Web Payments Workshop - Session 2

Minutes for 2014-03-24

  1. Toward an Ideal Web Payments Experience
  2. The Inputs to the Payments Standardization Process
  3. Lessons Learned from the Mozilla Marketplace
  4. General Discussion on the Ideal Payment Experiences
Daniel Appelquist
Evan Schwartz and Charles McCathie Nevile
Daniel Appelquist, Evan Schwartz, Natasha Rooney, Manu Sporny, Kumar McMillan, Martin Hepp, Stéphane Boyera, Bryan Sullivan, Ernesto Jimenez, Dave Birch, David Ezell, Virginie Galindo, Ricardo Varela, Prakash Hariramani, Jeremy King, Giridhar Mandyam, Hannes Tschofenig, Jeff Jaffe, Erik Anderson, Charles McCathie Nevile, Jörg Heuer, Wendy Seltzer, Stan Stalnaker, Ori Eisen, Tobie Langel, Mountie Lee, Dave Raggett, and 78 others for a total of 103+ people
Evan Schwartz is scribing.

This page contains minutes for an official W3C workshop event that have been cleaned up and reformatted by the Web Payments Community Group. The W3C and the Web Payments Community Group are two separate organizations. Readers should understand that while the workshop was an official W3C event, the operation of the Web Payments Community Group is not officially sanctioned by W3C's membership. More information on joining W3C (membership fees) and/or the Web Payments Community Group (free) can be found on the respective websites.

Topic: Toward an Ideal Web Payments Experience

Natasha Rooney: In this session, we're going to look at use cases for web payments, analyzing issues and questions associated. By the end we should have some guidelines on how to move forward with these issues

Topic: The Inputs to the Payments Standardization Process

Manu Sporny: "Cat Herding 101", everyone has a different idea of what to standardize
Manu Sporny: W3C creates standards through consensus, "ideal" payments experience is subjective and there are many, we can only realistically standardize parts of the experience
Manu Sporny: Don't want to beat innovation out in the process
Manu Sporny: 3 Main inputs to standardization: position papers, input from Web Payments Community Group, attendees of this workshop
Manu Sporny: Survey of papers, common themes: no verified identity / trust mechanism (72%), outdated security tech (50%), no payment request standard (38%), no proof of purchase standard (38%)
USE CASE: Verify identity or assess trust of partners in a transaction.
Manu Sporny: Didn't think identity was going to be such a common issue but it was the #1 issue cited amongst the papers
USE CASE: Initiate / request payment.
USE CASE: Issue, transmit, validate proof-of-purchase / digital receipt.
USE CASE: Find and compare payment options for transaction.
Manu Sporny: Other themes: bad payment provider competition and lock-in (38%), expensive for vendors to integrate with payment providers (31%), mobile payments are fragmented (31%), payment provider lock-in (28%), poor rate of extensibility
Manu Sporny: Web Payments CG - 146 members -- not an official group at the W3C, existed for ~3 years, creating space where open payment technologies can incubate
Manu Sporny: Currently working on 14 technologies that can be applied to payment problems, these are designed to be taken W3C standards track if we get consensus on them. Almost all of them apply to the problems raised by the attendees of this workshop. Very much aligned in "what's wrong, and how to fix it".
Manu Sporny: Machine-readable products and offers, initiating transactions, digital receipts, identity, web security upgrades
USE CASE: Create a common digital receipt format.
Manu Sporny: (Types of tech being worked on)
Manu Sporny: Workshop attendee input: looking to determine problems, constraints, use cases, goals, and actions for the W3C
Manu Sporny: If you are interested in following up with this work, please join the Web Payments CG, it's not official but there will be a lot of post-workshop work and that's where most of this work is happening now: https://web-payments.org/join

Topic: Lessons Learned from the Mozilla Marketplace

Slides for thsi presentation are here: http://kumar303.github.io/w3c-payments
Kumar McMillan: For the past several years Mozilla has been building mobile OS called Firefox OS
Kumar McMillan: Looked at HTML5 and available APIs, tried to create APIs that did not already exist
Kumar McMillan: Wanted to have commerce as part of the mobile operating system, for developers to sell apps
USE CASE: App Stores - selling apps in mobile scenarios.
