15:26:22 RRSAgent has joined #wpwg
15:26:22 logging to http://www.w3.org/2017/05/30-wpwg-irc
15:26:25 Zakim has joined #wpwg
15:26:31 Meeting: Gateway Tokenization
15:26:40 Scribe: Ian
15:32:34 is there a webex going? I receive a "meeting not started" message.
15:32:39 we have a Skype thing
15:32:40 hold on
15:33:44 thanks
15:33:51 alyver has joined #wpwg
15:34:02 alyver has left #wpwg
15:34:56 ClintonA has joined #wpwg
15:35:22 Please note: this week's call on gateway tokens not the full tokenization task force...but all welcome to join!
15:37:20 I do not have Skype Connection details.
15:38:05 I am sending them to you
15:39:43 topic: Gateway tokens
15:39:55 Manash: Let's use this call to identify the major gateway token approaches
15:40:12 ...where there are commonalities
15:40:24 ...second, when a merchant integrates with W3C we want to show that onboarding process is simple
15:40:44 ..how do you create a process by which the merchant can support multiple gateway tokens without having to specify each item?
15:41:00 ...from a large merchant perspective, what are the benefits of gateway tokens? (and tokenization generally)
15:42:41 present+ Manash
15:42:45 present+ Clinton
15:42:47 present+ alyver
15:42:51 present+ oyiptong
15:42:53 present+ Ian
15:43:03 present+ Steve
15:43:26 https://docs.google.com/spreadsheets/d/1v1BPvR7Z7apBrxSNgTF-ifYJAvLEECYh7tHW-cpSUq4/edit#gid=0
15:43:48 topic: Commonalities
15:43:53 agenda+ Commonalities
15:44:00 agent+ Simple onboarding possible?
15:44:08 agenda+ Benefits of gateway tokenization?
15:44:15 agenda?
15:44:22 alyver has joined #wpwg
15:44:32 alyver has left #wpwg
15:44:38 agenda+ Simple onboarding
15:44:44 agenda?
15:44:51 q+
15:45:03 ack ol
15:45:05 ack oyiptong
15:45:22 zakim, take up item 2
15:45:22 agendum 2. "Benefits of gateway tokenization?" taken up [from Ian]
15:45:29 oyiptong: I'd like to speak about benefits to Airbnb....first is security
15:45:37 ..it's more secure for our customers
15:45:53 ...on our end, it allows us to not have most of our infrastructure need to be PCI/DSS compliant
15:46:04 ..but in terms of other merchants, it lowers the barrier to entry to doing ecommerce
15:46:10 ...activation cost is lower
15:46:26 ...we still have pci/dss compliant infrastructure, but with tokens, we can reduce the space of the infrastructure that needs to comply
15:46:40 ...also gateway tokenization lets us do offline transactions security (recurring)
15:46:53 ...having card on file in some form allows us to do different types of payment methods
15:47:23 Manash: Right now, Airbnb had form fill and Airbnb stores that card....and user can also use PayPal
15:48:02 alyver has joined #wpwg
15:48:20 Manash: Let's say the card PAN number changes or card is reissued or a fraudulent transaction is reported and a card is blocked, how do you update your database?
15:48:36 oyiptong: We receive different responses from the gateway telling us about the status of the token
15:48:45 ..if it's something that is retry-able we might try later
15:49:02 ..and we send comm to the user letting them know that a payment was not accepted and they are returned to another checkout page
15:50:03 ..the way that we communicate with the gateway is non-standard...gateways don't have standard (exception) response codes and behaviors
15:50:19 Steve: I don't know if you can standardize that part of it
15:50:30 ...every payment gateway is different and a lot depends on the marketplaces they focus on
15:50:45 ...e.g., our API might be geared to hospitality industry
15:51:21 Manash: I think there are three use cases that are relevant
15:51:23 q?
15:51:32 - one time transaction
15:51:49 - recurring transactions
15:52:27 ...other services that are typically part of card on file is to manage card changes
15:52:35 ..or card attribute changes
15:52:47 q+ on interoperability
15:53:04 q+ to discuss Shopify's implementation and usage of gateway and network tokens.
15:53:19 Manash: You want high acceptance (and avoid false declines)
15:53:34 ...for Airbnb, are there different gateways in different countries?
