Micro.blog

Thanks to everyone who pre-ordered Indie Microblogging this week. It’s great motivation for me to push through the work and ship by January 2nd. Details here: book.micro.blog

@manton I for one would have pre-ordered if you were not requiring my actual credit card details, lots of people don’t like entering those anymore.

@Jerm You mean something like Apple Pay for convenience, or are you concerned about security? Credit cards are sent securely directly to Stripe for processing, so we never see them.

@manton It’s not that I don’t trust you personally but I think people prefer some kind of nominal separation, more and more, ApplePay, PayPal etc.

@Jerm I prefer Apple Pay myself, but even with Apple Pay the credit card details still end up in Stripe, so it's less about separation and more convenience or trust in the payment form.

@manton Are you sure about that? I thought that Apple Pay didn't end up sharing actual card info. At least that's how I interpreted the privacy and security section of Apple's Apple Pay information

When you make a purchase, Apple Pay uses a device-specific number and unique transaction code. So your card number is never stored on your device or on Apple servers, and when you pay, your card numbers are never shared by Apple with merchants. (Emphasis added.)

@verumsolum @Jerm I guess I'm not sure, but I know that Stripe at least gets the last 4 digits, expiration, billing address, etc. Even when using a card directly Micro.blog never sees the number, so it seems comparable from a privacy perspective, but I may be wrong.

@manton Apple Pay generates a sort of proxy credit card number that is shared and used by the merchant. It can still be (ab)used just like your normal CC number though.

@manton In general the credit card system in the US is so broken that it's not worth worrying about these minor differences anyway. At the end of the day, any problems are resolved by the fraud department.

@aaronpk

” In general the credit card system in the US is so broken”

... leading the way again.

American exceptionalism.

@manton What @aaronpk says is right. Apple generates that pseudo-number when you register your card for Apple Pay. Once I misplaced my phone and activated lost mode. Doing so wipes all card info from your device. You need to re-register each card and they get new pseudo-numbers.

@fgtech @aaronpk I used to think that, but seeing the real last 4 digits in Stripe convinced me otherwise. They could be preserving the last 4 in the generated number or passing it as metadata, though.

@manton Oh, wow. Maybe it has changed since I had my lost iPhone then. Or maybe Stripe is special somehow.

@manton Could be that Apple Pay for websites doesn't do the proxy number that Apple Pay contactless does. On my grocery store receipts it's a different last 4 digits than my actual card.

@manton hm that does say explicitly "Apple sends your Device Account Number to the app or website along with the transaction-specific dynamic security code. Neither Apple nor your device sends your actual payment card number to the app." So I wonder if somehow the last 4 of the real number are sent to the processor too.

@aaronpk @manton Grocery store receipts are exactly where I first noticed the change in last 4 digits. It’s unlikely Apple could generate another number while keeping those last digits the same. There’s a checksum involved so the number must be internally consistent.

@manton @aaronpk That support document is very interesting. Looks like the metadata idea is right. Apple claims not to keep your original card number at all, but may have “a portion” of it as well as “a portion” of the device account number.