8-1 PAYMENT CARD SECURITY: OAuth 2.0 Protocol Flow

ECOSYSTEM OF PAYMENT DEVICES, APPLICATIONS, INFRASTRUCTURE AND USERS

1. In order to receive “ShopBack” at an offline partner store, the credit card or debit card used must be registered in the DonaBlock mobile APP. Many people are unaware that similar card-linking apps can see their consumption habits and personal information. DonaBlock does not collect or sell consumer personal information, and the information collected during card use is protected securely. We use only the information necessary to convert the “ShopBack” received from the seller into DonaBlock Tokens when consumers shop at partner stores. For reliable security, credit card linking uses an OAuth connection, on top of which the encrypted “ShopBack” service is built.

2. The DonaBlock card-linking system is built to comply with the PCI DSS standard and maintains strict access control to prevent incidents. We collect and process only the data necessary to calculate and authenticate the partner store, the transaction category, and the related account type for “ShopBack” provision. We identify but do not store consumer creditworthiness. We comply with the PCI DSS standard and handle sensitive information with the highest level of security.

3. (A) (APP → User) The app requests permission to access the user’s data. Conceptually the request goes from the app to the user, but in practice a third-party authority usually mediates between the app and the user to obtain the necessary permission.

(B) (User → APP) An authorization grant that proves the user’s consent to the access is issued to the app. RFC 6749 defines four types of authorization grant; which one is used depends on the type of app and on what the granting authority supports.

(C) (APP → Authority Granting Agency) The app submits the authorization grant to request an access token. The access token is the key that unlocks the locked safe of user data.

(D) (Authority Granting Agency → APP) The granting agency verifies the authorization grant and issues an access token that records the data items, scope, and period the user has agreed to. In other words, it provides the key that the app uses to access the user’s data when needed.

(E) (APP → Data Providing Agency) The app submits the access token to request user data.

(F) (Data Providing Agency → APP) The data providing agency provides the user data. It first verifies that the access token submitted by the app is valid, then reads the information carried in the token to determine which data items, scope, and validity period apply to the data it releases.
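The six steps above, walked through end to end as an added example (this is illustration code written for this page, not DonaBlock’s implementation, and it uses the page’s own role names for the parties). The authorization grant is a one-time authorization code, the access token is a compact HMAC-signed claim set carrying the subject, the consented scope and an expiry, and the data providing agency refuses the request when the signature, the expiry or the scope does not check out. The client id, user id, redirect URI and the sample records are constructed values, and the two agencies share a signing key only for the sake of the toy setup.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Illustration of the RFC 6749 abstract flow (A)-(F) with the page's role names.
# All identifiers, records and keys below are constructed for this example.


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthorityGrantingAgency:
    """Authorization server: issues grants (B) and exchanges them for access tokens (D)."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._pending = {}  # code -> grant record, consumed on first use

    def authorize(self, client_id, user_id, scopes, redirect_uri, now=None):
        # (A)/(B): the user consents; the agency hands the app a short-lived, one-time code
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(24)
        self._pending[code] = {"client_id": client_id, "user_id": user_id,
                               "scopes": sorted(scopes), "redirect_uri": redirect_uri,
                               "issued": now}
        return code

    def token(self, code, client_id, redirect_uri, now=None, lifetime=900):
        # (C)/(D): verify the grant, then mint a signed token carrying items/scope/period
        now = time.time() if now is None else now
        rec = self._pending.pop(code, None)  # single use: a replayed code finds nothing
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        if now - rec["issued"] > 60:  # codes older than a minute are rejected
            return None
        payload = {"sub": rec["user_id"], "client_id": client_id,
                   "scope": rec["scopes"], "exp": int(now + lifetime)}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class DataProvidingAgency:
    """Resource server: verifies the token (F) before releasing any user data."""

    def __init__(self, signing_key: bytes, records: dict):
        self._key = signing_key
        self._records = records  # user_id -> {item: value}

    def fetch(self, token, item, now=None):
        # (E)/(F): signature first, then expiry, then scope; only then read the data
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return {"error": "malformed_token"}
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return {"error": "invalid_signature"}
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now:
            return {"error": "token_expired"}
        if item not in claims["scope"]:
            return {"error": "insufficient_scope"}
        return {"item": item, "value": self._records.get(claims["sub"], {}).get(item)}


def run_flow(now=None):
    """Walk steps (A)-(F) once and return the outcome of each check."""
    now = time.time() if now is None else now
    key = secrets.token_bytes(32)  # constructed: shared by both agencies in this toy setup
    aga = AuthorityGrantingAgency(key)
    dpa = DataProvidingAgency(key, {"user-42": {"transactions": ["cafe 4.50", "grocery 31.20"],
                                                "card_number": "PLACEHOLDER-NOT-A-PAN"}})
    # (A)/(B): the user consents to "transactions" only, not to the card number
    code = aga.authorize("shopback-app", "user-42", ["transactions"], "app://cb", now=now)
    # (C)/(D): the app exchanges the grant for an access token
    token = aga.token(code, "shopback-app", "app://cb", now=now)
    flipped = token[:-1] + ("0" if token[-1] != "0" else "1")  # damage the signature
    return {
        "granted": dpa.fetch(token, "transactions", now=now),        # consented item
        "out_of_scope": dpa.fetch(token, "card_number", now=now),     # never consented
        "expired": dpa.fetch(token, "transactions", now=now + 901),   # past the period
        "replayed_code": aga.token(code, "shopback-app", "app://cb", now=now),
        "tampered": dpa.fetch(flipped, "transactions", now=now),
    }


if __name__ == "__main__":
    for step, outcome in run_flow().items():
        print(f"{step:14} {outcome}")
```

The order of checks in `fetch` matters: the signature is verified before any claim is trusted, so an attacker who edits the scope or expiry in the token body gets `invalid_signature` rather than a decision based on forged claims. A production deployment would use a standard token format and a verification library instead of this hand-rolled HMAC scheme, but the three decisions the data providing agency has to make (is the token genuine, is it still within its period, does its scope cover the requested item) are the same.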
