15:29:11 <RRSAgent> RRSAgent has joined #wpwg
15:29:11 <RRSAgent> logging to http://www.w3.org/2017/05/02-wpwg-irc
15:29:15 <Zakim> Zakim has joined #wpwg
15:29:19 <Ian> Meeting: Tokenization Task Force
15:29:23 <Ian> Chair: Roy
15:29:26 <Ian> Scribe: Ian
15:31:04 <Ian> present+
15:31:07 <Ian> present+ Christian
15:31:09 <Ian> present+ Olivier
15:31:34 <Ian> present+ Stan
15:33:37 <Ian> present+ Roy
15:34:00 <Ian> regrets+ AdrianHB
15:35:39 <Ian> Topic: The project
15:35:49 <mweksler> mweksler has joined #wpwg
15:35:50 <Ian> Roy: What do we need to do to get the spec to a place where it is supported?
15:36:05 <Ian> oyiptong: We did get some feedback in Chicago
15:36:22 <Ian> ...next steps included the possibility of multiple payment method specs
15:36:25 <Ian> q+
15:36:38 <Ian> present+ Sachin
15:36:43 <Ian> present+ Manash
15:37:31 <Roy> Roy has joined #wpwg
15:37:37 <SachinAhuja> SachinAhuja has joined #wpwg
15:37:38 <Manash> Manash has joined #WPWG
15:38:03 <Ian> https://www.w3.org/2017/03/24-wpwg-minutes#item03
15:38:40 <Ian> IJ: what problems do we want to solve?
15:39:49 <Ian> Roy: My rendition of "what problem we want to solve": basic card is a bootstrapping mechanism. Where we want to go as an industry is toward tokenization
15:40:03 <oyiptong> q+
15:40:05 <Ian> ...so the purpose of the spec is to make it easier to do tokenized (card) payments
15:40:06 <Ian> ack me
15:40:12 <Ian> ack oy
15:40:45 <Ian> oyiptong: If I may, I know you just mentioned that gateway tokens might be too proprietary ... I would like for us to consider also creating a gateway token spec
15:40:46 <Ian> q?
15:41:09 <Manash> q+
15:41:19 <Ian> roy: It's not that we don't think it's valuable, but we think that the inputs/outputs are so different, we weren't sure how to produce a payment method spec
15:41:20 <Ian> ack man
15:41:48 <Ian> manash: MC joined W3C the week before last. Sachin and I will be representing MC in the task force and we're happy to be here.
15:42:16 <Ian> ..MC (as well as Visa, Amex) have been promoting tokenization in the market for some time. EMVCo's standard has been adopted by issuer banks, acquirers, merchants, and gateways
15:42:51 <Ian> ..there are different types of tokenization...there is card on file but also card on file on the merchant side
15:43:04 <Ian> ..you can generate cryptograms through cloud-based methods
15:43:08 <Ian> ..there are tokens on secure elements
15:43:12 <Ian> ..there are tokens in the cloud
15:43:29 <Ian> ...we should look at existing standards in the market
15:43:48 <Ian> ...we think that tokens are more secure (than PAN)
15:43:52 <Ian> ..and also liability shift is an important consideration
15:44:15 <Ian> ....we should also understand what should motivate merchants when they adopt tokenization
15:44:24 <oyiptong> q+
15:44:27 <Ian> ack oy
15:44:34 <Ian> q+ oyipton
15:44:45 <Ian> sachin: I need some clarity on the drivers on this
15:45:13 <Ian> Roy: Spec had been focused on issuer/network tokens
15:45:20 <Ian> Sachin: the conversation is around acceptance...
15:46:05 <Ian> ...suppose stripe starts accepting network/issuer token...doesn't that solve e.g., the Airbnb use case and liability issue is covered?
15:46:07 <Ian> oyiptong: Yes
15:46:27 <Ian> Michel: I think issuer tokens would work, they would require a different integration than the one we have today, which is not a small undertaking.
15:46:45 <Ian> ..where olivier was going earlier was to try to create a standard that would more closely describe what many merchants have today
15:46:53 <Ian> ..where they have someone like braintree or stripe they integrate with .
15:47:01 <Ian> ...and those are gateway tokens
15:47:26 <Ian> ...I think that there are many merchants that have integrations like that....they get a token that they use
15:47:47 <Ian> ..I take roy's point that there's a lot of proprietary information, but I think that there's room to create a standard to make integration earier
15:47:57 <Ian> Sachin: There is merit in that conversation. The construct is similar
15:48:07 <Ian> ...there is definitely room for standardization. ...but
15:48:22 <Ian> ..the merchant might need to recode their backened to the new standard
15:48:29 <Ian> ..or there's a data arbitrage that does the conversion
15:49:07 <Ian> oyiptong: Where is tokenization done? At issuer level or gateway level?
