Network Working Group D. Eastlake 3rd Request for Comments: 4112 Motorola Laboratories Updates: 3106 June 2005 Category: Standards Track
Electronic Commerce Modeling Language (ECML) Version 2 Specification
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
Electronic commerce frequently requires a substantial exchange of information in order to complete a purchase or other transaction, especially the first time the parties communicate. A standard set of hierarchically-organized payment-related information field names in an XML syntax is defined so that this task can be more easily automated. This is the second version of an Electronic Commerce Modeling Language (ECML) and is intended to meet the requirements of RFC 3505.
Eastlake 3rd Standards Track [Page 1]
RFC 4112 ECML v2 Specification June 2005
Table of Contents
1. Introduction ....................................................2 2. Field Definitions, DTD, and Schema ..............................3 2.1. Field List and Descriptions ................................3 2.1.1. The Field List ......................................4 2.1.2. Field Footnotes .....................................7 2.2. Exemplar XML Syntax .......................................12 2.2.1. ECML v2 XML DTD ....................................13 2.2.2. ECML v2 XML Schema .................................18 3. Usage Notes for ECML v2 ........................................26 3.1. Presentation of the Fields ................................26 3.2. Methods and Flow of Setting the Fields ....................27 4. Security and Privacy Considerations ............................28 5. IANA Considerations ............................................29 5.1. ECML v2 Schema Template ...................................29 5.2. ECML v2 URN Template ......................................29 5.2.1. Sub-registration of v2.0 ...........................30 5.3. IANA Registries ...........................................30 6. Acknowledgements ...............................................30 A. Appendix: Changes from v1.1 to v2 ..............................31 Normative References ..............................................31 Informative References ............................................32
Numerous parties are conducting business on the Internet using ad hoc fields and forms. The data formats and structure can vary considerably from one party to another. Where forms are filled out manually, some users find the diversity confusing, and the process of manually filling in these forms can be tedious and error prone.
Software tools, including electronic wallets, can help this situation. Such tools can assist in conducting online transactions by storing billing, shipping, payment, preference, and similar information and using this information to complete the data sets required by interactions automatically. For example, software that fills out forms has been successfully built into browsers, as proxy servers, as helper applications to browsers, as stand-alone applications, as browser plug-ins, and as server-based applications. But the proliferation of more automated transaction software has been hampered by the lack of standards.
ECML (Electronic Commerce Modeling Language) provides a set of hierarchical payment-oriented data structures that will enable automated software, including electronic wallets from multiple vendors, to supply and query for needed data in a more uniform manner.
Eastlake 3rd Standards Track [Page 2]
RFC 4112 ECML v2 Specification June 2005
Version 2.0 extends ECML Versions 1.0 [RFC2706] and 1.1 [RFC3106] as described in the appendix to this document. These enhancements include support for additional payment mechanisms and transaction information and use of XML as the exemplar syntax.
ECML is designed to provide a simple baseline useful in a variety of contexts. Likely uses for ECML v2 are consumer payment information input and business-to-business transactions. At this time, the first is still likely to occur through HTML forms. The second is more likely to use XML documents.
The ECML fields were initially derived from the W3C P3P base data schema [P3P.BASE] by the ECML Alliance as described in [RFC2706, RFC3106]. Technical development and change control of ECML was then transferred to the IETF. In version 2, ECML is extended by the fields in a W3C P3P Note related to eCommerce [P3P.ECOM], by [ISO8583], and other sources. Its primary exemplar form is now an XML syntax.
ECML v2 is the definition and naming of a hierarchically structured set of fields and the provision of an optional XML syntax for their transmission. These fields can be encoded in other syntaxes. Regardless of the encoding used, the fields can be transmitted via a variety of protocols.
Section 2.1 below lists and describes the fields, Section 2.2.1 provides an XML DTD for use with the fields, and Section 2.2.2 provides an XML schema.
