Network Working Group D. Eastlake 3rd
Request for Comments: 4112 Motorola Laboratories
Updates: 3106 June 2005
Category: Standards Track
Electronic Commerce Modeling Language (ECML)
Version 2 Specification
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2005).
Electronic commerce frequently requires a substantial exchange of
information in order to complete a purchase or other transaction,
especially the first time the parties communicate. A standard set of
hierarchically-organized payment-related information field names in
an XML syntax is defined so that this task can be more easily
automated. This is the second version of an Electronic Commerce
Modeling Language (ECML) and is intended to meet the requirements of
Table of Contents
1. Introduction ....................................................22. Field Definitions, DTD, and Schema ..............................32.1. Field List and Descriptions ................................32.1.1. The Field List ......................................42.1.2. Field Footnotes .....................................72.2. Exemplar XML Syntax .......................................122.2.1. ECML v2 XML DTD ....................................132.2.2. ECML v2 XML Schema .................................183. Usage Notes for ECML v2 ........................................263.1. Presentation of the Fields ................................263.2. Methods and Flow of Setting the Fields ....................274. Security and Privacy Considerations ............................285. IANA Considerations ............................................295.1. ECML v2 Schema Template ...................................295.2. ECML v2 URN Template ......................................295.2.1. Sub-registration of v2.0 ...........................305.3. IANA Registries ...........................................306. Acknowledgements ...............................................30A. Appendix: Changes from v1.1 to v2 ..............................31
Normative References ..............................................31
Informative References ............................................321. Introduction
Numerous parties are conducting business on the Internet using ad hoc
fields and forms. The data formats and structure can vary
considerably from one party to another. Where forms are filled out
manually, some users find the diversity confusing, and the process of
manually filling in these forms can be tedious and error prone.
Software tools, including electronic wallets, can help this
situation. Such tools can assist in conducting online transactions
by storing billing, shipping, payment, preference, and similar
information and using this information to complete the data sets
required by interactions automatically. For example, software that
fills out forms has been successfully built into browsers, as proxy
servers, as helper applications to browsers, as stand-alone
applications, as browser plug-ins, and as server-based applications.
But the proliferation of more automated transaction software has been
hampered by the lack of standards.
ECML (Electronic Commerce Modeling Language) provides a set of
hierarchical payment-oriented data structures that will enable
automated software, including electronic wallets from multiple
vendors, to supply and query for needed data in a more uniform
Version 2.0 extends ECML Versions 1.0 [RFC2706] and 1.1 [RFC3106] as
described in the appendix to this document. These enhancements
include support for additional payment mechanisms and transaction
information and use of XML as the exemplar syntax.
ECML is designed to provide a simple baseline useful in a variety of
contexts. Likely uses for ECML v2 are consumer payment information
input and business-to-business transactions. At this time, the first
is still likely to occur through HTML forms. The second is more
likely to use XML documents.
1.2. History and Relationship to Other Standards
The ECML fields were initially derived from the W3C P3P base data
schema [P3P.BASE] by the ECML Alliance as described in [RFC2706,
RFC3106]. Technical development and change control of ECML was then
transferred to the IETF. In version 2, ECML is extended by the
fields in a W3C P3P Note related to eCommerce [P3P.ECOM], by
[ISO8583], and other sources. Its primary exemplar form is now an
2. Field Definitions, DTD, and Schema
ECML v2 is the definition and naming of a hierarchically structured
set of fields and the provision of an optional XML syntax for their
transmission. These fields can be encoded in other syntaxes.
Regardless of the encoding used, the fields can be transmitted via a
variety of protocols.
Section 2.1 below lists and describes the fields, Section 2.2.1
provides an XML DTD for use with the fields, and Section 2.2.2
provides an XML schema.
To conform to this document, field names must be named and
hierarchically structured as closely to the structure and naming
listed below as is practical given the syntax and transaction
protocol in use. (NOTE: This does not impose any restriction on
human visible labeling of fields, just on their name or names and
structure as used in on-the-wire communication.)
