This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
identity-canon/research/commercial-identity/payment-credential-pci-boundary.md
tegwick 08361f6fb7 Settle commercial identity nuances with consolidated enums and linking rules
Add commercial-identity-nuance-settlement.md resolving control_basis,
binding_trigger, cross-registry Synonymity strengths, OPI branch modeling,
escrow commitment type, reputation portability, payment edge cases, CRM renewal
rules, Person Account adapters, and eIDAS wallet scope. Update canon, OpenQuestions,
and all commercial-identity source notes.
2026-06-21 23:21:21 +02:00

171 lines
7.4 KiB
Markdown

# Payment Credential Boundary — PCI and Commercial Commitment
## Source Type
Standards and product synthesis. PCI DSS tokenization guidance, Stripe Payment
Methods / SetupIntents, and identity-canon Credential vs. Commercial Commitment
separation.
## Domain
Payment instruments on billing customers — what belongs in canonical identity
model vs. PCI-scoped downstream vaults, and how charge authorization relates to
Commercial Commitment.
## Why This Source Matters
Stripe **Customer** objects carry **payment methods**, and canon **Credential**
already covers secrets and proof material. Collapsing them causes two failures:
1. **PCI scope bleed** — modeling PAN, CVV, or vault secrets in identity canon
implies they belong in general identity stores.
2. **Semantic collision** — login passkeys and payment mandates both "authorize
something" but authorize **authentication** vs. **commercial debit**.
Payment methods are commercially binding (tier 3 assurance) when they encode
**mandate to charge** — but the binding artifact is the **authorization/commitment**,
not the token reference.
## Key Concepts
### PCI DSS data categories
- **CHD (cardholder data)**: PAN, cardholder name, expiration, service code.
- **Sensitive authentication data (SAD)**: CVV/CVC, full track data, PIN — never
stored after authorization per PCI.
- **Token**: surrogate value replacing PAN; if properly implemented, token in
merchant environment is **out of PCI CHD scope** (PCI tokenization guidelines).
- **Scope principle**: systems that store, process, or transmit CHD fall under PCI;
token references (`pm_xxx`) in app DBs are not CHD when only the token exists.
### Stripe payment object model
- **PaymentMethod** (`pm_xxx`): reusable payment details attached to Customer;
contains type-specific non-transaction data (last4, fingerprint, billing details).
- **SetupIntent**: establishes future off-session payment — creates mandate to charge.
- **PaymentIntent**: one-time or reusable charge attempt.
- **Customer**: billing container; payment methods attach here, not to login User.
- **Mandates** (SEPA, Bacs, etc.): explicit customer authorization for debits.
### Authentication vs. payment authorization
| Dimension | Authentication credential | Payment authorization |
| --- | --- | --- |
| Proves | Identity / session control | Right to debit funds |
| Scope | IdP, app login, federation | Payment network / acquirer |
| Regulation | NIST 800-63, OIDC | PCI DSS, PSD2 SCA, Nacha |
| Canon home | Credential | Payment Mandate (Commercial Commitment) |
| Secret handling | Passkey, password hash | CHD in vault only; token ref in app |
## Modeling Assumptions
- **Canon is implementation-neutral** but must not encourage CHD in identity layers.
- **Payment provider owns payment truth**; app holds references and commitment state.
- **Reusable payment method** implies **Commercial Commitment** (payment mandate)
when customer consented to future charges (SetupIntent succeeded, card on file).
- **Single-use payment methods** may exist only for one PaymentIntent — weaker
commitment, often no reusable mandate.
- **Subscription** is separate Commercial Commitment (recurring service obligation);
payment mandate is **enabling** commitment for collection.
- **Webhook events** (`setup_intent.succeeded`, `payment_method.attached`) are
**Evidence Source** for mandate lifecycle.
## Identity-Canon Implications
### Resolved: do not map payment methods to Credential
**Credential** in canon covers authentication, federation, and entitlement proof
(passkey, password, certificate, VC). **Payment methods are not Credentials.**
Raw CHD and SAD are **out of canon entirely** — downstream PCI vault / payment
provider only.