To conform to this document, field names must be named and hierarchically structured as closely to the structure and naming listed below as is practical given the syntax and transaction protocol in use. (NOTE: This does not impose any restriction on human visible labeling of fields, just on their name or names and structure as used in on-the-wire communication.)
The fields are listed below, along with the minimum data entry size allowed. Implementations may accept larger data sizes, if doing so makes sense, and, for some applications, they will need to allow for larger data sizes.
Eastlake 3rd Standards Track [Page 3]
RFC 4112 ECML v2 Specification June 2005
Note that these fields are hierarchically organized as indicated in this table by the embedded underscore ("_") characters. Appropriate data transmission mechanisms may use this to request and send aggregates, such as Ecom_Payment_Card_ExpDate (to encompass all of a set of card expiry date components) or Ecom_ShipTo (to encompass all the ship-to address components that a consumer is willing to provide). The labeling, marshalling, and unmarshalling of the components of such aggregates depend on the data transfer protocol used. The suggested syntax is XML as specified in Section 2.2.
The NAME column gives the structured string name of each field as explained above. The MIN column below is the minimum data size that MUST be allowed for on data entry. It is NOT the minimum size for valid contents of the field, and merchant software should, in many cases, be prepared to receive a longer or shorter value. Merchants dealing with areas where, for example, the state/province name or phone number is longer than the MIN given below obviously must permit longer data entry. In some cases, however, there is a maximum size that makes sense, and where this is the case, it is usually documented in a Note for the field.
The following fields are typically used to communicate from the customer to the merchant:
FIELD NAME MIN Notes
ship to title Ecom_ShipTo_Postal_Name_Prefix 4 ( 1) ship to first name Ecom_ShipTo_Postal_Name_First 15 (54) ship to middle name Ecom_ShipTo_Postal_Name_Middle 15 ( 2) ship to last name Ecom_ShipTo_Postal_Name_Last 15 (54) ship to name suffix Ecom_ShipTo_Postal_Name_Suffix 4 ( 3) ship to company name Ecom_ShipTo_Postal_Company 20 ship to street line1 Ecom_ShipTo_Postal_Street_Line1 20 ( 4) ship to street line2 Ecom_ShipTo_Postal_Street_Line2 20 ( 4) ship to street line3 Ecom_ShipTo_Postal_Street_Line3 20 ( 4) ship to city Ecom_ShipTo_Postal_City 22 ship to state/province Ecom_ShipTo_Postal_StateProv 2 ( 5) ship to zip/postal code Ecom_ShipTo_Postal_PostalCode 14 ( 6) ship to country Ecom_ShipTo_Postal_CountryCode 2 ( 7) ship to phone Ecom_ShipTo_Telecom_Phone_Number 10 ( 8) ship to email Ecom_ShipTo_Online_Email 40 ( 9)
Eastlake 3rd Standards Track [Page 4]
RFC 4112 ECML v2 Specification June 2005
bill to title Ecom_BillTo_Postal_Name_Prefix 4 ( 1) bill to first name Ecom_BillTo_Postal_Name_First 15 (54) bill to middle name Ecom_BillTo_Postal_Name_Middle 15 ( 2) bill to last name Ecom_BillTo_Postal_Name_Last 15 (54) bill to name suffix Ecom_BillTo_Postal_Name_Suffix 4 ( 3) bill to company name Ecom_BillTo_Postal_Company 20 bill to street line1 Ecom_BillTo_Postal_Street_Line1 20 ( 4) bill to street line2 Ecom_BillTo_Postal_Street_Line2 20 ( 4) bill to street line3 Ecom_BillTo_Postal_Street_Line3 20 ( 4) bill to city Ecom_BillTo_Postal_City 22 bill to state/province Ecom_BillTo_Postal_StateProv 2 ( 5) bill to zip/postal code Ecom_BillTo_Postal_PostalCode 14 ( 6) bill to country Ecom_BillTo_Postal_CountryCode 2 ( 7) bill to phone Ecom_BillTo_Telecom_Phone_Number 10 ( 8) bill to email Ecom_BillTo_Online_Email 40 ( 9)
