Trying to understand the Customers API

Hi Steve, thanks for posting. Good Qs!

As for the first question about secure Customer Card flows, I believe the expectation and standard integration flow would be that you would, in addition to collecting email for return visit login and card use, tie that email to a password and account. That is, the user would have to return and enter their email along with a password to access the account and stored card. Additionally, you could require verification of ownership of the email via one time codes or similar methods for added protection. Customer Cards enable you to stash a card with a Customer Record, but you still need to wrap that functionality in standard, appropriate login and verification mechanisms. @sjosey – does that sound right to you?

re: Automatic customer profile merging – I can speak to that part (I’m the Product Manager for Customers API):
(1) our predictive duplicate detection methods will NOT merge profiles that contain cards on file.
(2) our deterministic duplicate detection methods are primarily based on identifying duplicate profiles based on the same phone or email appearing on multiple profiles. It is possible we would merge customers with Customer Cards that have matching phones or emails, but only if there were no conflicts in either field. As a result, there should not be situations where a profile with a Customer Card is merged and the resulting merged profile has any destructive changes to an email or phone field. So, if you were using either identifier for account login tied to a card, it would not be modified in a merging operation. I believe this would address the concern you're envisioning.

Please let us know what follow up Qs you have. Thanks!