The other day I was reading some recent thoughts by Kim Cameron about Information Cards and CardSpace. It had gotten me thinking about the usage of cards and when they would be rolled out in the financial area. In particular, wouldn't it be really cool to be able to use managed cards instead of having to enter credit card information when trying to purchase something online? You might ask what the benefit of this would be... well, I'll get to that in a minute. Today, while reading through all the recent posts on Planet Identity, I was pleasantly surprised to come across an entry by Andre Durand from Ping Identity. He and another developer had put together a demo, integrating Information Cards and an e-commerce site, demonstrated at Digital ID World 2007, that does exactly what I was thinking of. Now, how soon until this is a reality is my question.
Anyways, here was what I had on my mind prior to seeing it. I, for one, use temporary credit card numbers. This means that every time I want to make a transaction, I have to go to my financial institution, log in, generate a one-time use number and CVV, cut and paste those into the merchant's form fields and then hit submit. It would be greatly simplified if the merchant would accept cards, which means I just click on their "submit credit card i-card" button, at which point I would be asked for my credentials by my financial institution, and have a one-time generated card number, expiration date and CVV automatically created and then submitted to the merchant's site. This would not only save me time and steps, but definitely eliminate the possibility that I accidentally sign into a phishing site, thus exposing my credentials and allowing attackers access to my financial information.
The reason why Kim's article had gotten me thinking about this is that I don't see why financial institutions wouldn't be rushing to get this implemented out in the real world. From their side, all they need to do is get the infrastructure in place to provide and manage the managed cards. They already have the software in place for users to provide credentials and retrieve the temporary numbers. On the merchant side, there also is little work involved. Provide the hooks and backend to handle submitted infocards. There is really no change to their existing software or business processes. The data points for the credit card (number, expiration date, CCV, etc.) are the same, so all that would be required is to take the data from the submitted card and pass it off to the existing process. This also gets rid of the issue of trying to filter out card types in the selector from those that the merchant doesn't accept. My opinion is who cares? Nothing is stopping someone right now from entering in a Diners Club card to a merchant who doesn't accept them. The user simply gets an error saying that they need to use a different type of card.
It would be great if the credit card companies could get, say, someone like Amazon to buy into this. It would get things moving along in a major way. The only potential sticking point to this I could really come up with is getting all the credit card companies to agree on a common format. Worst case is that each has their own, but then it would be up to the merchant to make sure their software could understand all the different formats and parse them appropriately. I guess time will tell.