receipt to (32) receipt to title Ecom_ReceiptTo_Postal_Name_Prefix 4 ( 1) receipt to first name Ecom_ReceiptTo_Postal_Name_First 15 (54) receipt to middle name Ecom_ReceiptTo_Postal_Name_Middle 15 ( 2) receipt to last name Ecom_ReceiptTo_Postal_Name_Last 15 (54) receipt to name suffix Ecom_ReceiptTo_Postal_Name_Suffix 4 ( 3) receipt to company name Ecom_ReceiptTo_Postal_Company 20 receipt to street line1 Ecom_ReceiptTo_Postal_Street_Line1 20 ( 4)
receipt to street line2 Ecom_ReceiptTo_Postal_Street_Line2 20 ( 4) receipt to street line3 Ecom_ReceiptTo_Postal_Street_Line3 20 ( 4) receipt to city Ecom_ReceiptTo_Postal_City 22 receipt to state/province Ecom_ReceiptTo_Postal_StateProv 2 ( 5) receipt to postal code Ecom_ReceiptTo_Postal_PostalCode 14 ( 6) receipt to country Ecom_ReceiptTo_Postal_CountryCode 2 ( 7) receipt to phone Ecom_ReceiptTo_Telecom_Phone_Number 10 ( 8) receipt to email Ecom_ReceiptTo_Online_Email 40 ( 9)
name on card Ecom_Payment_Card_Name 30 (10)
card type Ecom_Payment_Card_Type 4 (11) card number Ecom_Payment_Card_Number 19 (12) card verification value Ecom_Payment_Card_Verification 4 (13) card issuer number Ecom_Payment_Card_IssueNumber 2 (53)
card expire date day Ecom_Payment_Card_ExpDate_Day 2 (14) card expire date month Ecom_Payment_Card_ExpDate_Month 2 (15) card expire date year Ecom_Payment_Card_ExpDate_Year 4 (16) card valid date day Ecom_Payment_Card_ValidFrom_Day 2 (14) card valid date month Ecom_Payment_Card_ValidFrom_Month 2 (15) card valid date year Ecom_Payment_Card_ValidFrom_Year 4 (16)
Eastlake 3rd Standards Track [Page 5]
RFC 4112 ECML v2 Specification June 2005
card protocols Ecom_Payment_Card_Protocol 20 (17)
loyalty card name Ecom_Loyalty_Card_Name 30 (10) loyalty card type Ecom_Loyalty_Card_Type 20 (52) loyalty card number Ecom_Loyalty_Card_Number 40 (34) loyalty card verification Ecom_Loyalty_Card_Verification 4 (13) loyalty card expire day Ecom_Loyalty_Card_ExpDate_Day 2 (14) loyalty card expire month Ecom_Loyalty_Card_ExpDate_Month 2 (15) loyalty card expire year Ecom_Loyalty_Card_ExpDate_Year 2 (16) loyalty card valid day Ecom_Loyalty_Card_ValidFrom_Day 2 (14) loyalty card valid month Ecom_Loyalty_Card_ValidFrom_Month 2 (15) loyalty card valid year Ecom_Loyalty_Card_ValidFrom_Year 4 (16)
consumer order ID Ecom_ConsumerOrderID 20 (18)
user ID Ecom_User_ID 40 (19) user password Ecom_User_Password 20 (19) user certificate Ecom_User_Certificate_URL 128 (55) user data country Ecom_UserData_Country 2 ( 7) user data language Ecom_UserData_Language 30 (33) user data gender Ecom_UserData_Gender 1 (36) user data birth day Ecom_UserData_BirthDate_Day 2 (14) user data birth month Ecom_UserData_BirthDate_Month 2 (15) user data birth year Ecom_UserData_BirthDate_Year 4 (16) user data preferences Ecom_UserData_Preferences 60 (34)
schema version Ecom_SchemaVersion 30 (20)
wallet id Ecom_WalletID 40 (21) wallet URL Ecom_Wallet_Location 128 (35)
customer device ID Ecom_Device_ID 20 (37) customer device type Ecom_Device_Type 20 (38)
end transaction flag Ecom_TransactionComplete - (22)
The following fields are typically used to communicate from the merchant to the consumer:
transaction type Ecom_Transaction_Type 24 (30) transaction signature Ecom_Transaction_Signature 160 (31)
end transaction flag Ecom_TransactionComplete - (22)
The following fields are used to communicate between the merchant and a processor acting for the merchant (such a processor is commonly called an acquirer and is frequently a bank):
(1) For example: Mr., Mrs., Ms., Dr. This field is commonly omitted.
