W3C

Web Payments IG - Vision 2017 Task Force Meeting
17 Feb 2017

See also: IRC log

Attendees

Present
Ian, AmyZ, MarkTiggas, jeff, AdamLake, Natasha, Manu, dezell, Ken, Ted, Todd
Regrets
Chair
Ian
Scribe
ian

Contents

  1. Web-based Digital Wallets
  2. CNP Security
  3. Next meeting

Web-based Digital Wallets

https://docs.google.com/presentation/d/1A0Kv1A66eTw4_YMXjLXT-RQR0WDLwlqoiL_meoX1Jt8/edit

<scribe> scribe: ian

<manu> https://docs.google.com/presentation/d/1A0Kv1A66eTw4_YMXjLXT-RQR0WDLwlqoiL_meoX1Jt8/edit

Manu: This proposal is a bit different from the other proposals. It is more about coordination of work than new standards work
... the focus is web-based digital wallets
... we are using the term "digital wallet" for now
... combine payments, loyalty, offers

jeff: currently we are doing some standards work in payment. In loyalty and offers I'm not familiar with work in working groups...

Manu: currently there are three groups (at different levels of maturity) - digital offers community group, which has a goal of creating a WG.
... then we have payments WG and also verifiable claims we hope becomes a WG
... so one activity of the IG could be to help coordinate the work such that web-based payment apps could be as powerful as native

Jeff: Digital offers is not far along yet; caution about considering it certain

Manu: My assumption is that it will be successful in the future

[IJ plans to try to keep this discussion to 9:35 ET]

[Manu reviews coffee shop scenario]

Manu: The scenario ties together web payments, digital offers, and verifiable claims
... the scenario can be generalized to all retailers.

* Retailer provides digital loyalty card

* Retailer delivers digital offer to customer via the card

* Customer acts on the digital offer to perform a purchase

[Slide 4 on problems for stakeholders]

customers: value? spam? app fatigue?
... people don't want to install apps; app retention rate low; people don't want to install loyalty apps

retailers: loyalty programs are limited and expensive, typically tied to POS integration

consumers want real-time offers...requires digital but very few offers are digital right now; mostly print

IJ: I hear coupon industry wedded to print
... any data on obstacles we can address to get to digital offers?

Manu: Don't have that data and hope the CG can work on that
... we don't need CPG companies for this particular strategy
... this strategy is mostly for small retailers

dezell: the resistance to coupons is an ecosystem resistance. it's not just one particular stakeholder
... There's a lot of capital investment in physical coupons
... this is one of the things that slows this down
... at the IG's FTF meeting I intend to try to get guests who know this in more detail

manu: CPG have an "anemic" digital offer strategy; those coupons are not widely redeemable
... there ARE a number of entrenched interests
... understanding that is the job of the digital offers CG, but is not really critical to this proposal.

[Slide 5 - ecosystem]

Customers want loyalty programs to scale across devices

[Slide 7 - benefits to customers]

IJ: What does interop look like if problem is matching customer loyalty and retailer loyalty?
... I would not expect to be a user of loyalty program A with loyalty program B....I expect merchants would want to support multiple loyalty programs potentially.
... and so the analogy is that you want a single POS terminal

Manu: Right - the way you express loyalty is interoperable; the loyalty service providers are different

Adam: The average household has 29 loyalty programs...and typically they would need a different app for each

IJ: I understand protocol interop, but I don't see loyalty services going away.

dezell: the analogy to cards is a good one...there used to be one card per program


e.g., each gas station had their own card

scribe: and companies did not want their cards used at other merchants
... but consumers wanted interop
... standards came about and that carried the day

Manu: What we are proposing is not to centralize or minimize...we want retailers to provide loyalty cards that are specific to that retailer
... they only want it to be used at their location

(But that is my point - you will then have N loyalty cards, each working in a small number of shops)

[Manu proceeds through additional incentives]

Manu: Software vendors want to be able to innovate in loyalty without entering the POS space
... they want to be able to provide digital wallets that include digital offers

[Demand for Ecosystem]

scribe: people want digital coupons but only 2.5% are digital today, so there's a big opportunity
... digital coupons constitute 6% of redeemed coupons even though they constitute a much smaller proportion of all coupons

<dezell> Manu, suggest you include the redemption gap - reportedly 20% of face value (loss to merchant) for paper coupons.

[Why W3C]

Manu: I think part of vision needs to be weaving w3c technologies together to compete with native apps

Mark: On centralization - had there been a ubiquitous commercial network when cards developed we may not have ended up with a centralized model
... one problem in the past was hub and spoke for comms

Jeff: I like this idea in this space in general. I am unclear what exactly is the deliverable that you are proposing, and generated by whom

Manu: The deliverable is an analysis of the technologies we are working on and how they fit together
... digital bazaar is building a web-based wallet that uses these various technologies
... based on our implementation we think that it's possible, but we think there are gaps
... so this project would be a gap analysis
... So we should produce a gap analysis by the end of the year

Jeff: An architecture document that relates these things and identifies gaps .. that could be a methodology
... for a gap analysis, what methodology would you use?

