[ietf-enroll] Using credit cards during "enrollment"
Max Pritikin
pritikin at cisco.com
Fri May 21 18:19:38 EDT 2004
During these discussions, and in some of the scenarios passed around, we
have discussed using credit cards during the enrollment. In my recent
post I indicated a TTI scenarios document where (scenario 4) I argue
that this use of credit cards is not good, and indicate how TTI can be
used to address this.
http://www.employees.org/~czmax/tti/framework-doc-tti-scenarios.txt
In summary, TTI would address this by something like:
- User connects to Merchant. User puts some stuff in the shopping cart
and clicks Checkout.
- Merchant site computes payment total, list of stuff and redirects the
user session to Visa/MC/etc (chosen by customer)
- customer auths himself to Visa (using credit card number or existing
visa online account). Then approves the payment. Visa checks the balance
and approves the payment, issuing receipts to Merchant and Customer.
- customer session is back on the Merchant site. Merchant server
approves Visa receipt and issues a new receipt (final receipt) for
customer.
In contrast VISA currently has a 'Cardholder Information Security
Program' to attempt to keep the credit card information secure:
http://usa.visa.com/business/merchants/cisp_index.html?it=search#b
"CISP defines a standard of due care for securing Visa cardholder data,
wherever it is located. CISP compliance has been required of all
entities storing, processing, or transmitting Visa cardholder data."
This is worth looking at as an example of how desperately our work here
is needed.
- Max
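
The redirect flow outlined in the message above, as an added sketch that is not part of the original post or the TTI scenarios document. It shows the merchant accepting a payment without ever handling the card number. The HMAC-SHA256 receipt format, the key shared between issuer and merchant, all function and field names, and the sample cart and card number are assumptions made for illustration; only the merchant's copy of the issuer receipt is modelled.

```python
import hashlib, hmac, json, secrets

# Assumption: issuer and merchant share a MAC key provisioned out of band.
# The post does not say how receipts are authenticated.
ISSUER_KEY = secrets.token_bytes(32)
MERCHANT_KEY = secrets.token_bytes(32)  # merchant's own receipt key

def _mac(key, body):
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def merchant_checkout(cart):
    """Merchant computes the total; this order travels with the redirect."""
    return {"order_id": secrets.token_hex(8), "items": sorted(cart),
            "total_cents": sum(cart.values())}

def issuer_approve(order, card_number, balance_cents):
    """Issuer authenticates the customer and checks the balance.
    The card number is used only here and never enters the receipt."""
    if not card_number or order["total_cents"] > balance_cents:
        return None  # declined: no receipt issued
    body = {"order_id": order["order_id"],
            "total_cents": order["total_cents"], "approved": True}
    return {"body": body, "mac": _mac(ISSUER_KEY, body)}

def merchant_finalize(order, receipt, seen_orders):
    """Merchant verifies the issuer receipt and issues the final receipt."""
    if receipt is None:
        raise ValueError("payment declined")
    body = receipt["body"]
    if not hmac.compare_digest(receipt["mac"], _mac(ISSUER_KEY, body)):
        raise ValueError("issuer receipt failed verification")
    if (body["order_id"], body["total_cents"]) != (order["order_id"], order["total_cents"]):
        raise ValueError("receipt does not match this order")
    if order["order_id"] in seen_orders:
        raise ValueError("receipt already redeemed")
    seen_orders.add(order["order_id"])
    final = {"order_id": order["order_id"], "paid_cents": body["total_cents"]}
    return {"body": final, "mac": _mac(MERCHANT_KEY, final)}

if __name__ == "__main__":
    order = merchant_checkout({"book": 1500, "pen": 250})  # constructed cart
    receipt = issuer_approve(order, "4111111111111111", 5000)  # constructed card
    print(merchant_finalize(order, receipt, set()))
```

The merchant-side checks bind the issuer receipt to one order and one amount and refuse a second redemption, so the only thing the merchant has to store is the receipt.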