2.1. Field List and Descriptions
The fields are listed below, along with the minimum data entry size
allowed. Implementations may accept larger data sizes, if doing so
makes sense, and, for some applications, they will need to allow for
larger data sizes.
Note that these fields are hierarchically organized as indicated in
this table by the embedded underscore ("_") characters. Appropriate
data transmission mechanisms may use this to request and send
aggregates, such as Ecom_Payment_Card_ExpDate (to encompass all of a
set of card expiry date components) or Ecom_ShipTo (to encompass all
the ship-to address components that a consumer is willing to
provide). The labeling, marshalling, and unmarshalling of the
components of such aggregates depend on the data transfer protocol
used. The suggested syntax is XML as specified in Section 2.2.
2.1.1. The Field List
The table below is the ECML v2 field list.
The NAME column gives the structured string name of each field as
explained above. The MIN column below is the minimum data size that
MUST be allowed for on data entry. It is NOT the minimum size for
valid contents of the field, and merchant software should, in many
cases, be prepared to receive a longer or shorter value. Merchants
dealing with areas where, for example, the state/province name or
phone number is longer than the MIN given below obviously must permit
longer data entry. In some cases, however, there is a maximum size
that makes sense, and where this is the case, it is usually
documented in a Note for the field.
The following fields are typically used to communicate from the
customer to the merchant:
FIELD NAME MIN Notes
ship to title Ecom_ShipTo_Postal_Name_Prefix 4 ( 1)
ship to first name Ecom_ShipTo_Postal_Name_First 15 (54)
ship to middle name Ecom_ShipTo_Postal_Name_Middle 15 ( 2)
ship to last name Ecom_ShipTo_Postal_Name_Last 15 (54)
ship to name suffix Ecom_ShipTo_Postal_Name_Suffix 4 ( 3)
ship to company name Ecom_ShipTo_Postal_Company 20
ship to street line1 Ecom_ShipTo_Postal_Street_Line1 20 ( 4)
ship to street line2 Ecom_ShipTo_Postal_Street_Line2 20 ( 4)
ship to street line3 Ecom_ShipTo_Postal_Street_Line3 20 ( 4)
ship to city Ecom_ShipTo_Postal_City 22
ship to state/province Ecom_ShipTo_Postal_StateProv 2 ( 5)
ship to zip/postal code Ecom_ShipTo_Postal_PostalCode 14 ( 6)
ship to country Ecom_ShipTo_Postal_CountryCode 2 ( 7)
ship to phone Ecom_ShipTo_Telecom_Phone_Number 10 ( 8)
ship to email Ecom_ShipTo_Online_Email 40 ( 9)
bill to title Ecom_BillTo_Postal_Name_Prefix 4 ( 1)
bill to first name Ecom_BillTo_Postal_Name_First 15 (54)
bill to middle name Ecom_BillTo_Postal_Name_Middle 15 ( 2)
bill to last name Ecom_BillTo_Postal_Name_Last 15 (54)
bill to name suffix Ecom_BillTo_Postal_Name_Suffix 4 ( 3)
bill to company name Ecom_BillTo_Postal_Company 20
bill to street line1 Ecom_BillTo_Postal_Street_Line1 20 ( 4)
bill to street line2 Ecom_BillTo_Postal_Street_Line2 20 ( 4)
bill to street line3 Ecom_BillTo_Postal_Street_Line3 20 ( 4)
bill to city Ecom_BillTo_Postal_City 22
bill to state/province Ecom_BillTo_Postal_StateProv 2 ( 5)
bill to zip/postal code Ecom_BillTo_Postal_PostalCode 14 ( 6)
bill to country Ecom_BillTo_Postal_CountryCode 2 ( 7)
bill to phone Ecom_BillTo_Telecom_Phone_Number 10 ( 8)
bill to email Ecom_BillTo_Online_Email 40 ( 9)
receipt to (32)
receipt to title Ecom_ReceiptTo_Postal_Name_Prefix 4 ( 1)