Kumar McMillan: Navigator.mozPay() is not on the standards track
Kumar McMillan: Talk will focus on what can be standardized based on mozilla's experience
Kumar McMillan: Web payments work today
Kumar McMillan: When presented with a choice between credit card and paypal, I'll almost always choose paypal. This works on the web, we have secure HTTP. There's also Stripe and Square in the US. Lots of startups disrupting the space
Kumar McMillan: There are some problems
Kumar McMillan: Credit card numbers are insecure, mobile billing is broken in some major ways, new customer info, no standard for asset ownership
USE CASE: Prove ownership over a particular asset (proof of purchase / ownership).
Kumar McMillan: Credit card numbers are totally insecure. Target got hacked and I had to cancel my card, get a new one, and update all of the accounts
Kumar McMillan: Why are we giving people credit cards when all they want to do is make a specific payment
Kumar McMillan: Payment tokens for merchants: merchants could give token that requests specific amount of money and token expires
USE CASE: Temporary payment tokens for merchants. If token is stolen, thief does not get access to financial account.
Kumar McMillan: Payment processor needs to move money from customer's account to merchant account -- merchant doesn't care how payment is executed
Kumar McMillan: PayPal hosted flow works with tokens, mozPay JSON web token works the same way, as well as Stripe and Square
Kumar McMillan: Merchant never receives credit card number
USE CASE: Billing through mobile operator (mobile billing) without hacks to HTTP.
Kumar McMillan: Mobile billing is broken, it's a nice way to pay and works on the web, but there is HTTP header injection, every operator is different, and there are SMS hacks
Kumar McMillan: Don't know how to fix this, operators need to step up and fix this
Kumar McMillan: At mozilla, introduced silent SMS API, they'd like to extract that from mozPay -- still just a better hack
Kumar McMillan: Apple's facetime has published how they do silent SMS
USE CASE: Make it simple to register as a new customer (get rid of the registration step, if possible, or make it transparent).
Kumar McMillan: Becoming a new customer is hard, you have to fill in home address, billing address, credit card number, and you need to do it all over again for each payment provider
Kumar McMillan: Request Autocomplete was developed by Google, shipping in Chrome, web page can request and autocompletion by the device and the info will be stored securely on the device
Kumar McMillan: Standard web identity could be one solution but it's pretty ambitious, there are strongholds around identity so it might be harder to use that
Kumar McMillan: How do you prove you own an item? FirefoxOS is trying to embrace fragmentation, they want firefox marketplace to sell app but other marketplaces can also sell that app -- to make this work they made a digital receipt format that is portable, decentralized, and verifiable
Kumar McMillan: Digital receipts could be standardized to help payments
Kumar McMillan: Payments work well, it's important to focus on things that are real problems
Kumar McMillan: Also important to think about what are the payment primitives? the basic, low-level building blocks like the token idea

Topic: General Discussion on the Ideal Payment Experiences

Denis: looking at the spec for web payments provider, it asks providers to be in a whitelist, what does it take to get in there?
Kumar McMillan: Whitelist of payment providers may end up being deprecated, need low-level building blocks for accessible APIs
Martin Hepp: How is the idea of digital receipts related to the work on schema.org? -- could be applied to JSON-LD representation
Kumar McMillan: No plan right now to align this with JSON-LD but it's a better idea than Mozilla's free-form JSON
Stéphane Boyera: MozPay seems like an interesting abstraction across other payment provider APIs
Kumar McMillan: It's an abstraction but anyone could make an abstraction, all the building blocks are on there on the web with HTML forms that have a submit button. I don't think we need to standardize an end-to-end flow, only focus on things that are missing like tokens. Stripe has its own abstraction
Daniel Appelquist: Working at Telefonica I agree with what Kumar said, but I don't agree that SMS is a hack
Daniel Appelquist: Using SMS is becoming pretty well cemented as mechanism for verification -- silent SMS may be useful in some cases but in others it might make the customer feel more secure
Daniel Appelquist: Is there really an ideal payment experience? Micropayments have long been needed. HTTP status code 402 was intended to support micro-payments. There were people in the mid-1990s trying to implement micropayments but there is plenty of room for innovation, shouldn't just focus on an ideal scenario. Need to focus on security and convenience
Daniel Appelquist: There are issues with the current security aspect, chromeless webapps or native applications, how can you determine if you're in a secure application
Daniel Appelquist: Certificate model of web security is broken because people don't pay attention to it, people click through even on old certificates
Daniel Appelquist: Innovations in payment UI like using camera to recognize credit card, but then there's a privacy issue
Daniel Appelquist: Loyalty cards have interesting developments
Daniel Appelquist: Mobile ticketing is also part of payments
Daniel Appelquist: Not currently convinced that we need payments as part of the core architecture of the web. we should incrementally strengthen existing work
Bryan Sullivan: ATT has operated as payment broker since 2002, APIs have improved over the years, also mobile wallet in the US. There isn't an ideal experience
USE CASE: Application of loyalty cards to purchases.