### Payment Instrument Reference
Add **Payment Instrument Reference** — Reference layer value scoped to a payment
provider (Stripe `pm_xxx`, fingerprint, display last4, mandate ID). Links to
**Commercial Record**, not to login **Account**.
Properties:
- `provider_scope` — Stripe account, Adyen merchant, etc.
- `instrument_type` — card, sepa_debit, us_bank_account, etc.
- `reference_id` — provider token (not PAN).
- `reusable` — boolean.
- `lifecycle_state` — attached, detached, expired, revoked.
This is a **Scoped Identifier** specialization, not a Credential.
### Payment Mandate as Commercial Commitment
When a customer authorizes future charges (SetupIntent success, SEPA mandate
signed, card saved with explicit consent), model **Payment Mandate** as a
**Commercial Commitment** subtype:
- `commitment_type: payment_mandate`
- `lifecycle_state`: proposed → active → revoked → expired
- Parties: customer actor (via Commercial Record) and vendor/payment facilitator
- **Evidence Source**: SetupIntent result, mandate document, SCA proof metadata
- `assurance_tier: committed` on Counterparty Assurance Gradient
**Subscription** remains `commitment_type: subscription` — distinct but often
co-created at checkout.
### Commercial Record role
**Commercial Record** (Stripe Customer) **references** payment instrument refs
and **hosts** links to Payment Mandate commitments. Do not embed CHD attributes
in Commercial Record canon fields — only provider references and lifecycle flags
(`delinquent`, default payment method ref).
### Layer diagram
```text
Login Account → Credential (passkey, password)
Commercial Record → Payment Instrument Reference (pm_xxx)
Commercial Commitment → Payment Mandate + Subscription
PCI Vault / Stripe → CHD (downstream only, not canon)
Evidence Source → webhooks, mandate PDF, SCA audit
```
## Terminology Conflicts
- **Payment method (Stripe)** vs. **Credential (canon)**: both grant "permission"
but different permission domains.
- **Payment credential (informal)** vs. **Credential (glossary)**: avoid informal
phrase in canonical definitions; use Payment Instrument Reference + Payment Mandate.
- **Saved card** vs. **payment mandate**: saved token may exist before explicit
off-session mandate — lifecycle `proposed` until SetupIntent completes.
- **customer_account (Stripe)** vs. **Account (login)**: reinforces commercial split.
## Candidate Canonical Mappings
| Source artifact | Canonical mapping |
| --- | --- |
| PAN / CVV | Out of canon (PCI downstream) |
| PaymentMethod `pm_xxx` | Payment Instrument Reference |
| SetupIntent succeeded | Payment Mandate Commercial Commitment + Evidence |
| Subscription object | Commercial Commitment (subscription) |
| Default payment method | Reference on Commercial Record |
| Payment webhook | Evidence Source |
| 3DS / SCA step-up | Evidence Source on mandate (not Credential) |
| Passkey for login | Credential (unchanged) |
## Open Questions
*(none — settled in `commercial-identity-nuance-settlement.md`)*
## Settled
- Network tokens → Payment Instrument Reference `instrument_type: network_token`.
- Shared methods → multi Commercial Record link within payment org Scope.
- Wallet balance → Commercial Record `provider_ledger_balance` attribute.
## References
- PCI SSC, Tokenization Guidelines — https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf
- Stripe Payment Methods — https://docs.stripe.com/payments/payment-methods
- Stripe Customer object — https://docs.stripe.com/api/customers/object
- Stripe SetupIntent — https://docs.stripe.com/api/setup_intents
- Internal: `../commercial-subscription/stripe-customer-billing.md`,
`reputation-assurance-gradient.md`, `commercial-identity-synthesis.md`