receipt to first name Ecom_ReceiptTo_Postal_Name_First 15 (54)
receipt to middle name Ecom_ReceiptTo_Postal_Name_Middle 15 ( 2)
receipt to last name Ecom_ReceiptTo_Postal_Name_Last 15 (54)
receipt to name suffix Ecom_ReceiptTo_Postal_Name_Suffix 4 ( 3)
receipt to company name Ecom_ReceiptTo_Postal_Company 20
receipt to street line1 Ecom_ReceiptTo_Postal_Street_Line1 20 ( 4)
receipt to street line2 Ecom_ReceiptTo_Postal_Street_Line2 20 ( 4)
receipt to street line3 Ecom_ReceiptTo_Postal_Street_Line3 20 ( 4)
receipt to city Ecom_ReceiptTo_Postal_City 22
receipt to state/province Ecom_ReceiptTo_Postal_StateProv 2 ( 5)
receipt to postal code Ecom_ReceiptTo_Postal_PostalCode 14 ( 6)
receipt to country Ecom_ReceiptTo_Postal_CountryCode 2 ( 7)
receipt to phone Ecom_ReceiptTo_Telecom_Phone_Number 10 ( 8)
receipt to email Ecom_ReceiptTo_Online_Email 40 ( 9)
name on card Ecom_Payment_Card_Name 30 (10)
card type Ecom_Payment_Card_Type 4 (11)
card number Ecom_Payment_Card_Number 19 (12)
card verification value Ecom_Payment_Card_Verification 4 (13)
card issuer number Ecom_Payment_Card_IssueNumber 2 (53)
card expire date day Ecom_Payment_Card_ExpDate_Day 2 (14)
card expire date month Ecom_Payment_Card_ExpDate_Month 2 (15)
card expire date year Ecom_Payment_Card_ExpDate_Year 4 (16)
card valid date day Ecom_Payment_Card_ValidFrom_Day 2 (14)
card valid date month Ecom_Payment_Card_ValidFrom_Month 2 (15)
card valid date year Ecom_Payment_Card_ValidFrom_Year 4 (16)
card protocols Ecom_Payment_Card_Protocol 20 (17)
loyalty card name Ecom_Loyalty_Card_Name 30 (10)
loyalty card type Ecom_Loyalty_Card_Type 20 (52)
loyalty card number Ecom_Loyalty_Card_Number 40 (34)
loyalty card verification Ecom_Loyalty_Card_Verification 4 (13)
loyalty card expire day Ecom_Loyalty_Card_ExpDate_Day 2 (14)
loyalty card expire month Ecom_Loyalty_Card_ExpDate_Month 2 (15)
loyalty card expire year Ecom_Loyalty_Card_ExpDate_Year 2 (16)
loyalty card valid day Ecom_Loyalty_Card_ValidFrom_Day 2 (14)
loyalty card valid month Ecom_Loyalty_Card_ValidFrom_Month 2 (15)
loyalty card valid year Ecom_Loyalty_Card_ValidFrom_Year 4 (16)
consumer order ID Ecom_ConsumerOrderID 20 (18)
user ID Ecom_User_ID 40 (19)
user password Ecom_User_Password 20 (19)
user certificate Ecom_User_Certificate_URL 128 (55)
user data country Ecom_UserData_Country 2 ( 7)
user data language Ecom_UserData_Language 30 (33)
user data gender Ecom_UserData_Gender 1 (36)
user data birth day Ecom_UserData_BirthDate_Day 2 (14)
user data birth month Ecom_UserData_BirthDate_Month 2 (15)
user data birth year Ecom_UserData_BirthDate_Year 4 (16)
user data preferences Ecom_UserData_Preferences 60 (34)
schema version Ecom_SchemaVersion 30 (20)
wallet id Ecom_WalletID 40 (21)
wallet URL Ecom_Wallet_Location 128 (35)
customer device ID Ecom_Device_ID 20 (37)
customer device type Ecom_Device_Type 20 (38)
end transaction flag Ecom_TransactionComplete - (22)
The following fields are typically used to communicate from the
merchant to the consumer:
FIELD NAME Min Notes
merchant home domain Ecom_Merchant 128 (23)
processor home domain Ecom_Processor 128 (24)
transaction identifier Ecom_Transaction_ID 128 (25)
transaction URL inquiry Ecom_Transaction_Inquiry 500 (26)
transaction amount Ecom_Transaction_Amount 128 (27)
transaction currency Ecom_Transaction_CurrencyCode 3 (28)
transaction date Ecom_Transaction_Date 80 (29)