Bryan Sullivan: People should look at the push API he's working on with Telefonica
Bryan Sullivan: Payment is personal, enabling user choice in everything regarded to payment is a key aspect of the UI
Bryan Sullivan: W3C doesn't have to address entire industry but it should look at key use cases and requirements
Bryan Sullivan: UI for web on moblie is very diverse, all of contexts should be supported. Don't want a fragmented web UX
Bryan Sullivan: UX is going to be driven by how consistently the APIs are implemented, not so much about the UI -- you can set expectations but mandating a particular UX leads to narrowing scope of problem too much
Bryan Sullivan: Transfer of funds as an exercise is a really good place to start but we need to think of payments as an aspect of transaction processing in general, need to be able to exchange all types of value
Ernesto Jimenez: Used to work for Telefonica and Mozilla, background on what mozPay offered them -- it was good because everything is web-based, needed a way to verify trusted UI for entering details, the only problem was that there wasn't an option to open it up to every type of payment provider
Kumar McMillan: In mozPay there's a trusted UI, but it is still spoofable. That's not a payment-specific problem, it's a problem for all mobile. There's no way to trust that a site is connected to the right URL, all of mobile needs that
Dave Birch: If you assume payment token is the invoice signed by the provider, that's completely feasible. The client is going to pass the token to the payment service provider so they need to manage providers. They'll also resolve certificate chains
David Ezell: Digitally signed invoice can act as the receipts
David Ezell: If we assume most of this is going to move onto mobile, Trusted Execution Environments might add some optimism even if it's not ideal right now
Virginie Galindo: +1 To Dave Birch point on TEE optimism
Kumar McMillan: Maybe the token doesn't need the W3C but I want to see sites stop using credit card numbers
Kumar McMillan: With the receipts there's also the ownership part, like a cookie that lives on device so you could give it back to the website
Bryan Sullivan: People should look at global platform for TEE, this is a problem that's been around since feature phones
Bryan Sullivan: It's a general problem of the web that things can pop up and take over the screen
Virginie Galindo: Note : light explanation of Trusted Execution Environment technology there : http://poulpita.com/2014/02/18/trusted-execution-environment-do-you-have-yours/
Ricardo Varela: The moment we start getting into trusted elements, we're getting into manufacturers and browsers, etc. we'll need to decide if we want to involve those. Payments are not just a form, the actual payment is done later. The open question is whether payments should be a more integral part of the web. Similar to geolocation where you say I want your location, a merchant could say I want $10
Natasha Rooney: Many position papers separate UI and intent to pay, questioning whether UI should be standardized. What do people want from standards?
Kumar McMillan: Dangerous to standardize things that don't need to be standardized -- UI is easy to build on existing web technology. Risky to introduce APIs that are not useful. A 402 response is not as useful as a 301 redirect that redirects to a page saying you haven't purchased this option
Manu Sporny: I agree completely. It's dangerous to say this is exactly how payments look on the web, it's more about the intent to pay. Whitelists and digital receipts have been raised a number of times but if we say there will be a whitelist on payment provider signatures we'll continue having the same ecosystem we see today, no innovation. We could potentially put in the same infrastructure that was put in for the Certificate Authorities, we want a more flexible solution. Whitelists mean that we anoint winners and losers of a particular service, that's bad when it comes to payment, worse than what we have to Certificate Authorities today. Just say "No!" to whitelists.
USE CASE: When doing a payment, need a way to assure the customer he is his payment service provider and is not subject to phising. Specially problematic in mobile when browser chrome is not available.
Bryan Sullivan: Management of that type of data is the essence of evil, solution needs to be more scalable
Daniel Appelquist: We shouldn't describe things as "evil". On mobile, most apps are being used in a chromeless way, there is a disparity because there isn't the same kinds of visual cues.
