12:54:24 <RRSAgent> RRSAgent has joined #autopay
12:54:24 <RRSAgent> logging to http://www.w3.org/2017/10/19-autopay-irc
12:55:23 <Ian> Meeting: Automotive Web Payments Task Force
12:55:24 <Ian> Chair: Ian
12:55:34 <Ian> Agenda: https://github.com/w3c/automotive-pay/wiki/Agenda-20171019
13:00:17 <Ian> present+
13:00:20 <Ian> present+ Ted
13:00:22 <Ian> present+ Matt
13:01:03 <Ian> present+ JohnStrutton
13:01:08 <Ian> present+ AdamCrofts
13:01:21 <Ian> regrets+ Rodrigo
13:01:26 <Matt> Matt has joined #Autopay
13:02:10 <AdamC> AdamC has joined #autopay
13:02:32 <john_s> john_s has joined #autopay
13:02:33 <Ian> https://github.com/w3c/automotive-pay/wiki/PayAtPumpExplainer
13:02:45 <ted> scribenick: ted
13:03:07 <ted> Ian: we are still in the process of building agenda for our F2F meeting at TPAC
13:03:09 <Ian> ---> https://github.com/w3c/automotive-pay/wiki/Agenda-20171019 Agenda
13:03:22 <ted> -> https://www.w3.org/2017/11/TPAC/ TPAC
13:03:34 <Ian> https://github.com/w3c/automotive-pay/wiki/PayAtPumpExplainer
13:04:07 <ted> Ian: last call we asked people to flush out use cases they were interested in
13:04:19 <ted> … I took a pass at an explainer for pay at the pump
13:04:58 <ted> … ultimately I felt somewhat comfortable saying there are limitations in payment method implementations and fraud prevention that digital/web payments may help overcome
13:05:32 <ted> … taking a look from cost reduction, convenience and improve security
13:05:57 <Ian> q+ to talk about First Data
13:06:00 <ted> Adam: we have previously built an application with Shell
13:06:19 <ted> … some information about the user is stored in the vehicle regarding their account
13:06:49 <ted> … various systems like OCR for plates aren't integrated at this point for unlocking the pump
13:08:05 <ted> Ian: I have seen a prototype of an integrated solution from FirstData at a conference
13:08:28 <ted> … I was told the regulatory requirements are complex
13:09:40 <ted> … unsure if that applies when it is the phone versus the car
13:09:45 <AdamC> Whilst petrol stations have ANPR (not OCR), they are not directly linked to the users and their accounts, they are purely for security.
13:10:21 <ted> Matt: you should not engage in your phone in any way while vehicle is in motion. it could interact with the vehicle and internet in the background
13:10:33 <AdamC> It was also john_s, rather than myself
13:11:02 <Ian> IJ: I Wanted to separate "safety" from "how data flows"
13:11:02 <Ian> q?
13:11:04 <Ian> ack me
13:11:04 <Zakim> Ian, you wanted to talk about First Data
13:11:48 <ted> Ian: after considering the problem statement, the opportunity is about streamlining, improving security etc
13:12:00 <ted> … we would have to treat poor or no connectivity differently
13:12:28 <Ian> http://www.plantuml.com/plantuml/proxy?fmt=svg&src=https://raw.githubusercontent.com/w3c/automotive-pay/gh-pages/flows/geolocation.pml
13:12:56 <ted> … station owner (or chain) could have a site that phone or car could interact with it to complete payment
13:13:08 <Ian> http://www.plantuml.com/plantuml/proxy?fmt=svg&src=https://raw.githubusercontent.com/w3c/automotive-pay/gh-pages/flows/ble.pml
13:13:42 <ted> … this UML shows the different paths for how the pertinent payment link is delivered. it can be done via NFC, BLE, GPS etc
13:13:46 <ted> q+
13:14:07 <ted> … this raises some security issues
13:14:36 <Ian> ack ted
13:16:36 <ted> Ian: FirstData limited the problem by having pre-existing relationships with stations elsewhere
13:17:33 <ted> s/ack ted/Ted: to avoid eg a bogus beacon, your vehicle could send GPS so payment provider can align before letting payment proceed/
13:17:48 <ted> s/AdamC:/JohnS:/
13:18:55 <ted> JohnS: there is a merchant certificate that is transferred to the device eg ApplePay at the outset
13:19:18 <ted> Ian: yes, our API aligns well with Apple with the exception of the merchant certificate part
13:20:03 <ted> … since on the web you may not have a previous relationship with the merchant. that can help and we have a proposal in the WG for addressing that