transaction type Ecom_Transaction_Type 24 (30)
transaction signature Ecom_Transaction_Signature 160 (31)
end transaction flag Ecom_TransactionComplete - (22)
The following fields are used to communicate between the merchant and
a processor acting for the merchant (such a processor is commonly
called an acquirer and is frequently a bank):
FIELD NAME Min Notes
merchant identifier Ecom_Merchant_ID 8
merchant terminal Ecom_Merchant_Terminal_ID 8 (39)
merchant terminal data Ecom_Merchant_Terminal_Data 128
transaction process code Ecom_Transaction_ProcessingCode 6 (40)
transaction reference Ecom_Transaction_Reference_ID 12
transaction acquirer Ecom_Transaction_Acquire_ID 13 (41)
transaction forward Ecom_Transaction_Forward_ID 13 (42)
transaction trace Ecom_Transaction_Trace_Audit 6 (43)
transaction effective date Ecom_Transaction_Effective_Date 4 (44)
transaction CID Ecom_Transaction_CID 8
transaction POS Ecom_Transaction_POSCode 12 (45)
transaction private use Ecom_Transaction_PrivateUseData 166
transaction response Ecom_Transaction_ResponseData 27
transaction approval code Ecom_Transaction_ApprovalCode 12 (46)
transaction retrieval code Ecom_Transaction_RetrievalCode 128
transaction response action Ecom_Transaction_ActionCode 13 (47)
transaction reason Ecom_Transaction_ReasonCode 4
transaction AAV Ecom_Transaction_AAV 3
transaction settlement date Ecom_Transaction_Settle_Date 4 (48)
transaction capture date Ecom_Transaction_Capture_Date 4 (49)
transaction Track 1 Ecom_Transaction_Track1 39 (50)
transaction Track 2 Ecom_Transaction_Track2 39 (51)
2.1.2. Field Footnotes
(1) For example: Mr., Mrs., Ms., Dr. This field is commonly
(2) May also be used for middle initial.
(3) For example: Ph.D., Jr. (Junior), 3rd, Esq. (Esquire). This
field is commonly omitted.
(4) Address lines must be filled in the order line1, then line2, and
last line3. Thus, for example, it is an error for line1 to be
null if line2 or line3 is not.
(5) 2 characters are the minimum for the US and Canada; other
countries may require longer fields. For the US, use 2-
character US postal state abbreviation.
(6) Minimum field lengths for Postal Code will vary according to the
international market served. Use 5-character postal code or 5+4
ZIP for the US and 6-character postal code for Canada. The size
given, 14, is believed to be the maximum required anywhere in
(7) Use [ISO3166] standard two letter country codes.
(8) 10 digits are the minimum for numbers within the North American
Numbering Plan (<http://www.nanpa.com>: It includes the US,
Canada and a number of Caribbean and smaller Pacific nations,
but not Cuba). Other countries may require longer fields.
Telephone numbers are complicated by differing international
access codes, variant punctuation of area/city codes within
countries, etc. Although it is desirable for telephone numbers
to be in standard international format [E.164], it may be
necessary to use heuristics or human examination based on the
telephone number and addresses given to figure out how to call a
customer, since people may enter local formatted numbers without
area/access codes. It is recommend that an "x" be placed before
extension numbers and that the "x" and extension number appear
after all other parts of the number.
(9) For example: email@example.com
(10) The name of the cardholder as it appears on the card.
