Web Payment Security Interest Group Charter

The mission of the Web Payment Security Interest Group is to enhance the security and interoperability of Web payments. The group pursues its mission by creating a forum for organizations to define areas of collaboration and identify gaps between existing technical specifications in order to increase compatibility among different technologies.

It is not part of this group’s mission to establish dependencies between specifications or to endorse products or implementations.

Start date: 17 April 2019
End date: 25 March 2021
Chairs:
Team Contacts: Ian Jacobs (FTE %: 5)
Meeting Schedule:
  • Teleconferences: Teleconferences to be held as required.
  • Face-to-face: Participants generally meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the Participants, usually no more than 2 per year.

W3C Members join the Web Payment Security Interest Group. Note: See the group home page for information about how FIDO and EMVCo Members join the group.

Introduction

The payments ecosystem is complex and undergoing significant change due to technology advances, the rise of mobile computing, regulatory changes, faster payments initiatives, and more. The complexity and rapid changes increase the challenge of securing end-to-end payments and ensuring privacy protection.

Each of the Founding Organizations (EMVCo, the FIDO Alliance, and W3C) has undertaken steps to improve online payment security. As those efforts have matured, it has become more apparent that greater coordination will help ensure compatibility and foster broader deployment.

In particular, the organizations acknowledge the growing importance of strong customer authentication in payments and other interactions. For example, the FIDO Alliance is simultaneously collaborating with W3C (on Web Authentication) and with EMVCo (related to EMV® 3-D Secure) on strong authentication solutions. The organizations recognize the value of building and sharing a vision of the future of strong authentication on the Web, including streamlining the user experience.

Scope

Interest Group Activities in Scope

  • Formulate a vision: Formulate a vision for improving Web Payment Security, taking into consideration a variety of payment methods.
  • Describe use cases: Collect industry needs at the high level of desired functionality. However, because Participants make no patent licensing commitments by virtue of participation in this forum, discussion of specification details, including potential changes to existing specifications, remains out of scope.
  • Conduct gap analyses: Gain understanding of whether current or planned technology can be used to enhance security and interoperability of Web payments. This activity may include:
    • identification of gaps;
    • interpretation of specifications;
    • identification of potentially conflicting requirements;
    • use of prototypes and mockups as tools for understanding;
    • identification of which organization(s) should address issues.
  • Liaise: Build a shared understanding of how the work of the Partner Consortia relates, in order to foster compatibility and interoperability and to avoid conflicting requirements. This activity may include discussions with other groups, standards organizations, regulatory agencies/bodies, and Web developers.
  • Communicate: Communication of Interest Group vision, use cases, and best practices to the broader community.
  • Identify standardization opportunities: Identification (e.g., through use cases) of capabilities that exist or need to be created to improve Web payment security and interoperability.

Activities Out of Scope

Web Payment Security Topics in Scope

This Interest Group discusses the intersection of the activities of the Partner Consortia around payments and authentication. Within that scope, the Interest Group will address these topics:

  • Technology compatibility / interoperability
  • Fraud reduction mechanisms, including through strong customer authentication and data security
  • Privacy protection
  • Emerging rules and regulations (e.g., Payment Services Directive 2 (PSD2) in Europe)
  • Harmonization with other standards activities (e.g., ISO 20022)

Topics Out of Scope

  • Topics internal to a Partner Consortium that do not require collaborative discussion.

Deliverables

Although the Interest Group may publish vision, use cases, gap analyses or other deliverables consistent with the scope of this charter, the initial expectation is that such deliverables will be rare. Instead, conversations are likely to be redirected at the appropriate time to the most relevant group.

This Interest Group might recommend standardization activities in any of the Founding Organizations, and participation in that standardization work would follow the general rules of those organizations.

Participation

Interest Group Participants ("Participants") are eligible participants of Partner Consortia and Invited Experts. All participants must follow the W3C Code of Ethics and Professional Conduct and W3C's Antitrust and Competition Guidance.

Participation in this Interest Group will not preclude or interfere with any collaboration (bi-lateral or multi-lateral) between any set of Participants under terms developed and agreed to outside the context of this Charter.

Each Partner Consortium will provide a registration mechanism for its eligible participants.

Founding Organizations

The Founding Organizations for this Interest Group are EMVCo, the FIDO Alliance, and W3C.

Partner Consortia

A Partner Consortium is either:

  • A Founding Organization, or
  • A Member Consortium that is invited by the Founding Organizations to participate, and that accepts the invitation. All Founding Organizations must support an invitation. Such an invitation is revoked when any Founding Organization no longer supports it. Each Founding Organization establishes its own internal process for reaching a decision to invite a Member Consortium to participate or revoke that invitation. A Member Consortium that seeks an invitation should contact the co-Chairs.

Participant Eligibility

Each Partner Consortium determines which people associated with the Partner Consortium are eligible to participate in this Interest Group. For the Founding Organizations:

  • From W3C: W3C staff and W3C Member representatives.
  • From EMVCo: EMVCo staff and employees of any EMVCo Member. This does not include Associates and Subscribers. However, EMVCo staff may also invite an Associate or Subscriber to participate, in which case that organization's employees become eligible to participate in this Interest Group on behalf of that organization.
  • From FIDO: FIDO staff and employees of any FIDO Member.

Each Member Consortium invited by the Founding Organizations must declare its participant eligibility policy prior to joining the group.

Invited Experts

From time to time, the Founding Organizations may invite individuals with expertise to participate who are not employees of a Partner Consortium or its Membership. These individuals, who must be invited with the unanimity of the Chairs, participate under the W3C Invited Expert and Collaborator Agreement and according to the W3C Process for Invited Experts. These individuals must disclose employment affiliation when participating in W3C work.

Communication

The Founding Organizations operate under different confidentiality levels. To best accommodate diverse requirements, and because this Interest Group does not publish technical specifications, Participants generally communicate in non-public channels. By joining the Interest Group, all Participants agree to keep such information "non-public" according to terms specific to each Partner Consortium (e.g., W3C participants agree to keep the communications of this group Member-only).

Non-public artifacts of the Interest Group must indicate the appropriate level of visibility for all the Partner Consortia.

Each Partner Consortium may archive and distribute non-public communications within its own membership (including participants in EMVCo programs, such as Associates and Subscribers).

In general, each Partner Consortium does not plan to share its own confidential materials with the other Partner Consortia. Participation in this group does not grant access to other non-public information outside of this group's activities.

From time to time and where there is consensus to do so, the Interest Group may make available public summaries or statements to keep the community apprised of its progress or suggestions.

Decision Policy

The Chairs of the Interest Group will pursue consensus decisions among the Participants for matters involving deliverables or group operations.

Copyright Licensing of Public Deliverables

This Interest Group will use the W3C Software and Document license for any material published with the consensus of the Participants.

About this Charter

Each Founding Organization will determine the process by which it approves this charter.