Bryan Sullivan: Trusted consent is a general problem of the web
Prakash Hariramani: Murkiness in terms of the standard for payment tokens, what does the Fed and European Commission think of the standards?
Virginie Galindo: Note : some trusted user interface like work is discussed in WebAppSec see : http://www.w3.org/TR/wsc-ui/
Jeremy King: The standard that Mastercard and Visa have just related is taking tokenization from the issuer perspective and using token to initiate transaction
Jeremy King: From PCI standards there is tokenization from the acquirer's side
Jeremy King: Everyone's talking about tokenization from different ends of the spectrum, so we need to get our terminology straight.
USE CASE: Tokenization mechanism that protects the buyer and merchant from theft of credentials.
Bryan Sullivan: Not sure how the tokenization spec relates to the UX, maybe this can be clarified
Giridhar Mandyam: Re: mozilla telefonica paper -- why aren't client technologies for geolocation good enough? How will third party payment providers being included?
Virginie Galindo: Note emvco tokenization framework : https://www.emvco.com/specifications.aspx?id=263
Kumar McMillan: We're not sure, that's why there's a whitelist right now. There are really sensitive APIs, there are privacy reasons why we don't want to allow access to that
Natasha Rooney: Want to pull conversation away from mozPay because they're not going to spec it
Jeremy King: Re comments about SMS, not long ago there was a laptop and mobile phone, but now they've merged into one so SMS is ineffective 2FA
Hannes Tschofenig: There's always a reluctance to standardize UI but the standardization is gone on mobile, as well as the certificate validation. Is there any possibility to improve the mobile experience? No one wants someone to dictate UI but it's not a good state now
Bryan Sullivan: Re SMS use in stolen phones, the solution there is faster response for locking phones. And anyway in most cases the thief will pull the SIM first thing, which prevents the SMS from being an attack vector.
Kumar McMillan: Any time you're talking to any website on mobile phone, need better mechanism than a lock icon for non-crypto users to know they're talking to the right site
Parslow says - there is not only stolen phones but a lot of stolen OTP are due to cloned SIM issued by the operators
Daniel Appelquist: Security is a payments issue. per PHB, HTTPS was designed for payments, i.e., to make consumers feel confident enough to make payments online.
Bryan Sullivan: Re earlier point on location, I agree it should be entirely adequate (GeoLoc API) for payment purposes. Newer tech and networks e.g. LTE will also support indoor location soon.
Jeff Jaffe: Both Kumar and Manu have made strong points about not standardizing UI, but if we're talking about an ideal UX for payments, we have to get people to trust us with their dollars or Euros, it's different than browsing the web for information
Kumar McMillan: There's a lot of innovation on the current web with UI. Amazon payments are incredibly fast, Stripe has made it super easy to pay. We'd hold people back
Manu Sporny: I'm hearing people say that they want to standardize a UI, but does anyone even have an idea of what the ideal UI would be? I've never heard a solid proposal over the last several years that ended up gaining any sort of consensus (and there have been a few by big companies).
Natasha Rooney: Too many stakeholders
Stéphane Boyera: I believe we are mixing ideal functional interface vs ideal design
Bryan Sullivan: Shouldn't focus too much on UI
Erik Anderson: UI will always be branded by the organization. They will want their own particular theme. Standardizing the UI will never go anywhere.
Chaals wanted to ask what the relation is between digital receipts and EME, and to offer the counter-example of EV certificates and standardisation of UI
Bryan Sullivan: The problem is that solutions that focus on UI get reduced to a solvable surface, in the case of tracking protection for example limited to web browsers, and leaving all other web contexts off the table.
Charles McCathie Nevile: When we created extended validation certificate system, one of the things we did at W3C was standardization of UI to show that you were on an extended validated system. There's not a full spec but there are some clear guidelines to help users be sure they know what they're getting. You do have to dictate something about the UI to pass a clear message across different UIs, need to pass minimal viable set. Perhaps we should talk to the group that has done the most with digital receipts... the EME folks have been dealing with this stuff for a long time, we should talk to them.
Bryan Sullivan: UI can come from many places... Web servers are the most flexible source of UI, and OAuth servers have the same advantage of being able to dynamically pull in content/info to present to the user, and don't impact browser code bases (another limiting factor).
Charles McCathie Nevile: Might be way to standardize receipts
Natasha Rooney: Who thinks it's a good idea to start looking into UI elements of payments?
