The Basic SEPAmail Payment specification describes the data formats used by the PaymentRequest API [[!PAYMENTREQUESTAPI]] to support payment by SEPAmail Applications such as RUBIS, GEMME or JADE.

Introduction

This specification is a Payment Method specification for use with the PaymentRequest API [[!PAYMENTREQUESTAPI]]. With it, merchants can collect the SEPAmail details (client’s identifier.) through the PaymentRequest API that they have traditionally collected through Web forms, but with an improved user experience.

Dependencies

This specification relies on several other underlying specifications.

Payment Request API
The term PaymentRequest constructor is defined by the PaymentRequest API specification [[!PAYMENTREQUESTAPI]].
Payment Method Identifiers
The term Payment Method Identifier is defined by the Payment Method Identifiers specification [[!METHODIDENTIFIERS]].
Web IDL
The IDL in this specification is defined by Web IDL [[!WEBIDL]].

Payment Method Identifier

The payment method identifier string for the Basic SEPAmail Payment Payment method is sepamail.

Payment Method Specific Data for the PaymentRequest constructor

This section describes payment method specific data that is supplied as part of the data argument to the PaymentRequest constructor.

BasicSepamailRequest

	  enum BasicSepamailType {
  	    "rubis",
	    "gemme",
	    "jade"
	  };

	  dictionary BasicSepamailRequest {
	    required sequence<DOMString> supportedNetworks;
	    required sequence<BasicSepamailType> supportedTypes;
	  };

The BasicSepamailRequest dictionary contains the following fields:

supportedNetworks
The supportedNetworks field contains a sequence of identifiers for card networks that the merchant accepts. Note: Only one network “sepamail.eu” is currently operational. However new ones are under construction.
supportedTypes
The supportedTypes field contains a sequence of SEPAmail types that the merchant accepts. Implementations will determine how to match the type values rubis, gemme, and jade.

If only supportedNetworks is provided then any supported type may be returned. If only supportedTypes is provided then any SEPAmail identifier may be returned from any network provided it matches one of the types. If supportedNetworks and supportedTypes fields are empty, the browser should wake up the payment App and any SEPAmail idetifier may be returned.

Payment Method Response

The BasicSepamailResponse dictionary contains the response from the PaymentRequest API when a user accepts payment with this payment method.

BasicSepamailResponse

	  dictionary BasicSepamailResponse {
  	     required DOMString id;
	     required DOMString selectedNetwork;
	     DOMString selectedType;
	  };

The BasicSepamailResponse dictionary contains the following fields:

id
The sepamailIdentifier field contains the QXBAN given to the user when joining a SEPAmail Network.
selectedNetwork
The selectedNetwork field contains the name of the network chosen by the client.
selectedType
The selectedType field contains the type proposed by the merchant. If empty, this field contains the type attached to the SEPAmail ideitfier (QXBAN)

Security and Privacy Considerations

The sepamailIdentifier (QXBAN) is not a sensitive information. It cannot be used to transfer funds without additional consent from the user. Thus, SEPAmail payments has no security or privacy issues on the web. However, owners of web sites SHOULD AVOID storing the payer's sepamailIdentifier along with other payment identifier like card number, IBAN which are sensitive.

Note: There is no regulation under the SEPAmail specifications related to security on the Web, but discussion of those considerations lies outside the scope of this document.

Acknowledgments

Manfred Olm (Decibi), Matthieu Dambrin (Skilea), Jacques Vanhautère (Sepamail.eu), Jacques Baillon (Crédit Agricole), Olivier Jousselin (Solago), Gregory Estrade (Lyra-Network).