(11) Case insensitive. Use up to the first 4 letters of the
association name (see also Note 102):
AMER American Express
BANK Bankcard (Australia)
DC DC (Japan)
DINE Diners Club
NIKO Nikos (Japan)
SAIS Saison (Japan)
UC UC (Japan)
UCAR UCard (Taiwan)
(12) Includes the check digit at the end but no spaces or hyphens
[ISO7812]. The min given, 19, is the longest number permitted
under the ISO standard.
(13) An additional cardholder verification number printed on the card
(but not embossed or recorded on the magnetic stripe) such as
the American Express CIV, MasterCard CVC2, and Visa CVV2 values.
(14) The day of the month. Values: 1-31. A leading zero is ignored,
so, for example, 07 is valid for the seventh day of the month.
(15) The month of the year. Jan - 1, Feb - 2, March - 3, etc.;
Values: 1-12. A leading zero is ignored, so, for example, 07 is
valid for July.
(16) The value in the wallet cell is always four digits; e.g., 1999,
(17) A space separated list of protocols available in connection with
the specified card. The following is the initial list of case-
"Set" indicates that the card is usable with SET protocol (i.e.,
it is in a SET wallet) but that it does not have a SET
certificate [SET]. "Setcert" indicates that the card is usable
with SET and has a set certificate [SET]. "iotp" indicates that
the IOTP protocol [RFC2801] is supported at the customer.
"echeck" indicates that the eCheck protocol [eCheck] is
supported at the customer. "simcard" indicates an ability to
use the transaction instrument built into a Cellphone subscriber
for identification. "phoneid" indicates use for the transaction
of a billable phone number. "None" indicates that automatic
field fill is operating but that there is no further
(18) A unique order ID string generated by the consumer software.
(19) The user ID and password fields can be used if the user has a
pre-established account with the merchant to which access is
authenticated by such values. For that use, one would expect an
application to require exactly one user ID, and one password
field be present.
(20) URI [RFC3986] indicating version of this set of fields. Equal
to "urn:ietf:params:ecml:v2.0" for this version. See Section 5.
(See also Note 101.)
(21) A string to identify the source and version of form fill
software that is acting on behalf of a user. Should contain
company and/or product name and version; for example, "Wallets
Inc., SuperFill, v42.7". (See also Note 101.)
(22) A flag to indicate that this web-page/aggregate is the final one
for this transaction. (See also Note 101.)
(23) The merchant domain name [RFC1034], such as
www.merchant.example. (See also Note 101.)
(24) The domain name [RFC1034] of the gateway transaction processor
that is actually accepting the payment on behalf of the
merchant, such as www.processor.example. (See also Note 101.)
(25) A Transaction identification string whose format is specific to
(26) A URL [RFC3986] that can be invoked to inquire about the
transaction. (See also Note 100.)
(27) The amount of the transaction in ISO currency format [ISO4217].
This is two integer numbers with a period in between but with no
other currency mark (such as a "$" dollar sign).
(28) This is the three-letter ISO currency code [ISO4217]. For
example, US dollars is USD.
(29) ISO Transaction date.
(30) The type of the transaction, if known. Currently a value from
the following list:
(31) A digital signature, base64 encoded [RFC2045]. (See also Note
(32) The ReceiptTo fields are used when the BillTo entity, location,
or address and the ReceiptTo entity, location, or address are
different. For example, when using some forms of Corporate
Purchasing Cards or Agent Purchasing Cards, the individual card
holder would be in the ReceiptTo fields, and the corporate or
other owner would be in the BillTo fields.
(33) An IETF Language Tag, as defined in [RFC3066].
(34) User preferences, as specified by the merchant. (See also Note
(35) The Uniform Resource Locator [RFC3986] for accessing the
customer's "wallet" software. (See also Note 100)
(36) A single capital letter: M=male, F=Female, U=Unknown [ISO5218].
(37) An immutable device identification or serial number. (See also
(38) User understandable device brand name. (See also Note 102)
(39) [ISO8583] field "card acceptor terminal identification".