Some people think it's a good idea, a few think it's an awful idea
Natasha Rooney: Good case to start looking at it
Virginie Galindo: Note : UI with security merits may be worth looking at
Jörg Heuer: Need to differentiate between UI and user interaction patters, need to get into user interaction patters which blend into technical transaction interactions
Charles McCathie Nevile: [Having a digital receipt that is transferable doesn't solve all of EME, but one part of what they want to do is determine whether you have the right to use the content]
Bryan Sullivan: To address offline use cases, we also have service workers and other new tech that can serve the same goals e.g. local OAuth servers that can on the back end integrate with TEE Trusted Applications or Secure Elements, which can provide a truly trusted UI capability for the web.
Daniel Appelquist: +1 To thinking about interaction (not interface).
Bryan Sullivan: Would web components provide a means to create secure interactive elements?
Natasha Rooney: Bryan, just what I was going to say!
Jeff Jaffe: [+1 The distinction between interaction and interface is a helpful distinction]
Daniel Appelquist: Interaction is the more accurate term than interface
Charles McCathie Nevile: [... I.e. a digital receipt. And having a decentralised receipt instead of your prof-of-ownership being provided as a service by a particular provider would, for example, reduce the problem of your key expiring with the company that made it]
Bryan Sullivan: What would be the role of web components? they could provide secure interactive elements
Natasha Rooney: B2B payments haven't come up yet
Ricardo Varela: Bryan, I don't think so: web components at its basic form are just glorified client-side template engines, they don't solve anything we couldn't do already (of course they have benefits like reusability but they don't add new "use cases")
Bryan Sullivan: Whole range of relationships beyond B2C, in order to really reach scale, need to look at end-to-end interaction and see all of the players. Need means of exchange between providers and a market
USE CASE: Payments / digital receipts should be applicable to Encrypted Media Extension authorization to show content.
Ernesto Jimenez: 2 Tracks for UI, browser or OS UI and there's also UI for payment flow from payment processor. need way to show customer in mobile and desktop that they're in a trusted environment. shouldn't standardize how that looks but should provide means for browsers to show it's in a trusted environment
Ernesto Jimenez: Different aspects of this could be standardized separately as layers
Bryan Sullivan: Businesses and enterprise user use cases are just as important as consumer use cases. For example, the parties involved in enterprise use cases might aggregate or authorize payments on behalf of the enterprise, thus represent a B2B use case.
Charles McCathie Nevile is scribing.
Manu Sporny: Don't think anyone is arguing against a layered approach
Daniel Appelquist: Agreed
Stephane wanted to talk about merchant ideal experience - adding easily psps without changing a line
Stéphane Boyera: We talk a lot about users. I feel we need a holistic approach. Think of the merchant UI. What merchants want is to support more payment providers without changing the website for each one... that has a huge impact.
Kumar McMillan: Would be nice, don't see it happening. People woudn't follow a standard for an API.
... the incentives are not there. Open source is a good answer
... that would get traction.
Chaals thinks a standard is a far better tool than an Open Library...
David Ezell: +1 To chaals
Stéphane Boyera: There is an abstraction that can be done like mozpay, routing the user through the payment layer generically seems a clever way to provide benefits to merchants and customers.
Bryan Sullivan: Isn't the interface between a virtual wallet and payment providers valuable to standardize?
... think that could be a good goal, allowing innovation where it makes sense and a generic approach where it is required.
Manu Sporny: Big problem for merchants- if there is an open mechanism, the merchant still needs to get the money.
... They want to accept all payment, but don't want to make individual deals with each processor. Not sure we touched on that.
Bryan Sullivan: The merchants don't need to know or use the API between the wallet and payment provider, just the web API that provides access to the wallet.
Stéphane Boyera: Think that would solve the issue. It isn't just an account today, it is also writing a whole backend.
Manu Sporny: So where do they open the account? Without an open standard, it matters where you open the account - that's a big problem.
Natasha Rooney: Wallets might be able to handle that, giving a bundle of accounts.
... people innovating around there can cause issues.
Wendy Seltzer wants to discuss privacy.
Wendy Seltzer: Wanted to re-emphasise Dan's quote about HTTPS - giving customers confidence to make payments on the web.
... shared interest is giving the customer confidence in transactions.
... and we have interest in making that confidence justified.