(2) May also be used for middle initial.
(3) For example: Ph.D., Jr. (Junior), 3rd, Esq. (Esquire). This field is commonly omitted.
(4) Address lines must be filled in the order line1, then line2, and last line3. Thus, for example, it is an error for line1 to be null if line2 or line3 is not.
Eastlake 3rd Standards Track [Page 7]
RFC 4112 ECML v2 Specification June 2005
(5) 2 characters are the minimum for the US and Canada; other countries may require longer fields. For the US, use 2- character US postal state abbreviation.
(6) Minimum field lengths for Postal Code will vary according to the international market served. Use 5-character postal code or 5+4 ZIP for the US and 6-character postal code for Canada. The size given, 14, is believed to be the maximum required anywhere in the world.
(7) Use [ISO3166] standard two letter country codes.
(8) 10 digits are the minimum for numbers within the North American Numbering Plan (<http://www.nanpa.com>: It includes the US, Canada and a number of Caribbean and smaller Pacific nations, but not Cuba). Other countries may require longer fields. Telephone numbers are complicated by differing international access codes, variant punctuation of area/city codes within countries, etc. Although it is desirable for telephone numbers to be in standard international format [E.164], it may be necessary to use heuristics or human examination based on the telephone number and addresses given to figure out how to call a customer, since people may enter local formatted numbers without area/access codes. It is recommend that an "x" be placed before extension numbers and that the "x" and extension number appear after all other parts of the number.
(9) For example: jsmith@example.com
(10) The name of the cardholder as it appears on the card.
(11) Case insensitive. Use up to the first 4 letters of the association name (see also Note 102):
AMER American Express BANK Bankcard (Australia) DC DC (Japan) DINE Diners Club DISC Discover JCB JCB MAST Mastercard NIKO Nikos (Japan) SAIS Saison (Japan) UC UC (Japan) UCAR UCard (Taiwan) VISA Visa
Eastlake 3rd Standards Track [Page 8]
RFC 4112 ECML v2 Specification June 2005
(12) Includes the check digit at the end but no spaces or hyphens [ISO7812]. The min given, 19, is the longest number permitted under the ISO standard.
(13) An additional cardholder verification number printed on the card (but not embossed or recorded on the magnetic stripe) such as the American Express CIV, MasterCard CVC2, and Visa CVV2 values.
(14) The day of the month. Values: 1-31. A leading zero is ignored, so, for example, 07 is valid for the seventh day of the month.
(15) The month of the year. Jan - 1, Feb - 2, March - 3, etc.; Values: 1-12. A leading zero is ignored, so, for example, 07 is valid for July.
(16) The value in the wallet cell is always four digits; e.g., 1999, 2000, 2001.
(17) A space separated list of protocols available in connection with the specified card. The following is the initial list of case- insensitive tokens:
none set setcert iotp echeck simcard phoneid
"Set" indicates that the card is usable with SET protocol (i.e., it is in a SET wallet) but that it does not have a SET certificate [SET]. "Setcert" indicates that the card is usable with SET and has a set certificate [SET]. "iotp" indicates that the IOTP protocol [RFC2801] is supported at the customer. "echeck" indicates that the eCheck protocol [eCheck] is supported at the customer. "simcard" indicates an ability to use the transaction instrument built into a Cellphone subscriber for identification. "phoneid" indicates use for the transaction of a billable phone number. "None" indicates that automatic field fill is operating but that there is no further information.
