Comments (8)
@janaka, thanks for checking in. We continue to have conversations with our open banking colleagues (e.g., Berlin Group) about integration of SPC. I don't have any pointers to concrete change requests at this time.
from secure-payment-confirmation.
Hi all, wondering what the latest status is on open banking integration? Issues #185 and #186 seem to be it? Any other issues or places to follow progress?
Hello @janaka. I think the key to SPC adoption in open banking largely lies in the standards that implement FAPI - UK, CDR, Brazil, etc. - creating a profile that allows the Payment Assertion to be sent to the ASPSP under the covers of an OpenID Connect flow. In my head the flow looks like this:
- SPC Relying Party contacts ASPSP for challenge to seed SPC. This could be done during consent/grant management interaction that typically happens prior to authentication/authorisation.
- With challenge in-hand SPC can be invoked. Based on successful authorisation a Payment Assertion is minted.
- The Relying Party can then use - ideally - CIBA to send an Authorisation Request to the ASPSP, with the Payment Assertion used to set the value of `login_hint`. The ASPSPs can then validate the Payment Assertion using the public key they hold.
For many markets SPC therefore snuggles up nicely with existing protocols. However, adoption will require buy-in to Webauthn and then SPC as alternative to app-to-app or web-to-app authentication which is prevalent in all markets. The onus here is on ASPSPs to adopt, and given the high level of investment to date by ASPSPs for functionality that is largely for regulatory compliance in many markets, cutting in a new authentication standard may be a stretch. My fingers are, however, crossed given the recent fanfare around Passkeys and how that might force things along.
The PISP concept (unlike AISP) does not presume that the User is known by the PISP making "Your PISP" a less useful term
Under PSD2 I don't believe this is true. The PISP is the regulated entity and the legal contract is between the PSU and PISP. It therefore not only presumes, it relies absolutely on the PSU and PISP knowing each other.
@SensibleWood This sounds a bit strange. A user has no way of selecting "Your PISP"; it is done by the Merchant, who has a commercial contract with the PISP. The user (PSU) is usually anonymous with respect to the PISP.
May I ask how and where the PISP would manifest itself in your proposal? Does it presume PISP login as well?
@cyberphone in the paper I wrote there is no concept of "your PISP" so I find it strange you have read this from the paper.
I dispute what you say when you consider PSD2. The PSU will absolutely know - or be made aware of - who the PISP is, as there are obligations the PISP has to fulfil. For example, look at the UK open banking customer experience guidelines: https://standards.openbanking.org.uk/customer-experience-guidelines/pis-core-journeys/single-domestic-payments-acc-selection-pisp/latest/ PISP is splattered all over it.
As far as PSD2 is concerned there is no "putting the PISP in the same position as a payment gateway" as that is simply not possible in the construct of the regulations and, for that matter the implementation in most territories. I get the merits from the perspective of a ubiquitous, one-size-fits-all solution but that ain't going to cut it when it comes to working in regulated markets like the EU. SPC must make accommodations for these facts otherwise it is less likely to succeed as a proposal.
@SensibleWood There is indeed no "Your PISP" in your paper but from what you write there must be something of that kind, and I'm curious to know how and where in an SPC context. In the sequence diagram you make Merchant=PISP which hides the rather awkward "Ménage à trois" I'm referring to.
FWIW, I was recently a member of an Ad-hoc WG "to make payments better" associated with the Berlin Group NextGenPSD2 effort. One of the proposals which nobody objected to was based on existing EMV terminals and cards used in a PISP/GW scenario. I believe the resulting standard proposal (Signed Payment Request) is still under serious consideration.
I will perform some private research on this topic.
Closing this for now. I anticipate we will open more specific issues once we work more closely on integration of SPC into particular open banking rails.