W3C

Vision Task Force

24 Feb 2017

Agenda

See also: IRC log

Attendees

Present
Ian, Todd, Manu, Adam, dezell, Ken
Regrets
Jeff
Chair
Ian
Scribe
Ian

Ken presentation continued

Last week's discussion => https://www.w3.org/2017/02/17-wpay-minutes#item02

<scribe> scribe: Ian

Ken: If this topic ends up on FTF agenda I will prepare slides for that meeting
... Last time I focused on how important EMV is in the payments industry
... and in the US there's a technology migration....that typically causes fraud to move to where there is less security, e.g. online payments
... we focus on security as a pre-emptive measure but also analyze breaches that have occurred
... e.g., home depot (56M cards impacted)
... estimated $70M cost (+ brand damage)
... JP Morgan Chase 76M cards + personal
... estimated remediation cost $250M
... Target 40M card accounts....248M remediation
... Sony playstation 100M customer accounts impacted
... they suffered a second breach in 2014...cost of remediation was $38M
... our risk and security teams look closely about what happened, trends, etc.
... we believe security should be handled collaboratively
... US office of personnel management suffered breach - 18M US gov employee records lost
... remediation cost estimate $133M
... US Postal breached, ....

<scribe> ....New York Atty General reported 22-23M records in a breach

Ken: for us these are big breaches from a cost and brand perspective
... the size and scale is tremendous, the cost of remediation is high and can take years to recover from damage
... Cf. the Gemalto incident report

http://www.gemalto.com/brochures-site/download-site/Documents/ent-Breach_Level_Index_Annual_Report_2015.pdf

Ken: relevant to w3c because (1) standards are global
... the disparity in NA compared to other regions
... e.g., 76% of incidents allocated to NA, 12% to Europe, Asia 8%, ...
... I'm sharing this information to convey the importance of the topic, and some Amex perspective
... Jeff asked last week - how and why do we think it's relevant to the WPIG and not just the security WGs at w3c?

Manu: Thank you for the helpful background information. I'm interested to know whether there are any ideas for specific things the group can work on
... e.g., if there are tokenization requirements

Ken: I'm going to speak more to the opportunities (even if myopic) and that can foster discussion to get to the question of what specs might be worked on
... One question is "does it have to be part of the spec"
... My security team asked "who is involved in the spec development who has security expertise?"
... I couldn't answer the question
... the other thing that I think is relevant to the merchant adoption strategy task force - are there security issues that might hinder adoption? E.g., related to PCI compliance
... PCI is the bare minimum of what we encourage (or mandate) merchants
... and our mutual clients
... Does it have to be part of the spec and why?
... we came at this question from 2 perspectives
... when our security team looked several months ago at the specs, what they didn't see in the specs
... was, within the protocol, to ensure that certain data elements were called out so that our issuers
... (banks, etc.) receive the information they need to take a risk based approach
... from a security perspective, we look at things from a risk-based approach
... the reason that we think data is so important is that our issuers look at it, and make decisions according to criteria
... some criteria may also be region-sensitive
... e.g., size of payment may trigger an action differently in different regions
... if geolocation information unavailable, then they might look at other data
... we look at credit risk and security risk.
... one thing the security team thought was to give rigor to the IDMV process
... e.g., we might come up with requirements for ANY payment app to help people make risk assessment
... if that information is not available, then other forms of verification might be helpful
... we want to streamline checkout but are also mindful that data may be required by payment app owner to make a risk-based decision
... there are also opportunities for payment app distributor to return to merchant for additional information
... another recommendation is to collaborate with PCI early to get a security review

dezell: +1 to Ken's remarks
... I am anxious to figure out how to turn this topic into an interesting problem for W3C to engage with
... harvesting ISO 20022 security info may be helpful

Ken: EC just came out with a new CDM mandate
... my preference is to use a light hand initially - we don't want to slow down the work that's being done; just want to incorporate other considerations early (from security + regulatory perspectives)

<Zakim> manu, you wanted to note that DB has been frustrated with the lack of security thinking in the current work. Risk-based adds complexity, how can we automatically protect

manu: Digital bazaar has been frustrated by lack of security thinking in the current work
... risk based analysis is good but one downside is that it provides too many options for people deploying payment apps
... the easiest path for a payment app today is PAN in the clear; there was a good reason to do that, but it also puts payment apps in full PCI scope
... tokenized specs are in development
... but it's not clear to me that the group is taking the full end-to-end security of tokenization into account
... it's fine if the specs we work on, but if it's not the easiest way, then it may not be implemented
... it took many years for HTTPS everywhere; but that's just a basic layer of security that the web is moving towards
... right now we are not on the path of promoting end-to-end security easily
... I'd like W3C to push ecosystem towards path of security end-to-end

Ken: I have two thoughts (1) there are trade-offs between usability and security...
... but the flip side of it is "what can we do proactively to stimulate merchant adoption?"
... what will be initial hurdles we need to overcome?