(40) [ISO8583] field "processing code".
(41) [ISO8583] field "acquiring institution identification code".
(42) [ISO8583] field "forwarding institution identification code".
(43) [ISO8583] field "system trace audit field".
(44) [ISO8583] field "date effective".
(45) [ISO8583] field "point of sale date code".
(46) [ISO8583] field "approval code".
(47) [ISO8583] field "action code".
(48) [ISO8583] field "date settlement".
(49) [ISO8583] field "date capture".
(50) [ISO8583] field "trace 1 data".
(51) [ISO8583] field "trace 2 data".
(52) User-recognizable loyalty card brand name. Values for this
field are not controlled, and there is no IANA or other registry
for them. (See also Note 102.)
(53) The card issuer number required by the UK-based Switch and Solo
(54) The field names "first_name" and "last_name" have been retained
for compatibility with earlier versions of ECML. However,
"last_name" should be understood to refer to family or inherited
names(s), whereas "first_name" is the first given or non-
inherited name and "middle_name" is the subsequent given or
non-inherited name or names, if any.
(55) The Uniform Resource Locator [RFC3986] for accessing the user's
X.509v3 certificate encoded as binary DER. (See also Note 100.)
Meta Notes (referenced by other notes)
(100) ECML, a basic field-naming and structuring convention, does not
impose any particular requirements on these URLs. It is to be
expected that most applications that make use of ECML will
impose such limitations and perform checking to be sure that
provided URLs conform to such limitations before attempting to
(101) This is a field that, when presented in a web page, is usually
(102) An ASCII [ASCII] character string with no leading or trailing
2.2. Exemplar XML Syntax
The following sections provide an XML DTD and an XML Schema that
express the ECML fields with ECML v2 naming and ECML v2 hierarchical
structure. In case of conflict between this DTD and Schema, the
Schema should prevail. Note that the ECML v2 naming and structure
may be used in non-XML syntaxes.
The ECML v2 XML syntax is deliberately liberal because it is assumed
that specific applications making use of ECML will impose their own
For internationalization of ECML, use the general XML character-
encoding provisions [XML] (which mandate support of UTF-8 and UTF-16
and permit support of other character sets) and the xml:lang
attribute, which may be used to specify language information.
<xs:element name="StateProv" type="EcomSimpleText"/>
<xs:attribute ref="Mode" use="optional"/>
<xs:attribute ref="id" use="optional"/>
<xs:attribute name="Line2" use="optional"/>
<xs:attribute name="Line3" use="optional"/>
<xs:element name="Trace" type="EcomSimpleText"/>
<xs:element name="Track1" type="EcomSimpleText"/>
<xs:element name="Track2" type="EcomSimpleText"/>
<xs:element name="UserID" type="EcomSimpleText"/>
3. Usage Notes for ECML v2
This section provides a general usage guide for ECML v2.
3.1. Presentation of the Fields
ECML v2 merely names fields and specifies their content and
hierarchical organization. It does not constrain the order or
completeness of communication of or query for these fields.
Some parties may wish to provide or ask for more information, and
some for less by omitting fields. Some may ask for the information
they want in one interaction or web page, and others may ask for
parts of the information at different times in multiple interactions
or different web pages. For example, it is common to ask for "ship
to" information earlier so that the shipping cost can be computed
before the payment method information. Some parties may require that
all the information they request be provided whereas others may make
much of the information optional. Other variations are likely.
Every element may be flagged as a query or assertion by including,
when XML syntax is in use, the optional Mode attribute with the value
"Query" or "Assert" respectively. The Mode attribute effects all
descendant elements until overridden by a lower level element with a
Mode attribute. Thus it is easy to indicate that all of the elements
in an ECML v2 structure are present as queries or assertions.