Erik Anderson: Merchants dont want to be exposed to all of the underlying payment sources or technologies. They want it to be more simple.
Stan Stalnaker: Deep thought - what would an http:// protocol look like as a means of annotating a potential payment marker?
Wendy Seltzer: Some attention to the UX is needed. We need some workto standardise and help people see they don't need to be an expert in choosing providers to do business, don't need to do a lot of research before knowing if payment will work on the web.
... we want this to happen, where can we do the work?
Charles McCathie Nevile: Stan, you mean like: payto: ?
David Ezell: Merchants want choice, but not necessarily infinite choice. Having ANY choice would be a huge improvement over status quo.
Hannes Tschofenig: Raises an interesting question for W3C. On the one hand you create building blocks, and let industry innovate, but how do you ensure that these are sound for security, which is the sum of, not just individual block properties.
... relates to whitelisting/certification.
... When people meet the right criteria they get the User Experience. I see layers in standardisation - some blocks at W3C, but some maybe somewhere else (dunno where)
... to provide a block that people get which is trustable. There are examples in other sectors, like FIDO or Bluetooth.
Bryan Sullivan: I agree that trusted UI is an important thing to be considered but in general, not just for payments. And we should keep a broader focus when we consider this, remembering that much of the Web's UI exists outside the user agent, at least in how the presentation layer is crafted.
Natasha Rooney: Has happened in eg WebRTC too.
Ori Eisen: Suggest we keep the UI and visual to the end. Computers are great in shell before they had UIs. Let's fix the core issue and then worry about how to signal what we are trying to solve.
... Think there are plenty of things W3C can and should do. BUT there is no standardisation of fighting viruses. The bad guys are too agile to make standards of how we fight them.
Bryan Sullivan: APIs are the analogy of the shell
Wendy Seltzer: [Cough Kerckhoffs's Principle, that a cryptosystem should be secure even if all is disclosed but the key; transparency can aid security cough]
Ori Eisen: Any standard we make will be so slow that bad guys have a roadmap in advance.
... need to figure what should and what shouldn't be standardised.
... who takes responsibility for paymetn security if it goes bad. How do people who take responsibility for lost money fit into the standardisation.
... Don't forget there is an adversary watching us.
Daniel Appelquist: My perspective is this workshop is looking to feed a process in W3C, but the thinking we are doing can have a big influence too.
... documented record of the meeting might produce outcomes which are work items but not for W3C.
Tobie wanted to comment on non-normative UI/UX work.
Tobie Langel: Following up on UX. The reason not to standardise is 1: IPconcerns, 2: don't block innovation. Which are important points. However, there would be value in some non-normative documents on the topics.
Jeff Jaffe: [Jeff supports Tobie's point. We often call that "Best Practices".]
Erik Anderson: All the merchant cares about is getting the money into their bank. What is their experience going to be?
Manu Sporny: We are focusing on customer experience and especially security issue for them, not "does their payment provider match the merchant"?
... When merchants accept Visa and MasterCard both them and the customer doesn't care who people bank with. Unless we're building on existing powers, you have to have a standard where the merchant and customer can have different bank accounts, otherwise we can't compete with what we already have.
Daniel Appelquist: Agree. E.g. Stripe's value-add is simplifying life for the merchant.
... Yandex proposal has some issues but the thinking behind it to make it easy for merchants to integrate payment is something we really need to understand how to do, and to get right as an output.
Kumar McMillan: Why do we need to standardise? Merchant can already accept bitcoin.
Charles McCathie Nevile: There are some governments who take a dim view of merchants doing that (accepting Bitcoin).
Stéphane Boyera: -1 To what Kumar said.
Bryan Sullivan: Downside is fragmentation inhibits growth. Developers always complain about the lack of standard APIs. The developer experience is horrible and they don't have bandwidthto track the fragmented world.
... standardising at least a digital receipt might help as a minimum.
Manu Sporny: What we want is "any merchant can integrate any currency, so long as the value ends up at what they asked for". Ideal is that when a vendor implements a cart, the mechanism is the same across currencies and national boundaries. They just want a receipt for the amount they asked for.
Stéphane Boyera: +1 To what Manu just said.
Daniel Appelquist: Sometimes the vendor needs more info than the credit, e.g. for regulatory requirements (reporting, etc)
Mountie Lee: Re certificates, a strength is that it is not yet fully standardised. Problem of transport medium. Web is on the application layer.
