Where does tokenisation occur in the the flow - and do we care

[mattsaxon]

A number of the flows so far discussed show tokenisaton occuring during the call to PaymentRequest.

Whilst this is indeed possible and a valid use case, there are many cases where the token has been created earlier, e.g;

1. At payment app registration time
2. At user registration time with the payment app provider

We should make it clear that the time the token is created is to a large extent independent of the PMI definition

[MasterKeyur]

Tokenization occurs in payment handler. It should not matter to merchant where tokenization happens. Payment Handler can be PSP or Wallet or Bank. Payment Handler will need to connect to TSP (Tokenization Service Provider) to tokenize cards.

[stpeter]

@MasterKeyur When we say "where tokenization happens", are we referring to various token types - as in post-authorization vs. pre-authorization tokens, and (among the latter) acquiring tokens vs. payment tokens vs. issuer tokens?

[stpeter]

To be specific: it would be helpful to describe exactly what the scope of this document is. Right now https://w3c.github.io/webpayments-methods-tokenization/index.html says "The tokens anticipated by this specification are "network" or "issuer" tokens." That appears to leave out acquiring tokens and payment tokens (and, as far as I understand it, EMVCo tokens are typically payment tokens). That's fine by me, but let's make it clear. :-)

[ianbjacobs]

@stpeter,

Previously in this task force we looked at encompassing more token types. However, based on discussions with organizations that create opaque tokens for merchants, we concluded it was unlikely that they would move that functionality into payment handlers. Consequently, the scope of the work became more clearly "issuer tokens."

This also relates to issue #27, but @adrianhopebailie's review was of an outdated draft. I think at this point we should really focus on issuer tokens. I believe that includes seeing whether various *Pay systems could leverage the work rather than use proprietary approaches.

Ian

[stpeter]

@ianbjacobs I'm a fan of issuer tokens (because the user has a trust relationship with the issuer but not with acquirers or other entities in the middle), so this seems like a fine approach!