(18) A unique order ID string generated by the consumer software.
(19) The user ID and password fields can be used if the user has a pre-established account with the merchant to which access is authenticated by such values. For that use, one would expect an
Eastlake 3rd Standards Track [Page 9]
RFC 4112 ECML v2 Specification June 2005
application to require exactly one user ID, and one password field be present.
(20) URI [RFC3986] indicating version of this set of fields. Equal to "urn:ietf:params:ecml:v2.0" for this version. See Section 5. (See also Note 101.)
(21) A string to identify the source and version of form fill software that is acting on behalf of a user. Should contain company and/or product name and version; for example, "Wallets Inc., SuperFill, v42.7". (See also Note 101.)
(22) A flag to indicate that this web-page/aggregate is the final one for this transaction. (See also Note 101.)
(23) The merchant domain name [RFC1034], such as www.merchant.example. (See also Note 101.)
(24) The domain name [RFC1034] of the gateway transaction processor that is actually accepting the payment on behalf of the merchant, such as www.processor.example. (See also Note 101.)
(25) A Transaction identification string whose format is specific to the processor.
(26) A URL [RFC3986] that can be invoked to inquire about the transaction. (See also Note 100.)
(27) The amount of the transaction in ISO currency format [ISO4217]. This is two integer numbers with a period in between but with no other currency mark (such as a "$" dollar sign).
(28) This is the three-letter ISO currency code [ISO4217]. For example, US dollars is USD.
(29) ISO Transaction date.
(30) The type of the transaction, if known. Currently a value from the following list:
debit credit
(31) A digital signature, base64 encoded [RFC2045]. (See also Note 101.)
Eastlake 3rd Standards Track [Page 10]
RFC 4112 ECML v2 Specification June 2005
(32) The ReceiptTo fields are used when the BillTo entity, location, or address and the ReceiptTo entity, location, or address are different. For example, when using some forms of Corporate Purchasing Cards or Agent Purchasing Cards, the individual card holder would be in the ReceiptTo fields, and the corporate or other owner would be in the BillTo fields.
(33) An IETF Language Tag, as defined in [RFC3066].
(34) User preferences, as specified by the merchant. (See also Note 102.)
(35) The Uniform Resource Locator [RFC3986] for accessing the customer's "wallet" software. (See also Note 100)
(36) A single capital letter: M=male, F=Female, U=Unknown [ISO5218].
(37) An immutable device identification or serial number. (See also Note 102.)
(38) User understandable device brand name. (See also Note 102)
(39) [ISO8583] field "card acceptor terminal identification".
(40) [ISO8583] field "processing code".
(41) [ISO8583] field "acquiring institution identification code".
(42) [ISO8583] field "forwarding institution identification code".
(43) [ISO8583] field "system trace audit field".
(44) [ISO8583] field "date effective".
(45) [ISO8583] field "point of sale date code".
(46) [ISO8583] field "approval code".
(47) [ISO8583] field "action code".
(48) [ISO8583] field "date settlement".
(49) [ISO8583] field "date capture".
(50) [ISO8583] field "trace 1 data".
(51) [ISO8583] field "trace 2 data".
Eastlake 3rd Standards Track [Page 11]
RFC 4112 ECML v2 Specification June 2005
(52) User-recognizable loyalty card brand name. Values for this field are not controlled, and there is no IANA or other registry for them. (See also Note 102.)
(53) The card issuer number required by the UK-based Switch and Solo acquirers.
(54) The field names "first_name" and "last_name" have been retained for compatibility with earlier versions of ECML. However, "last_name" should be understood to refer to family or inherited names(s), whereas "first_name" is the first given or non- inherited name and "middle_name" is the subsequent given or non-inherited name or names, if any.