15:49:13 <Ian> ..I think it doesn't matter as long as there is one standard
15:49:24 <Ian> ..but I think we need to account for a transition period
15:49:42 <stan> stan has joined #wpwg
15:49:45 <Ian> ...there will still be knowledge needed to generate the tokens
15:49:55 <Ian> ..we could align ourselves with something that exists
15:50:52 <Ian> Sachin: We are calling both these things "tokens"...but they are fundamentally different
15:51:03 <Ian> ...PSP token is an identifier of data kept in the PSP's data store
15:51:21 <Ian> ..the issuer token is a cryptogram that is associated with a single-use transaction that can also provide a liability shift
15:51:41 <Ian> mweksler: Yes, they are different as described, but in their pattern of use they are not so different
15:51:51 <Ian> ...e.g., the user provides a PAN and the merchant gets a token
15:52:03 <Ian> ..they do have different characteristics
15:52:11 <Ian> ...but the distinction for user or merchant is less clear
15:52:22 <Ian> ..the way that the data is transmitted to the acquirer is very different
15:52:35 <Ian> 1) PSP token - the regular PAN is eventually transmitted
15:52:49 <Ian> 2) Gateway - Cryptogram is transmitted and PAN never leaves the vault.
15:53:14 <Ian> Manash: there is also additional data that is communicated
15:53:29 <Ian> ...the nature of tokens is different.
15:53:37 <Ian> mweksler: What are the differences?
15:53:56 <Ian> Sachin: It might help for us to have an overview session regarding network tokenization ... but before we do that:
15:54:16 <Ian> ..in the case of a network token is what we are generating is a cryptogram that goes in a specific field in the message sent to the acquirer.
15:54:21 <Ian> ..the funding PAN is never transmitted
15:54:53 <Ian> ..so there are big differences in what data is transmitted.
15:55:46 <Ian> Stan: I will take the voice of our users...I think of merchants and users speaking in terms of gateway tokens
15:55:56 <Ian> ..if they are happy users of their gateways, they don't want to switch
15:56:05 <Ian> ...at the end of the day, users/merchants really do want gateway tokens
15:56:26 <Ian> ..if we only come up with a standard that excludes gateway tokens, we will end up with client-side javascript libraries
15:56:44 <oyiptong> +1
15:56:49 <oyiptong> q+
15:56:50 <Ian> ..even if the w3c standard is used under the hood, stripe, braintree, etc. would have to use their own APIs
15:56:57 <Ian> ...in client-side libraries
15:57:03 <Ian> ..that's one argument for including gateway tokens
15:57:26 <Ian> sachin: I hear that ... want to understand a bit more
15:57:53 <Ian> ...suppose you have a merchant who is not PCI compliant..they will continue to use gateway tokens...and any issuer tokenization needs to be handled, it will be handled by the gateway (e.g., behind the scenes)
15:58:13 <Ian> mweksler: I think what's important to think about is from the user/merchant perspective..t.he fact that we are doing gateway or network does not look that different
15:58:17 <Ian> ..the merchant "does not care"
15:58:29 <Ian> ...of course the tokens are used differently and have different security properties
15:58:40 <Ian> ...but if you look at what the user and merchant see using the standard, is that they have a similar experience
15:58:46 <Ian> ...the user provides a PAN and out comes a token
15:58:54 <Ian> q?
15:59:03 <Ian> queue==oyiptong
15:59:19 <Ian> mweksler: If the differences are big we might end up with 2 standards....
15:59:26 <Ian> Sachin: I think the diffs are fundamentally large
15:59:40 <Ian> ..we can write down both types, or sequence diagrams to help
15:59:47 <Ian> ack oyiptong
16:00:00 <Ian> oyiptong: I want to add to michel / stan...i think there are current business needs met with gateway tokens
16:00:19 <Ian> ..vaults are important for recurring payments
16:00:39 <Ian> Sachin: Agreed. These are fundamentally different constructs
16:00:48 <Ian> ..I think the w3c need my be more toward gateway tokens
16:00:56 <Ian> ..and behind the scene activity may be different
16:01:22 <Ian> Topic: Next meeting
16:01:25 <Ian> 9 May
16:02:25 <Ian> Stan: I think the right spec should be a layering of network tokens and on top of that gateway tokens
16:02:45 <Ian> Sachin: I will take 2 actions
16:02:50 <oyiptong> q+
16:02:51 <Ian> 1) Present network token spec as an example
16:03:02 <Ian> 2) Sequence diagrams for both network and gateway
16:03:05 <Ian> ack oyiptong
16:03:21 <stan> stan has joined #wpwg
16:03:25 <Ian> oyiptong: It seems like the network and gateway tokens are orthogonal and we could come up with an abstraction
16:04:02 <Ian> IJ: Maybe we start thinking about things as layers
16:04:12 <Ian> RRSAGENT, make minutes
16:04:12 <RRSAgent> I have made the request to generate http://www.w3.org/2017/05/02-wpwg-minutes.html Ian
16:07:20 <Ian> RRSAgent, set logs public
16:39:34 <hober> hober has joined #wpwg
17:27:17 <cweiss> cweiss has joined #wpwg
17:50:23 <Ian> rrsagent, bye
17:50:23 <RRSAgent> I see no action items