15:53:37 oyiptong: yes
15:53:47 ..having a standard allows for some gateway interoperability
15:54:12 ...we also do this for risk mitigation
15:54:17 ..redundancy
15:54:28 ...and competition
15:55:12 Manash: There are also opportunities to optimize among gateways based on information like time, acceptance rate, other parameters
15:55:34 ...large merchants more likely to use multiple gateways (than smaller merchants)
15:56:14 Steve: Regarding the tokenization part of the question...there are really 2 types that are focused on ecommerce....
15:56:30 ...card on file (esp for large merchants)
15:56:51 ...but for small merchants, there is often direct connection to PSP (so merchant never sees PAN)
15:57:24 [IJ what is the terminology here? "hosted solution" v. ....?]
15:57:48 alyver: Stripe.js (creates token) or Braintree hosted fields hosted in iframes
15:57:52 ...or a hosted redirect
15:58:51 oyiptong: We have a page with iframes to gateways..but that still needs to be PCI/DSS compliant. That's because we need to customize the page to make it work for the customer, and the various gateway providers don't provide that level of customization
15:59:04 Steve: Right, larger merchants want more control over the user experience
15:59:33 adamR has joined #wpwg
16:00:13 Ken has joined #wpwg
16:00:21 mweksler1 has joined #wpwg
16:00:41 Manash: Open question - different gateways handle card updates and fraud mitigation in different manners
16:00:48 ..I think our focus will be on commonalities
16:01:09 ...if you are a merchant and you use PR API...the intention is that you work with a few gateways,
16:01:26 ...what is the burden on the merchant of declaring support for tokens?
16:01:38 ....will merchant need to indicate (in request data) supported gateway tokens?
16:01:48 q+ on interface
16:03:24 ack oyiptong
16:03:24 oyiptong, you wanted to comment on interoperability and to comment on interface
16:03:30 sorry, just realized we were using queues
16:03:33 oyiptong: I think both Manash and Steve have hit the crux of the issue
16:03:37 MANASH_MC has joined #WPWG
16:03:43 ...we'd like a standard way to specify different payment methods with different parameters
16:03:58 ...yes, there needs to be an existing relationship with the PSP ... we provide them with a merchant ID
16:04:19 ...android, for example, has a config in the payment request...as a payment method they allow for params to send information to each gateway
16:04:43 ...then there might be some communication (e.g., confirmation that gateway has tokenized the PAN)
16:05:14 alyver: I shared that view on the last call - the android pay PR API implementation allows you to specify which provider, and the chrome implementation will call the vault and get a token back and that gets passed back to the merchant
16:05:22 ...the customer doesn't know anything about gateway tokens
16:05:33 ...they just know they want to pay with their credit card
16:05:35 q+
16:05:37 ack aly
16:05:37 alyver, you wanted to discuss Shopify's implementation and usage of gateway and network tokens.
16:06:14 alyver: Our use cases are similar to Airbnb's...can go into more detail
16:06:16 +1 on alyver
16:06:18 Manash_MC_ has joined #WPWG
16:06:50 alyver: We are a platform that supports 400K merchants, but they use our (hosted) checkout...we are in the flow of the transaction...we have our own PCI environment
16:07:14 ...we securely store data...we also have "Shopify me" where users can store information with us, to streamline checkout across merchants running our platform
16:07:24 ...in that way we have our own tokenization solution
16:07:34 ..we have our own payment gateway but support several hundred others downstream
16:07:39 ...we support the *Pay flows
16:07:56 ...we do offer support for third party gateways like Stripe for some of our marketplaces and channel partners
16:08:07 ...usually we've done the integration with the channel partner
16:08:40 ...marketplaces where merchants have relationship with Stripe..they pass on token to us and we send it on through to Stripe
16:09:08 Manash: How does shopify tokenization work?
16:09:16 ...user enters card information and creates "in house" token
16:09:32 alyver: We recognize them for subsequent transactions (since we have card on file) and reuse the token
16:09:41 Manash: Would you also be sending information to Stripe?
16:10:32 alyver: No. When a merchant has a relationship with, say, Stripe we pass information on to Stripe. When customer is checking out (using Shopify API) the gateway token is sent through the API
16:10:48 ..we don't support all the gateway token providers; limited integration
16:11:17 q+ on gateway specification
16:11:24 Manash: (Recap)....today merchants say "they support gateway tokens"...and then they could forward the information to the gateway with whom they have a relationship
16:11:44 ...currently you can't reuse a token across multiple gateways...