(55) The Uniform Resource Locator [RFC3986] for accessing the user's X.509v3 certificate encoded as binary DER. (See also Note 100.)
Meta Notes (referenced by other notes)
(100) ECML, a basic field-naming and structuring convention, does not impose any particular requirements on these URLs. It is to be expected that most applications that make use of ECML will impose such limitations and perform checking to be sure that provided URLs conform to such limitations before attempting to invoke them.
(101) This is a field that, when presented in a web page, is usually hidden.
(102) An ASCII [ASCII] character string with no leading or trailing white space.
The following sections provide an XML DTD and an XML Schema that express the ECML fields with ECML v2 naming and ECML v2 hierarchical structure. In case of conflict between this DTD and Schema, the Schema should prevail. Note that the ECML v2 naming and structure may be used in non-XML syntaxes.
The ECML v2 XML syntax is deliberately liberal because it is assumed that specific applications making use of ECML will impose their own additional constraints.
For internationalization of ECML, use the general XML character- encoding provisions [XML] (which mandate support of UTF-8 and UTF-16 and permit support of other character sets) and the xml:lang attribute, which may be used to specify language information.
<!ATTLIST ReceiptTo id ID #IMPLIED Mode (Query|Assert) #IMPLIED >
<!ELEMENT Postal ( #PCDATA | Name | Company | Street | City | StateProv )* > <!ATTLIST Postal id ID #IMPLIED PostalCode NMTOKEN #IMPLIED Mode (Query|Assert) #IMPLIED CountryCode NMTOKEN #IMPLIED >
<!ELEMENT Name EMPTY > <!ATTLIST Name id ID #IMPLIED Mode (Query|Assert) #IMPLIED
Eastlake 3rd Standards Track [Page 13]
RFC 4112 ECML v2 Specification June 2005
Prefix NMTOKEN #IMPLIED First NMTOKEN #IMPLIED Middle NMTOKEN #IMPLIED Last NMTOKEN #IMPLIED Suffix NMTOKEN #IMPLIED >
<!ELEMENT Street EMPTY > <!ATTLIST Street id ID #IMPLIED Mode (Query|Assert) #IMPLIED Line1 CDATA #REQUIRED Line2 CDATA #IMPLIED Line3 CDATA #IMPLIED >
<!ELEMENT Company (#PCDATA) > <!ATTLIST Company Mode (Query|Assert) #IMPLIED >
<!ELEMENT City (#PCDATA) > <!ATTLIST City Mode (Query|Assert) #IMPLIED >
ECML v2 merely names fields and specifies their content and hierarchical organization. It does not constrain the order or completeness of communication of or query for these fields.
Some parties may wish to provide or ask for more information, and some for less by omitting fields. Some may ask for the information they want in one interaction or web page, and others may ask for parts of the information at different times in multiple interactions or different web pages. For example, it is common to ask for "ship to" information earlier so that the shipping cost can be computed before the payment method information. Some parties may require that all the information they request be provided whereas others may make much of the information optional. Other variations are likely.
Every element may be flagged as a query or assertion by including, when XML syntax is in use, the optional Mode attribute with the value "Query" or "Assert" respectively. The Mode attribute effects all descendant elements until overridden by a lower level element with a Mode attribute. Thus it is easy to indicate that all of the elements in an ECML v2 structure are present as queries or assertions.
Eastlake 3rd Standards Track [Page 26]
RFC 4112 ECML v2 Specification June 2005
Query elements may have data content. Such content SHOULD be interpreted as a default value to be returned if no better value is known.
There is no way with Version 2.0 of ECML to indicate what query fields a party considers mandatory to be answered. From this point of view, all fields queried are optional to complete. However, a party may give an error or re-present a request for information if some field it requires is not completed, just as it may if a field is completed in a manner that it considers erroneous.
