[OpenID] My 2 Cents to the OpenID foundation

Peter Williams pwilliams at rapattoni.com
Wed Apr 8 14:54:31 UTC 2009


PCI does not address the security of the payment flow itself.

It addresses the pre-conditions of security, through risk management practices. PCI is little more than BS7799 best practices, tuned up for credit card data, to which an enforcement regime has been attached.

Today, a browser user on a non PCI-controlled site applies SSL to access a web form at the old VeriSign payment gateway, now hosted/owned by PayPal. Over that SSL channel PCI-controlled data flows between a PCI-complying site and the user's home (which is typically not a controlled environment). There is no reason under PCI why an RP could not be an agent of that user, using AX over https to cooperate with an OP fronting that very web form with an AX gateway at PayPal. PCI doesn't care, and doesn't constrain protocols. As long as the RP site/system can pass its PCI audit, nothing in the PCI criteria constrains the protocol selection - the particular audit firms may (probably because they only have methodologies for particular protocol suites, and wish to sell that).


It is also unlikely that PCI rules are going to allow any OP to store credit card numbers and make them available via AX.
There is going to have to be something other than AX as it is now for authenticating financial transactions.