Query elements may have data content. Such content SHOULD be
interpreted as a default value to be returned if no better value is
There is no way with Version 2.0 of ECML to indicate what query
fields a party considers mandatory to be answered. From this point
of view, all fields queried are optional to complete. However, a
party may give an error or re-present a request for information if
some field it requires is not completed, just as it may if a field is
completed in a manner that it considers erroneous.
3.2. Methods and Flow of Setting the Fields
A variety of methods of communication is possible between the parties
by which each can indicate what fields it wants the other to provide.
Probably the easiest method for currently deployed mass software is
through fields in an [HTML] form. Other possibilities include using
an [XML] exchange, the IOTP Authenticate transaction [RFC2801], or
So that browser software can tell what version it is dealing with, it
is REQUIRED that the Ecom_SchemaVersion field be included in every
transaction when ECML is being used on the web. Ecom_SchemaVersion
SHOULD appear on every web page that has any Ecom fields. It is
usually a hidden field in HTML Forms.
User action or the appearance of the Ecom_SchemaVersion field are
examples of triggers that can be used to initiate a facility capable
of providing information in response to an ECML-based query or of
using information from ECML assertions. Because some web software
may require user activation, it is RECOMMENDED that there be at least
one user-visible Ecom field on every web page with any Ecom fields
present when ECML is used via the web.
Under some circumstances, communications can proceed very slowly, so
it may not be clear to an automated processing function when it is
finished receiving ECML fields on a web page or the like. For this
reason, it is RECOMMENDED that the Ecom_SchemaVersion field be the
last Ecom field on a web page.
Transfer or requests for information can extend over several
interactions or web pages. Without further provision, a facility
could either require re-starting on each page or possibly violate or
appear to violate privacy by continuing to provide personal data
beyond the end of the transaction with a particular business. For
this reason, the Ecom_TransactionComplete field, which is normally
hidden when it is part of an HTML Form, is provided. It is
RECOMMENDED that it appear on the last interaction or web page
involved in a transaction, just before an Ecom_SchemaVersion field,
so that multi-interaction automated logic receives a hint as to when
to stop if it chooses to check for this field.
4. Security and Privacy Considerations
The information called for by many of these fields is sensitive. It
should be protected from unauthorized modification and kept
confidential if it is stored in a location or transmitted over a
channel where it might otherwise be observed. In addition, the
authenticity of the information will be a concern in many systems.
Mechanisms for such protection and authentication are not specified
herein but might, depending on circumstances, include object security
protocols (such as XMLDSIG [RFC3275], XML encryption [XMLENC], or CMS
[RFC3852]), or channel security (such as TLS [RFC2246] or IPSec
[RFC2411]). Systems in which an ECML field or fields are stored and
later forwarded will likely find object security the most
When information is being requested from a user, the user's control
over the release of such information is needed to protect the user's
Software that is installed on shared or public terminals should be
configurable so that memory of any sensitive or individual identity
information is fully disabled. This is vital to protect the privacy
of library patrons, students, and customers using public terminals,
and of children who might, for example, use a form on a public
terminal without realizing that their information is being stored.
When sensitive or individual identification information is stored,
the operator or user should have an option to protect the
information; for example, with a password without which the
information will be unavailable, even to someone who has access to
the file(s) in which it is being stored.
Any multi-page/screen or other multi-aggregate field fill-in or data
provision mechanism SHOULD check for the Ecom_TransactionComplete
field and cease automated fill when it is encountered until fill is
It should be remembered that default, hidden, and other values
transferred to another party may be maliciously modified before being
5. IANA Considerations
The sections below provide for:
1. registration of the ECML v2 XML schema contained in this
2. a version URN for ECML versions,
3. the subsidiary registration of particular ECML versions and the
specific registration of Version 2.0, and
4. three additional IANA registries for elements appearing in three
ECML v2 fields.
5.1. ECML v2 Schema Template
The ECML v2 schema give in Section 2.2.2 above is registered as
Registrant Contact: The IESG <firstname.lastname@example.org>
XML: The XML Schema in Section 2.2.2 above.
