Micro.blog

manton

Thanks to everyone who pre-ordered Indie Microblogging this week. It’s great motivation for me to push through the work and ship by January 2nd. Details here: book.micro.blog

Jerm

@manton I for one would have pre-ordered if you were not requiring my actual credit card details; lots of people don’t like entering those anymore.

manton

@Jerm You mean something like Apple Pay for convenience, or are you concerned about security? Credit cards are sent securely directly to Stripe for processing, so we never see them.

Jerm

@manton It’s not that I don’t trust you personally but I think people prefer some kind of nominal separation, more and more, ApplePay, PayPal etc.

manton

@Jerm I prefer Apple Pay myself, but even with Apple Pay the credit card details still end up in Stripe, so it's less about separation and more convenience or trust in the payment form.

verumsolum

@manton Are you sure about that? I thought that Apple Pay didn't end up sharing actual card info. At least that's how I interpreted the privacy and security section of Apple's Apple Pay information:

When you make a purchase, Apple Pay uses a device-specific number and unique transaction code. So your card number is never stored on your device or on Apple servers, and when you pay, your card numbers are never shared by Apple with merchants. (Emphasis added.)

manton

@verumsolum @Jerm I guess I'm not sure, but I know that Stripe at least gets the last 4 digits, expiration, billing address, etc. Even when using a card directly Micro.blog never sees the number, so it seems comparable from a privacy perspective, but I may be wrong.

aaronpk
@manton Apple Pay generates a sort of proxy credit card number that is shared and used by the merchant. It can still be (ab)used just like your normal CC number though.
aaronpk
@manton In general the credit card system in the US is so broken that it's not worth worrying about these minor differences anyway. At the end of the day, any problems are resolved by the fraud department.
JohnPhilpin

@aaronpk

“In general the credit card system in the US is so broken”

... leading the way again.

American exceptionalism.

fgtech

@manton What @aaronpk says is right. Apple generates that pseudo-number when you register your card for Apple Pay. Once I misplaced my phone and activated lost mode. Doing so wipes all card info from your device. You need to re-register each card and they get new pseudo-numbers.

manton

@fgtech @aaronpk I used to think that, but seeing the real last 4 digits in Stripe convinced me otherwise. They could be preserving the last 4 in the generated number or passing it as metadata, though.

fgtech

@manton Oh, wow. Maybe it has changed since I had my lost iPhone then. Or maybe Stripe is special somehow.

aaronpk
@manton Could be that Apple Pay for websites doesn't do the proxy number that Apple Pay contactless does. On my grocery store receipts it's a different last 4 digits than my actual card.
manton

@aaronpk Interesting. In this Apple support document there are separate sections for in-store vs. web payments, but they seem similar.

aaronpk
@manton hm that does say explicitly "Apple sends your Device Account Number to the app or website along with the transaction-specific dynamic security code. Neither Apple nor your device sends your actual payment card number to the app." So I wonder if somehow the last 4 of the real number are sent to the processor too.
fgtech

@aaronpk @manton Grocery store receipts are exactly where I first noticed the change in last 4 digits. It’s unlikely Apple could generate another number while keeping those last digits the same. There’s a checksum involved so the number must be internally consistent.

fgtech

@manton @aaronpk That support document is very interesting. Looks like the metadata idea is right. Apple claims not to keep your original card number at all, but may have “a portion” of it as well as “a portion” of the device account number.