... certificate has ???
... 2nd point, payment can be connected to the merchant or delivery or ID service providers. Have to think about integrating the process from initiating, getting the receipt...
... 3rd We can use recommendation systems to determine trust.
... we can rent the idea from bitcoins and use users instead of whitelisting, exchange w/o trust.
Daniel Appelquist: So learn from cryptocurrency and bring ideas into mainstream payment?
Bryan Sullivan: The third idea seems to call for vendor reputation integration into the UX for payment.
Mountie Lee: No, we get votes from users. Accumulating votes can use the bitcoin transaction history mechanism to increase trust.
Manu Sporny: So, you're saying that the trust of the merchant based on other transactions. More people work with them, the more you an trust them.
Mountie Lee: Also user experience reports. No trust until you get "xyz" accumulated experiences
Charles McCathie Nevile: The problem with that is how do new entrants get on board?
Manu Sporny: Yep, that is a problem - no clear solution to that right now. Perhaps they get on board just like every other merchant does on the Web today, although that's less than ideal. Gives enormous power to the Amazon, Walmart, and Tescos of the world.
USE CASE: Merchant and User reputation system accessible to the payments mechanism.
Bryan Sullivan: Reputation is integral. If we could integrate verifiiable reputation recommendation it would be valuable
Wendy Seltzer: I hear "two-sided market".
Dave Raggett: Bryan, reputation is important for all the parties, not just merchants
USE CASE: Reputation based selection of providers in a payment transaction, or info about merchants to help the user choose whether to complete the transaction.
Ricardo Varela: Payments with cards are optimised for merchants. I ahve no idea what I get charged when I make an international purchase.
... The same will happen here. Merchants already whitelist payment providers - won't accept some card because of various factors.
... question is who does whitelisting.
... in B2B, a merchant cannot ust receive money out of everywhere, they have to justify the income.
Parslow says - now in France you can be charged for exchange rate between EUR and EUR...
Jörg Heuer: Important to understand that the security things are about risk management, since 100% security is an illusion. We need to keep that in mind and associate risk with the right players.
... in many cases the system holds the user free of liabilities - this is a service of the payment provider.
... if they can make the browser secure easily, they can make things cheaper. We're not looking for *a* security mechanism but a framework that supports many. We want to give users and merchants a choice.
... I go to a shop and they say what they accept. I want to see that on the web, and then choose the instrument of those I want. two places where choices can be matched, which is a protocol thing that we can work on.
Natasha Rooney: Seemed from position papers that stronger solutions were the simple things. Is a simple solution the right thing to do? What would it be?
Kumar McMillan: Think we need to focus on the small pieces, not an end-to-end solution. Everyone has different incentives. So they won't adopt a standard that doesn't match their incentive.
... If we focus on e.g. receipts, someone finds that useful but will want to e.g. maintain their own control over identity provision. So think we can only focus on the primitives.
Manu Sporny: Largely agree. Important to know where we are going. Would expect work to happen in phases. Primitives first, then maybe higher-level concepts. Can we give anyone the ability to crowdfund up to X value? Not in generation 1, but with the right primitives in place it might be possible to handle that in a future iteration.
... A big standardization initiative will result in failure, we need to start with small blocks.
Bryan Sullivan: Keep it simple. Don't make a thin abstraction layer covering a mess of javascript that covers all the horrors.
... finding the sweet spot is complex (we're going through that with PushAPI)
Hannes Tschofenig: It was interesting that all panel members argued for **simple** solution
Hannes Tschofenig: (Nobody every argues for complex solution and for standards that are hard to understand. How boring is that?)
Hannes Tschofenig: Even consultants argue for simple solutions. They just add that the search for simple solutions is still ongoing and requires lots of work
USE CASE: Whitelisting of parties - users, merchants, payment providers without scalability / anti-compete issues.
Natasha Rooney: Wrapping: Trust and security is a big topic.
... we focused on trust and trustworthy UI. Lot of attention paid to digital receipts and tokens. Whitelisting has scalability issues but we want to look at what they really are.
... flow from the merchant perspective is important - we are all users, but not all merchants.
... for standards, keep things simple and/or standardise in modules.
... We dabbled in stakeholders, and wallets (there is a session on that tomorrow)
... I'm eating your break, but while there, think of the primitives to standardise around and tweet with #w3cpayment hashtag
End of session 2.