Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Tokenized Card Payment] Replace usage of 'last4' with 'suffix' #211

Closed
nickjshearer opened this issue Feb 14, 2017 · 8 comments
Closed

Comments

@nickjshearer
Copy link

Ian requested some feedback on this proposal, which I am happy to provide. Note that my feedback should not be taken as an endorsement of the proposal itself.

In https://w3c.github.io/webpayments/proposals/tokenized_cards.html#response

dictionary TokenizedCardResponse : BasicCardResponse {
    required DOMString cardLast4;
             DOMString tokenType;
             DOMString tokenRequesterId;
};

Although many cards and networks sanitize to the last four digits, there are some edge cases where that doesn't happen. I would recommend renaming this to something along the lines of cardSuffix.

@doodi-v1
Copy link

While I agree edge cases need to be addressed, cardSuffix seems less intuitive than cardLast4 and has the potential to be less standardized (maybe this will help to push the edges toward the center). To support the edge cases I would recommend adding cardSuffix as an optional parameter (I'm new to this group and this spec so I apologize if optional parameters are not supported).

The other note that I would add, and another can of worms, I would recommend moving away from card references and instead replace "card" with "account". There are many payment types that do not have physical cards and at some point as the payments environment evolves the reference to card may date the spec.

@kphfb
Copy link
Contributor

kphfb commented Feb 16, 2017 via email

@nickjshearer
Copy link
Author

@nick Can you elaborate bit on the cases where last 4 doesn’t make sense?

Because merchants in some jurisdictions may be subject to different requirements, be them lax or more stringent. FACTA in the US, for example, requires five digits or less - there are some merchants (a small number, I'll give you) who truncate to five instead of four. Since the goal for this spec seems to be to allow tokenized cards to plug directly into a basic card processing flow we should probably try and support those merchants with their existing flows.

Putting that aside, there's nothing to stop a regulator in a particular country from deciding that they want to, say, truncate to three digits on receipts. So it's because of those global variations that I'd strongly recommend not placing any assumptions about the length of the number in the property name. If suffix doesn't feel right I'm sure we can find something else that fits?

The other note that I would add, and another can of worms, I would recommend moving away from card references and instead replace "card" with "account".

Given this seems to inherit in part from basic card I'm not sure that makes sense without changing the basic card naming to match (which I think might be a good idea).

@kphfb
Copy link
Contributor

kphfb commented Feb 16, 2017 via email

@ianbjacobs
Copy link
Contributor

@doodi-v1 wrote:

'I would recommend moving away from card references and instead replace "card" with "account".'

@nickjshearer wrote:

"Given this seems to inherit in part from basic card I'm not sure that makes sense without changing the basic card naming to match (which I think might be a good idea)."

-1 to this proposal. Basic Card really is meant to address card payments, using PR API instead of
a Web form. Creating a different abstraction that is more generic will dilute that message. It will also slow down the progress of that specification to figure out what abstraction to create to
encompass other payment systems (and what filters are appropriate). I also don't know what
impact this would have on existing implementations.

It's fine to propose new abstraction payment methods for consideration, but I don't think we should disrupt Basic Card at this point.

Ian

@adrianhopebailie
Copy link
Collaborator

Interesting, so how would the provider of the token know how many digits to include?

That's not something they'd know from this spec. It's specific to the local scheme rules. The spec must simply accommodate as many of the various rules that are out there.

Another consideration is where this field holds just the "unmasked" PAN values (1234) or a masked PAN including the masking characters (************1234). If it is the latter I'd recommend calling the field maskedPan or similar.

@ianbjacobs
Copy link
Contributor

@adrianhopebailie,

The spec says "the last 4 digits of the original (non-token) primary account number (PAN) for the payment card. This may be used for display purposes during the purchase."

So I think that answers your question: the value does not include the masking characters.

Regarding the name, Basic Card uses "cardNumber" so how about "cardNumberHint" ?

Ian

@ianbjacobs
Copy link
Contributor

Now that we have a tokenization spec repo, I am closing this issue in favor of:
w3c/webpayments-methods-tokenization#4

Ian

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants