Add more detail to cryptogram flows #52
Description
When a merchant has a token-on-file and requests a cryptogram for a subsequent transaction, they have the option of requesting the cryptogram through a backend integration, or throught payment request API via the token-cryptogram payment method.
The token itself may have domain controls on it meaning that only the original token requestor can request subsequent cryptograms.
If the token requestor was a payment handler (browser or third party) this means reusing the same one for subsequent transactions. This may not raise issues generally, but the question has come up: what happens if the user does not have the same piece of software (e.g., the first transaction took place from a home computer, and subsequent transactions might happen from a work computer)? Do people think that is an important use case (for version 1 of this specification)?
If the token requestor was the merchant, this creates some opportunities for greater flexibility (at least in theory) - the user might be able to use a broader set of browsers and/or payment handlers, provided those software agents can speak to the TSP that minted the original token.