A variety of methods of communication is possible between the parties by which each can indicate what fields it wants the other to provide. Probably the easiest method for currently deployed mass software is through fields in an [HTML] form. Other possibilities include using an [XML] exchange, the IOTP Authenticate transaction [RFC2801], or proprietary protocols.
So that browser software can tell what version it is dealing with, it is REQUIRED that the Ecom_SchemaVersion field be included in every transaction when ECML is being used on the web. Ecom_SchemaVersion SHOULD appear on every web page that has any Ecom fields. It is usually a hidden field in HTML Forms.
User action or the appearance of the Ecom_SchemaVersion field are examples of triggers that can be used to initiate a facility capable of providing information in response to an ECML-based query or of using information from ECML assertions. Because some web software may require user activation, it is RECOMMENDED that there be at least one user-visible Ecom field on every web page with any Ecom fields present when ECML is used via the web.
Under some circumstances, communications can proceed very slowly, so it may not be clear to an automated processing function when it is finished receiving ECML fields on a web page or the like. For this reason, it is RECOMMENDED that the Ecom_SchemaVersion field be the last Ecom field on a web page.
Transfer or requests for information can extend over several interactions or web pages. Without further provision, a facility could either require re-starting on each page or possibly violate or appear to violate privacy by continuing to provide personal data beyond the end of the transaction with a particular business. For this reason, the Ecom_TransactionComplete field, which is normally hidden when it is part of an HTML Form, is provided. It is RECOMMENDED that it appear on the last interaction or web page
Eastlake 3rd Standards Track [Page 27]
RFC 4112 ECML v2 Specification June 2005
involved in a transaction, just before an Ecom_SchemaVersion field, so that multi-interaction automated logic receives a hint as to when to stop if it chooses to check for this field.
The information called for by many of these fields is sensitive. It should be protected from unauthorized modification and kept confidential if it is stored in a location or transmitted over a channel where it might otherwise be observed. In addition, the authenticity of the information will be a concern in many systems.
Mechanisms for such protection and authentication are not specified herein but might, depending on circumstances, include object security protocols (such as XMLDSIG [RFC3275], XML encryption [XMLENC], or CMS [RFC3852]), or channel security (such as TLS [RFC2246] or IPSec [RFC2411]). Systems in which an ECML field or fields are stored and later forwarded will likely find object security the most appropriate.
When information is being requested from a user, the user's control over the release of such information is needed to protect the user's privacy.
Software that is installed on shared or public terminals should be configurable so that memory of any sensitive or individual identity information is fully disabled. This is vital to protect the privacy of library patrons, students, and customers using public terminals, and of children who might, for example, use a form on a public terminal without realizing that their information is being stored.
When sensitive or individual identification information is stored, the operator or user should have an option to protect the information; for example, with a password without which the information will be unavailable, even to someone who has access to the file(s) in which it is being stored.
Any multi-page/screen or other multi-aggregate field fill-in or data provision mechanism SHOULD check for the Ecom_TransactionComplete field and cease automated fill when it is encountered until fill is further authorized.
It should be remembered that default, hidden, and other values transferred to another party may be maliciously modified before being returned.
Index value: Values subordinate to urn:ietf:params:ecml are registered by RFC publication. As provided in [RFC3553], once such a value is registered, it may never change.
The subordinate value "v2.0" is hereby permanently registered so that the URN
urn:ietf:params:ecml:v2.0
is used to indicate an ECML field or fields that conform to this specification. Although it is not anticipated that deeper values subordinate to this URN will need to be registered, if necessary, they are registered by IESG approval.
There are three fields described in Section 2.1.2 that require the establishment of IANA registries as described below:
Ecom_Payment_Card_Type A registry of case-insensitive alphanumeric ASCII [ASCII] card-type designations from one to four characters in length with no white space. See Section 2.1.2, Note 11, for the initial 12 designations. Designations are added based on expert approval. Applicants for registration will normally be required already to have an ISO Issuer Identification Number (IIN) or set of IINs.