16:11:54 +q
16:12:01 q-
16:12:21 oyiptong: Thank you for bringing up the topic - reusing tokens across gateways
16:12:33 ...there are advantages to that - makes granularity of revocation easier
16:12:51 q+
16:13:03 ...right now we cannot specify which gateway to speak with ... ideally the PR API could provide data about which gateway to route to
16:13:29 ...I imagine a world where we could specify multiple tokens at once...that would be beautiful
16:13:34 Manash: How would that work?
16:14:12 oyiptong: I think it's a problem that larger merchants have. They want to increase acceptance rate and redundancy and competition ...having the ability to control on the merchant side would be the benefit
16:14:37 Manash: In order to support multiple gateways....would help merchants achieve, say, better rates / optimization
16:14:42 ...helpful for me to hear the rationale
16:14:47 ack oy
16:14:47 oyiptong, you wanted to comment on gateway specification
16:14:48 ack sh
16:15:24 Steve: Are we talking about separating roles further here?
16:15:57 mweksler1 has joined #wpwg
16:16:02 grr
16:16:19 q+ on separation
16:16:25 (go on)
16:16:55 -----
16:17:11 * easier to get tokens
16:17:12 * easier to reuse tokens across gateways
16:17:22 it's choppy
16:18:03 Join by phone 1-636-722-2222 USA-Canada Local-Caller Paid (United States) English (United States) 1-816-713-4466 USA-Canada Local-Caller Paid (United States) English (United States) 1-844-802-4805 USA-Canada Toll Free (United States) English (United States) Find a local number Conference ID: 4957039
16:19:05 cweiss has joined #wpwg
16:19:36 q?
16:19:49 Manash: I think we have covered (1) why important to merchants
16:19:58 (2) token acceptance criteria
16:20:04 q+
16:20:20 Manash: having interop of tokens could provide advantages to large merchants
16:20:35 ....regarding topic 3: similarities among token formats
16:21:11 ack alyver
16:21:32 alyver: I'd like to revisit oyiptong's use case - redundancy across gateways and being able to tokenize in multiple locations
16:21:42 ..but most merchants are likely to have a relationship with a single gateway provider
16:22:07 ...in terms of use case, wouldn't you still require clear text card for your own purposes before tokenizing with MULTIPLE gateways?
16:22:21 oyiptong: Not right now. That is correct we might have some use cases for PAN
16:22:36 ...but I agree with you that the redundancy is a large merchant need
16:23:00 ..I think if we create a system with less friction we will help merchants of all sizes
16:23:11 I agree that it can benefit smaller merchants by reducing costs.
16:23:32 mweksler1 has joined #wpwg
16:23:46 q?
16:24:03 alyver: Agree that if this were available to small merchants, could still help them e.g., in switching providers
16:24:26 ...at the same time, I wanted to bring to peoples' attention here "PAN forwarding"...some companies have business models where you vault with a company
16:24:40 and they will gladly forward a PAN to any of hundreds of gateways they connect with
16:25:01 oyiptong: I think the interop we are talking about here could facilitate that model
16:25:06 ack oyiptong
16:25:06 oyiptong, you wanted to comment on separation
16:25:24 ======
16:25:42 * reuse tokens across gateways
16:26:21 * making it easier for merchants to get tokens when they build or use a checkout page
16:27:33 q+
16:27:45 https://docs.google.com/spreadsheets/d/1v1BPvR7Z7apBrxSNgTF-ifYJAvLEECYh7tHW-cpSUq4/edit#gid=0
16:28:19 MANASH_MC has joined #WPWG
16:29:49 IJ: Are there other "interop things" we imagine doing?
16:29:51 ack shift4sms
16:29:52 ack me
16:30:15 shift4sms: What I think we would need to define in this is almost like a DNS server capability where the merchant says "I'm using such and such a gateway"
16:30:23 ..then a DNS lookup to figure out what the gateway supports
16:30:33 ..and client can get stuff
16:30:52 ...then the token itself...maybe could be accomplished by metadata
16:30:53 q?
16:31:19 Ian: your voice dropped
16:31:23 Response data I imagine:
16:31:30 * Token
16:31:37 * Metadata to use the token (e.g., type, provider, etc.)
16:31:42 we can hear you
16:32:35 Do we know the request data and response data?
16:33:41 Questions:
16:33:48 1) what does the payment method spec look like?
16:34:02 2) Other than a payment method spec, what interop goals do we have (e.g., token reusability across gateways)?