5.2. ECML v2 URN Template
As specified by the template below from [RFC3553],
urn:ietf:params:ecml is permanently registered with sub-registration
via RFC publication.
Registry name: urn:ietf:params:ecml
Specification: RFC 4112
Repository: RFC 4112
Index value: Values subordinate to urn:ietf:params:ecml are
registered by RFC publication. As provided in
[RFC3553], once such a value is registered, it may
5.2.1. Sub-registration of v2.0
The subordinate value "v2.0" is hereby permanently registered so that
is used to indicate an ECML field or fields that conform to this
specification. Although it is not anticipated that deeper values
subordinate to this URN will need to be registered, if necessary,
they are registered by IESG approval.
5.3. IANA Registries
There are three fields described in Section 2.1.2 that require the
establishment of IANA registries as described below:
A registry of case-insensitive alphanumeric ASCII [ASCII]
card-type designations from one to four characters in length
with no white space. See Section 2.1.2, Note 11, for the
initial 12 designations. Designations are added based on
expert approval. Applicants for registration will normally be
required already to have an ISO Issuer Identification Number
(IIN) or set of IINs.
This field holds a space-separated list of protocols designated
by case-insensitive alphanumeric ASCII [ASCII] tokens from this
registry or holds the token "none". See Section 2.1.2, note
17, for the initial seven registered tokens (including "none")
and further information. Tokens are added to the registry
based on expert approval.
A case-insensitive alphabetic ASCII [ASCII] value indicating
the type of transaction. See Section 2.1.2, note 30, for the
initial two registered values. Values are added based on
The following, listed is alphabetic order, have contributed to the
material herein: Ray Bellis, Steve Bellovin, Scott Hollenbeck, Russ
Housley, Jon Parsons, Lauri Piikivi, David Shepherd, and James J.
A. Appendix: Changes from v1.1 to v2
Substantial rewording of text to change the emphasis from HTML Form
Fields to XML Syntax.
Addition of the merchant -> processor fields.
Addition of the Ecom_Wallet_Location and Ecom_User_Certificate_URL
Addition of the "Mode" attribute.
Addition of the ECom_Payment_Card_IssueNumber, Loyalty Card fields,
Device ID, Valid From, and User Data fields.
Addition of an XML schema.
Some minor fixes related to telephone numbers.
Addition of IANA Considerations section.
Updating of RFC references for obsoleted RFCs.
[ASCII] USA Standard Code for Information Interchange, X3.4
American National Standards Institute; New York, 1968.
[E.164] ITU-T Recommendation E.164/I.331 (05/97): The
International Public Telecommunication Numbering Plan.
[ISO3166] "Codes for the representation of names of countries and
their subdivisions -- Part 1: Country codes", ISO 3166-1,
[ISO4217] "Codes for the representation of currencies and funds",
ISO 4217, 2001.
[ISO5218] "Information interchange -- Representation of human
sexes", ISO 5218, 1977.
[ISO7812] "Identification card - Identification of issuers - Part 1:
Numbering system", ISO 7812-1, 2000.
[ISO8583] "Financial transaction card originated messages -
Interchange message specifications - Part 1: Messages,
elements and code values", ISO 8583-1, 2001.
[RFC3106] Eastlake 3rd, D. and T. Goldstein, "ECML v1.1: Field
Specifications for E-Commerce", RFC 3106, April 2001.
[RFC3275] Eastlake 3rd, D., Reagle, J., and D. Solo, "(Extensible
Markup Language) XML-Signature Syntax and Processing", RFC
3275, March 2002.
[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
IETF URN Sub-namespace for Registered Protocol
Parameters", BCP 73, RFC 3553, June 2003.
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
3852, July 2004.
[SET] Secure Electronic Transaction,
[XMLENC] "XML Encryption Syntax and Processing", Eastlake 3rd, D.
and J. Reagle, December 2002,
Donald E. Eastlake 3rd
155 Beaver Street
Milford, MA 01757 USA
Phone: 1-508-786-7554 (work)
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
Funding for the RFC Editor function is currently provided by the