<manu> +1 - that's a very solid strategy! Involve PCI from day one.

<Zakim> dezell, you wanted to recommend one more point I left out...

dezell: +1 to security considerations early

<adam> yes, get PCI involved. Are they currently participating at W3C?

<manu> Ian: I wanted to support looking at security topics closely, collaborating with PCI, but also indicate that security has not been neglected during the process. A number of features and discussions could be pointed to.

<manu> Ian: We are moving in the direction of more security. I wouldn't dismiss those efforts to create a secure ecosystem and ensure that payment apps are authorized by proprietary payment mechanisms.

<manu> Ian: Further analysis of ecosystem and finding out what the critical features are sounds like a very healthy exercise. We should do that sort of gap analysis.

<manu> Ian: Where are the next spaces where we should provide improved technology to do secure end-to-end payments. Building on the work that's been done, bringing in the ideas of other organizations, and determining whether there is Web-wide security needs, or more specific ones.

Ken: My security team is happy to join a call to share their perspectives on how they look at security.

IG FTF

<manu> Ian: I'd like people to be able to leave this call with a sense of what they need to prepare for wrt. face-to-face meeting.

<manu> Ian: What are the topics we're going to cover, what are the deliverables we'd like to see.

<manu> Ian: We have four main topics that we'd like to discuss in the forum - automotive, security, wallets, and digital receipts.

<manu> Ian: Based on wallets, the topic is most closely tied to digital offers and we try to tie that into Digital Offers discussion.

<manu> Ian: This is largely about integration of digital offers, digital offers discussion - piece that has to do w/ integration is a project, unearth specific requirements. That discussion on its own can happen in digital offers space. It's about articulating use cases tied to digital offers. In the context of payments/search.

Manu: I don't know if I can get through all the content and do the demo in 30 minutes

(25)

<manu> Ian: Assigning another half hour would be difficult, bulk of it is about digital offers...

https://www.w3.org/community/digitaloffers/wiki/Discussion_Topics

<manu> Ian: We could condense the presentation in the Digital Offers discussion...

Manu: next step is how to schedule time in the digital offers portion

dezell: We are still working on the digital offers session

https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_Mar2017

<manu> Ian: Digital Offers agenda is still being fleshed out.... if 1.5 hours, including demo, isn't enough, we could take another 30 minutes.

<manu> Ian: I'm leery about manu doing 30 minutes that is not integrated into very similar use cases in Digital Offers CG.

<manu> Ian: It's cool if the demo highlights missing pieces of Web Architecture, but in addition to that, to have another half hour that's going to be duplicative of the digital offers conversation, that's not good.

<scribe> ACTION: David to work with Manu and Linda to flesh out the digital offers agenda and determine whether 2 hours is needed rather than 1.5 [recorded in http://www.w3.org/2017/02/24-wpay-minutes.html#action01]

<trackbot> 'David' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., dbaron, dezell2, djackso3, dlehn, dmnicol, dsinger2).

<manu> Ian: Second topic to go over is Automotive, it should be part of our agenda...

PROPOSED: Digital offers integrated into digital offers session
... Ted Guild to present automotive proposal at IG FTF meeting

<manu> Ian: I continue to hear a growing number of automotive use cases, number of auto companies doing work at W3C is growing, we've had conversations with them in the past, they still want to move this forward.

<manu> +1 to include automotive

dezell: +1

<manu> +1 to include Ken's security discussion

<dezell> +1 to security

<adam> +1

<todd_a> +1

+1

<manu> +1 for digital receipts - understanding how the ecosystem works.

<dezell> +1 for working to revise

<manu> how do you provide endpoint for storage, and send to endpoint.

<manu> I can offer to help on digital receipts because it's important to Digital Bazaar. Adam may be looking into it.

IJ: I have not understood what the problem is yet.

dezell: I have been working on a list of benefits.

IJ: What is preventing us from achieving those benefits today?

dezell: We don't have a single way of doing it

IJ: I am not convinced that consistency of receipt format is not the main problem (or one for W3C to address)

<Zakim> manu, you wanted to outline the problem - how does a digital wallet store a digital receipt? What's the interaction look like?

manu: +1 to digital receipt format. We want to be able to store them.
... right now we have no idea how merchant gets receipt to customer

Ian: Strongly +1 to consideration of the protocol to get merchant receipt to user payment app

<manu> Ian: I am interested in the digital receipt storage solution

<dezell> Note that "format" is not the same as content.

Summary of Action Items

[NEW] ACTION: David to work with Manu and Linda to flesh out the digital offers agenda and determine whether 2 hours is needed rather than 1.5 [recorded in http://www.w3.org/2017/02/24-wpay-minutes.html#action01]

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.148 (CVS log)
$Date: 2017/02/24 15:40:58 $