Manu: The goal is to focus on a basic scenario (which we also think is relevant generally)
... The proposal right now is to do a low-level gap analysis - can the web do this thing?

Jeff: + to "more specific". My only worry when I look at slide 5 and see "gap analysis"...to me that has to be framed carefully.

as long as it's framed more tightly, then it makes sense to me

IJ: Is there a barrier to having this conversation in the digital offers community?
... I would not want to have 2 digital offers conversations going on

Manu: It's not about digital offers. It's about a lifecycle.
... they get a digital offer and make a payment
... there's another piece which is "linked data communications"

IJ: Digital offers are out of scope for payments WG

Manu: I think the IG is the right place since it does not cleanly fit into digital offers

CNP Security

Ken: Apologies to not have slide; tough to get approval to do so

[IJ Notes that Ken's docs not in our archive]

Ken: Amex key priority is fighting fraud. The current focus these days is EMV in the physical world
... (big migration happening in the US)
... back in September Amex commissioned a survey...about 1000 consumers and 400 merchants
... some US-centric data here
... most US consumers use a mobile device
... about half of consumers experienced online fraud, and about 60% merchants said they experienced fraud
... based on how we look at payments in general, when we look at online payments we see both good news and challenging news
... while online payments are growing exponentially, fraud is as well
... EMV (in simplest form) is a chip; superior to magnetic strip because cryptograms are used
... most of the world's markets have been moving to EMV
... the US is currently going through the transition
... for petroleum merchants to replace a terminal is complicated; they have received an extension
... in the US, most brands are seeing that they are close to being completely EMV on the issuing side (most cards in the market now have chips)
... only about 30% of merchants are currently enabled for EMV, so still some way to go
... where we have seen EMV migration we have seen a spike in online fraud
... we are expecting this to hit the online market as well
... most of the payments world is focused on card-not-present (CNP) transactions
... these are more vulnerable because (traditionally) they do not benefit from both software and hardware advances
... what people consider "CNP" may vary and there are lots of scenarios, but for the purposes of these calls are those related to online commerce.

<Zakim> manu, you wanted to ask specifically about fraud mitigation - is it just "implement EMV?" or is there more? "EMV for the Web"? This sounds like a new W3C WPWG payment method?

Manu: One idea is "implement EMV one the way"
... from what you are saying, it sounds like the web payments WG could implement something like an EMV payment method
... is that the type of outcome you'd like to see?

Ken: Good question, you are ahead of me

(We are working on a tokenization spec => https://w3c.github.io/webpayments/proposals/tokenized_cards.html )

Ken: I am not focusing on EMV...
... at least in some of my experience participating so far in calls, I don't see what we would consider an adequate focus on security
... it doesn't have to be EMV, it doesn't have to be 3D Secure, or tokenization...the point is that we think the group would benefit by spending more time on security
... we think that there is an opportunity to educate constituents, including about security
... I see great stuff happening from a coding perspective (easier payments) and from a user experience
... and also a merchant experience
... all of that is good, what we are saying here is that there is an opportunity to do more, in part by educating people about how to do more secure payments
... what I will pick up on the next call ... previous breaches and what they have cost, and why it makes sense to address them

<dezell> I agree strongly with Ken about the value of the discussion in the IG.

<Zakim> dezell, you wanted to comment if there's time.

dezell: +1 to Ken. One note is that mobile may obviate need for EMV equipment updates
... it's not just crypto, it's about flow

<manu> +1 for putting more of a focus on security, especially digital signatures on data sent via Payment Request...

jeff: I am most interested in security issues as they relate to specific recommendations that we are doing

<manu> (and encrypted fields in Payment Request)

jeff: in some cases there may be opportunities to provide feedback on specs in developments in various working groups (and guidelines for usage)
... is there some specific call-out that we need to make to these working groups?

Ken: I hear that. I want to ensure I am not being myopic (Amex perspective only, or traditional ways we would address an issue)
... Authentication is an important issue; I want to continue to advocate relationships with other organizations such as X9, PCI, EMVCo, [FIDO]

<manu> Ian: We can try to map the existing security work at W3C to Amex's perspective... where should we focus? That'll help us get more concrete about this.

https://www.w3.org/Payments/IG/wiki/Vision2017

<jeff> possible regrets next week, traveling in Europe

<manu> call next week, please... would like to hear more from Ken wrt. security... have a number of thoughts on it.

Next meeting

<manu> Ian: Let's hear more about Ken's proposal next week

24 Feb at 9am ET

regrets for that meeting: Jeff


Minutes formatted by David Booth's scribe.perl version 1.148 (CVS log)
$Date: 2017/02/17 15:27:21 $