> >> Regarding #4: The digital signature makes the transaction tamperproof.
> >
> >But, the transaction is sent twice: once for display in the password
> >dialog and again for authorization. A digital signature guarantees
> >integrity through one data transit. But it doesn't guarantee
> >equivalence of two separate transmissions sent to two separate servers.
>
> The transaction sent twice? I do not have the latest draft so I
> may be misinformed but I thought the transaction request (Shopping Cart)
> was sent to the customer's bank through the browser. The return
> is not a shopping cart but a payment authorization.

I don't think that's how it works. If I'm understanding you, you're saying
authentication and authorization are done in one step. The merchant asks
the issuer to do both and return a payment authorization. But that's not
what's happening. VbV is a two-pass process. The merchant asks for
authentication (issuer). If successful, merchant then asks for
authorization (acquirer).

> >For example, the merchant sends transaction information to issuer for
> >display in password dialog. Digital signature guarantees issuer
> >receives untampered transaction data. After authentication, merchant
> >sends transaction to acquirer. Digital signature guarantees acquirer
> >receives untampered transaction data. But, the digital signatures don't
> >ensure the issuer and acquirer got the same data. Right?
>
> Acquirer can only use data that the issuer issued (under the control of
> its client),
> so I don't understand what the merchant could do in this case.

The issuer doesn't issue the data. The merchant does. The issuer only
issues a "success" code for authentication.
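
The gap discussed in this message, as an added illustration that is not part of the original thread or of the VbV specification: two messages that each pass their own integrity check can still carry different transaction data, and the acquirer only notices if the issuer's "success" result is bound to a digest of what the issuer displayed. HMAC stands in for the digital signatures, and the keys, field names and the binding token are all assumptions made for this sketch.

```python
import hashlib, hmac, json

# Constructed keys: HMAC stands in for the digital signatures in the thread.
MERCHANT_KEY = b"merchant-demo-key"  # protects each merchant message in transit
ISSUER_KEY = b"issuer-demo-key"      # assumption: the acquirer can verify issuer tags

def canon(txn):
    """Canonical byte encoding so equal transactions hash equally."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key, data, tag):
    return hmac.compare_digest(sign(key, data), tag)

def issuer_authenticate(txn, merchant_sig):
    """Pass 1: check transit integrity, display txn to the cardholder, and
    return a token bound to a digest of exactly what was displayed."""
    if not verify(MERCHANT_KEY, canon(txn), merchant_sig):
        return None
    digest = hashlib.sha256(canon(txn)).hexdigest()
    return {"status": "success", "txn_digest": digest,
            "tag": sign(ISSUER_KEY, b"success|" + digest.encode())}

def acquirer_authorize(txn, merchant_sig, token, require_binding):
    """Pass 2: check transit integrity; optionally also check that the
    issuer's token covers the same transaction data."""
    if token is None or not verify(MERCHANT_KEY, canon(txn), merchant_sig):
        return False
    if not require_binding:
        return token["status"] == "success"  # bare "success" code only
    digest = hashlib.sha256(canon(txn)).hexdigest()
    return (hmac.compare_digest(digest, token["txn_digest"])
            and verify(ISSUER_KEY, b"success|" + digest.encode(), token["tag"]))

def demo():
    shown = {"merchant": "shop-1", "amount": "10.00", "currency": "USD"}
    sent = dict(shown, amount="100.00")  # differs from what the cardholder saw
    token = issuer_authenticate(shown, sign(MERCHANT_KEY, canon(shown)))
    sig_sent = sign(MERCHANT_KEY, canon(sent))
    sig_shown = sign(MERCHANT_KEY, canon(shown))
    return {
        "per_transit_only": acquirer_authorize(sent, sig_sent, token, False),
        "bound_mismatch": acquirer_authorize(sent, sig_sent, token, True),
        "bound_match": acquirer_authorize(shown, sig_shown, token, True),
    }
```
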