16:34:18 I have made the request to generate http://www.w3.org/2017/05/30-wpwg-minutes.html Ian
16:34:23 RRSAgent, set logs public
16:34:32 Manash: What we discussed today I think answers those questions in part
16:35:08 ...in terms of dataset, I don't think there's any difference
16:35:28 ...suppose a merchant reaches a gateway and says "tokenize this" I don't see much difference across formats
16:36:24 Flow:
16:36:29 Merchant: Get me a token!
16:36:30 q+ on token flow
16:36:36 Browser: Hey user, pick an app
16:36:40 User: I want to pay with this
16:36:43 App: Tokenize this!
16:36:48 Browser: here you are merchant
16:37:01 Merchant: I don't want to see this, it goes straight to my gateway with "how to use" data
16:37:17 ack oy
16:37:17 oyiptong, you wanted to comment on token flow
16:37:22 q+
16:37:26 oyiptong: I think you got it mostly right
16:37:36 ..the merchants do want the tokens is so that we can keep on file for recurring transactions
16:37:56 ...we want to say which gateway we want to do the tokenization
16:38:09 ...ideally we'd like to get the token back
16:38:12 q+
16:38:16 ack MA
16:38:28 MANASH_MC: The other situation...suppose W3C supports both network and gateway tokens
16:38:41 q+
16:38:54 ...payment app can send back an EMV Token as well
16:39:02 ...now the merchant is getting back an EMV token
16:39:15 ....in that situation, the merchant should be able to handle how it works with its gateway
16:41:07 ack Clin
16:41:09 ack me
16:41:18 IJ: We can treat EMV tokens the same way
16:41:28 ...merchants decide what to do with it (handle it or send through API)
16:42:12 Clinton: I think at a high level, the type of token that is requested should be determined by the merchant request properties
16:42:15 (IJ: +1)
16:42:27 Clinton: If there's an API that's possible, it should be common across whatever the token type
16:44:34 alyver has joined #wpwg
16:44:37 IJ: +1 to (1) merchant decides what they accept and (2) merchant decides what they do with that
16:44:50 ...let's assume we have the mechanisms available to enable merchants to do that
16:45:40 https://github.com/w3c/webpayments-methods-tokenization/wiki
16:46:44 +1 can help with parameters for tokens
16:47:09 https://github.com/w3c/webpayments-methods-tokenization/wiki/gateway_params
16:47:15 \o/
16:47:26 +1 on Mission statement
16:47:31 mweksler1 has joined #wpwg
16:47:42 +1 on Mission statement too if you need help
16:48:02 ACTION: Manash (e.g., to work with Ian) to update mission statement with refined understanding, scope, interoperability goals, benefits
16:48:03 Created ACTION-58 - (e.g., to work with ian) to update mission statement with refined understanding, scope, interoperability goals, benefits [on Manash Bhattacharjee - due 2017-06-06].
16:48:06 +1 on mission stmt
16:48:23 ACTION: Oyiptong to begin to write down request/response params
16:48:24 Created ACTION-59 - Begin to write down request/response params [on Olivier Yiptong - due 2017-06-06].
16:49:04 RRSAgent, make minutes
16:49:04 I have made the request to generate http://www.w3.org/2017/05/30-wpwg-minutes.html Ian
16:49:15 Ian: +1 for mweksler and I on mission statement as well
16:49:44 IJ: We can review at 6 June call and have people say whether they agree with mission updates
16:49:53 Topic: Next meeting
16:49:56 6 June full task force meeting
16:50:00 sounds good !
16:50:02 +1
16:50:07 I have made the request to generate http://www.w3.org/2017/05/30-wpwg-minutes.html Ian
16:51:19 I have made the request to generate http://www.w3.org/2017/05/30-wpwg-minutes.html Ian
16:51:28 RRSAgent, set logs public
16:52:31 RRSAgent, bye
16:52:31 I see 2 open action items saved in http://www.w3.org/2017/05/30-wpwg-actions.rdf :
16:52:31 ACTION: Manash (e.g., to work with Ian) to update mission statement with refined understanding, scope, interoperability goals, benefits [1]
16:52:31 recorded in http://www.w3.org/2017/05/30-wpwg-irc#T16-48-02
16:52:31 ACTION: Oyiptong to begin to write down request/response params [2]
16:52:31 recorded in http://www.w3.org/2017/05/30-wpwg-irc#T16-48-23