An Update on In-Stream Payments on Twitter (ribbon.co)
43 points by coloneltcb on April 10, 2013 | hide | past | favorite | 7 comments



The card pictured on that page[1] looks nothing like the payment cards they introduced; it is just a movie clip. If they want to claim that their implementation is valid, they should show the validation for a payment card.

http://rbn_prod.s3.amazonaws.com/blog_images/2013/04/Screen-...


That's because these guys submitted using a "Player card" which is meant for embedded video streams, then swapped out the content for their widget after getting approved. A total bait-and-switch.

Player cards are meant for online video players, not any sort of interactive virtual content. Twitter wants to keep experiences consistent across platforms -- for mobile, Player card users are supposed to provide direct links to media streams. The docs are fairly clear on this. This whole thing just stinks of media stunt.


It's called PCI. Taking payment information in the context of the twitter.com same origin would pull Twitter into PCI compliance scope for Ribbon and possibly impact Twitter's own PCI compliance state. For this to happen there would need to be contracts in place.


It's an IFrame, so no credit card info is ever actually on Twitter.com. In fact, the entire Ribbon card interface is served on a different host. Because of that, Twitter doesn't actually have to be PCI compliant; they never see credit card or payment information.


Wrong! Check the Feb PCI clarification update. iFrames don't take anything out of scope because at the end of the day the SSL session shown by the browser is that of the originating site.

https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommer...


In this case Twitter is the only company that can secure the page containing the iFrame code:

Merchant is responsible for:

  - Managing website and servers (if self-hosted), including applicable PCI DSS requirements
  - If website/server hosting is outsourced, applicable PCI DSS requirements for management of third parties (e.g., Requirement 12.8)
  - Having written agreements with any third parties and ensuring that they protect cardholder data on behalf of the merchant, in accordance with PCI DSS
  - Securing the web page(s) containing the iFrame code.
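
An added example (not code from the thread, Ribbon, or Twitter) of the page-level control that the quoted guidance puts on the merchant: audit the iframes a checkout page serves so that every payment frame points at an allow-listed payment host over HTTPS, and emit the CSP frame-src directive that pins that host. Host names and the sample page are constructed.

```javascript
// Added example, not from the thread. The embedding page is what PCI DSS
// holds the merchant responsible for ("securing the web page(s) containing
// the iFrame code"), so the check lives on the merchant side, not in the
// frame. All host names below are constructed placeholders.

// Pull iframe src values out of an HTML string. A simple regex is enough
// for auditing static templates; it is not a full HTML parser.
function iframeSources(html) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']*)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve each src against the page URL (so //host and /relative forms are
// handled) and report frames that are not HTTPS or whose origin is not on
// the allow-list of payment hosts.
function auditPaymentFrames(html, pageUrl, allowedOrigins) {
  const problems = [];
  for (const src of iframeSources(html)) {
    const url = new URL(src, pageUrl);
    if (url.protocol !== 'https:') {
      problems.push(`${src}: not served over HTTPS`);
    } else if (!allowedOrigins.includes(url.origin)) {
      problems.push(`${src}: origin ${url.origin} not allow-listed`);
    }
  }
  return problems;
}

// The CSP directive that makes the browser refuse any other frame origin.
function frameSrcDirective(allowedOrigins) {
  return `frame-src ${allowedOrigins.join(' ')};`;
}

// Constructed sample page: one correct frame, one plain-HTTP frame, one
// protocol-relative frame on an unapproved host, and one relative frame that
// would be served from the merchant's own origin (card entry back on the page).
const SAMPLE_HTML = `
<iframe src="https://pay.example-psp.test/card-form?order=1"></iframe>
<iframe src="http://pay.example-psp.test/card-form?order=1"></iframe>
<iframe src="//cdn.example-widget.test/embed.html"></iframe>
<iframe src='/checkout/card-form'></iframe>`;
const ALLOWED = ['https://pay.example-psp.test'];

console.log(auditPaymentFrames(SAMPLE_HTML, 'https://merchant.test/checkout', ALLOWED));
console.log(frameSrcDirective(ALLOWED));
```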




