByTerms[theTerm], function(i, item) {
76 | if (termNames[item]) {
77 | delete termNames[item];
78 | clearRefs(item);
79 | }
80 | });
81 | }
82 | // make sure this term doesn't get removed
83 | if (termNames[theTerm]) {
84 | delete termNames[theTerm];
85 | }
86 | };
87 |
88 | // now termsReferencedByTerms has ALL terms that
89 | // reference other terms, and a list of the
90 | // terms that they reference
91 | $("a.internalDFN").each(function () {
92 | var $item = $(this) ;
93 | var t = $item.attr('href');
94 | var r = t.replace(/^#/,"") ;
95 | // if the item is outside the term list
96 | if ( ! $item.closest('dl.termlist').length ) {
97 | clearRefs(r);
98 | }
99 | });
100 |
101 | // delete any terms that were not referenced.
102 | Object.keys(termNames).forEach(function(term) {
103 | var $p = $("#"+term) ;
104 | if ($p) {
105 | var tList = $p.getDfnTitles();
106 | $p.parent().next().remove();
107 | $p.remove() ;
108 | tList.forEach(function( item ) {
109 | if (respecConfig.definitionMap[item]) {
110 | delete respecConfig.definitionMap[item];
111 | }
112 | });
113 | }
114 | });
115 | }
116 | });
117 | });
118 |
--------------------------------------------------------------------------------
/w3c.json:
--------------------------------------------------------------------------------
1 | {
2 | "group": ["83744"]
3 | , "contacts": ["ianbjacobs"]
4 | , "shortName": "webpayments-methods-tokenization"
5 | , "repo-type": "others"
6 | , "exposed": false
7 | }
8 |
--------------------------------------------------------------------------------
1314 | 
1329 | 
