

An Update on In-Stream Payments on Twitter - coloneltcb
http://blog.ribbon.co/an-update-on-in-stream-payments-on-twitter/

======
signed0
The card pictured on that page[1] looks nothing like the payment cards they
introduced, it is just a movie clip. If they want to claim that their
implementation is valid they should show the validation for a payment card.

[http://rbn_prod.s3.amazonaws.com/blog_images/2013/04/Screen-...](http://rbn_prod.s3.amazonaws.com/blog_images/2013/04/Screen-Shot-2013-04-10-at-1-1.48.29-AM-1024x905.png)

~~~
jeffgreco
That's because these guys submitted using a "Player card" which is meant for
embedded video streams, then swapped out the content for their widget after
getting approved. A total bait-and-switch.

Player cards are meant for online video players, not any sort of interactive
virtual content. Twitter wants to keep experiences consistent across platforms
-- for mobile, Player card users are supposed to provide direct links to media
streams. The docs are fairly clear on this. This whole thing just stinks of
media stunt.

------
ElginEudor
It's called PCI. Taking payment information in the context of the twitter.com
same origin would pull Twitter into PCI compliance scope for Ribbon & possibly
impact Twitter's own PCI compliance state. For this to happen there would need
to be contracts in place.

~~~
andrewmunsell
It's an IFrame, so no credit card info is ever actually on Twitter.com. In
fact, the entire Ribbon card interface is served on a different host. Because
of that, Twitter doesn't actually have to be PCI compliant -- they never see
credit card or payment information.

~~~
samsama
Wrong! Check the Feb PCI clarification update. iFrames don't take anything out
of scope because at the end of the day the SSL session shown by the browser is
that of the originating site.

[https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommer...](https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf)

~~~
samsama
In this case Twitter is the only company that can secure the page containing
the iFrame code:

Merchant is responsible for:

- Managing website and servers (if self-hosted), including applicable PCI DSS requirements
- If website/server hosting is outsourced, applicable PCI DSS requirements for management of third parties (e.g., Requirement 12.8)
- Having written agreements with any third parties and ensuring that they protect cardholder data on behalf of the merchant, in accordance with PCI DSS
- Securing the web page(s) containing the iFrame code.

------
quellhorst
Already killed by twitter: [http://techcrunch.com/2013/04/10/well-that-was-fast-twitter-...](http://techcrunch.com/2013/04/10/well-that-was-fast-twitter-shut-down-ribbons-newly-launched-in-stream-payments-feature-built-using-twitter-card-technology/)