Ecom_Payment_Card_Protocol This field holds a space-separated list of protocols designated by case-insensitive alphanumeric ASCII [ASCII] tokens from this registry or holds the token "none". See Section 2.1.2, note 17, for the initial seven registered tokens (including "none") and further information. Tokens are added to the registry based on expert approval.
Ecom_Transaction_Type A case-insensitive alphabetic ASCII [ASCII] value indicating the type of transaction. See Section 2.1.2, note 30, for the initial two registered values. Values are added based on expert approval.
The following, listed is alphabetic order, have contributed to the material herein: Ray Bellis, Steve Bellovin, Scott Hollenbeck, Russ Housley, Jon Parsons, Lauri Piikivi, David Shepherd, and James J. Peter.
Substantial rewording of text to change the emphasis from HTML Form Fields to XML Syntax.
Addition of the merchant -> processor fields.
Addition of the Ecom_Wallet_Location and Ecom_User_Certificate_URL fields.
Addition of the "Mode" attribute.
Addition of the ECom_Payment_Card_IssueNumber, Loyalty Card fields, Device ID, Valid From, and User Data fields.
Addition of an XML schema.
Some minor fixes related to telephone numbers.
Addition of IANA Considerations section.
Updating of RFC references for obsoleted RFCs.
Normative References
[ASCII] USA Standard Code for Information Interchange, X3.4 American National Standards Institute; New York, 1968.
[E.164] ITU-T Recommendation E.164/I.331 (05/97): The International Public Telecommunication Numbering Plan. 1997.
[ISO3166] "Codes for the representation of names of countries and their subdivisions -- Part 1: Country codes", ISO 3166-1, 1997.
[ISO4217] "Codes for the representation of currencies and funds", ISO 4217, 2001.
[ISO5218] "Information interchange -- Representation of human sexes", ISO 5218, 1977.
[ISO7812] "Identification card - Identification of issuers - Part 1: Numbering system", ISO 7812-1, 2000.
[ISO8583] "Financial transaction card originated messages - Interchange message specifications - Part 1: Messages, elements and code values", ISO 8583-1, 2001.
Eastlake 3rd Standards Track [Page 31]
RFC 4112 ECML v2 Specification June 2005
[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, November 1996.
[RFC3066] Alvestrand, H., "Tags for the Identification of Languages", BCP 47, RFC 3066, January 2001.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005.
[XML] Extensible Markup Language (XML) 1.0 (Third Edition), Yergeau, F., Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E., and F. Yergeau, February 2004, <http://www.w3.org/TR/REC-xml>.
[P3P.BASE] "The Platform for Privacy Preferences 1.0 (P3P1.0) Specification", Cranor, L., Langheinrich, M., Marchiori, M., Presler-Marshall, M., and J. Reagle, December 2000, <http://www.w3.org/TR/WD-P3P/>.
[P3P.ECOM] "Using P3P for E-Commerce", Coco, J., Klien, S., Schutzer, D., Yen, S., and A. Slater, November 1999, <http://www.w3.org/TR/P3P-for-ecommerce>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999.
[RFC2411] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document Roadmap", RFC 2411, November 1998.
[RFC2706] Eastlake 3rd, D. and T. Goldstein, "ECML v1: Field Names for E-Commerce", RFC 2706, October 1999.
[RFC2801] Burdett, D., "Internet Open Trading Protocol - IOTP Version 1.0", RFC 2801, April 2000.
Eastlake 3rd Standards Track [Page 32]
RFC 4112 ECML v2 Specification June 2005
[RFC3106] Eastlake 3rd, D. and T. Goldstein, "ECML v1.1: Field Specifications for E-Commerce", RFC 3106, April 2001.
[RFC3275] Eastlake 3rd, D., Reagle, J., and D. Solo, "(Extensible Markup Language) XML-Signature Syntax and Processing", RFC 3275, March 2002.
[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An IETF URN Sub-namespace for Registered Protocol Parameters", BCP 73, RFC 3553, June 2003.
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004.
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.