13:21:44 <ted> … there is business value in doing more on the web and not having heavy, constantly updating apps
13:22:06 <ted> Adam: we definitely want a standard payment process which can interact with any bespoke service provider we deal with
13:22:26 <ted> … having this genericized would definitely help
13:22:50 <ted> Ian: [typing on the wiki
13:22:58 <Ian> https://github.com/w3c/automotive-pay/wiki/PayAtPumpExplainer
13:23:12 <ted> … there might not need a prior relationship with the service station
13:23:41 <ted> JohnS: while that makes sense the OEM wants to retain control to its app market
13:24:00 <ted> … they may want to limit based on partnerships
13:24:03 <ted> q+
13:25:00 <ted> Ian: even without partnerships you can monetize and direct to preferred stations without discarding others
13:25:13 <ted> … there are other ways to monetize
13:26:09 <ted> JohnS: we can implement the various steps in your UML up to 6 readily
13:26:27 <ted> … security issues are reduced when you have the previous merchant relationships
13:26:28 <Ian> John: We can enhance security based on database of locations and relationships (can be monetized)
13:27:05 <Ian> ack ted
13:27:15 <Ian> John: We could start with subset of merchants, then allow them to onboard easily
13:27:21 <Ian> Ted: John touched on part of what I wanted to say
13:27:50 <Ian> ...OEMs will control the app marketplace and have the opportunity to establish partnerships
13:28:24 <Ian> ...while you do want to leverage partnerships, you will also want to enable some additional relationships
13:30:06 <Ian> (IJ adds to fraud mitigation section: "OEMs may have partnerships with some merchants, and can increase security through an onboarding process. In this case, OEMs will also want to account for situations where users wish to get fuel from merchants that are not yet OEM partners.")
13:30:18 <ted> scribenick: ted
13:30:30 <ted> JohnS: on the merchant side you want to standardize processing
13:30:43 <ted> … OEM may want to provide a bespoke experience
13:31:21 <ted> … what needs to be returned to the merchant as part of the payload before proceeding
13:31:39 <ted> … I am keen to think about what information is necessary for this and other use cases like parking
13:31:57 <ted> Ian: in the vision outlined in the explainer the user is interacting directly with eg Shell
13:32:24 <ted> … Shell can ask me to provide any necessary information through their web service including pump number
13:32:48 <ted> … we can also make strides in streamling beyond just the payment piece
13:33:36 <ted> JohnS: in that scenario you are working with the merchants page and data needed
13:33:54 <ted> q+
13:35:06 <Ian> JohnS: Might be interesting to bundle other data relevant to the transaction (e.g., pump number) with the payment payload
13:35:08 <Ian> ack ted
13:35:29 <Ian> Ted: This is HTML but is not necessarily a "page" that loads
13:35:47 <Ian> ..people are mixing and matching various technologies in practice
13:35:57 <Ian> ...I note payment request API is being implemented in webkit
13:36:32 <ted> Ian: I am looking for some validation that people are interesting in persuing this use case
13:36:41 <ted> +1 I think this is the highest profile use case
13:36:49 <ted> (perhaps the most complicated as well)
13:37:30 <ted> Ian: the starting off point is how to get the device (phone or car) the URL
13:38:10 <ted> … I hear it is a regulatory and liability problem
13:39:36 <ted> … everyone here is welcome to edit this wiki page and contributions are welcome
13:39:54 <ted> JohnS: how does the UX operate under 2FA?
13:40:15 <ted> Ian: in some sense the ecosystem consists of merchant with buy button on their website
13:40:46 <ted> … it returns credentials, shipping address etc. browsers are starting to ship with ability to integrate with payment apps
13:41:09 <ted> … some data may be stored in browser and relayed to merchant and defer to the app for the transaction
13:41:36 <ted> … there is discussion in the Web Payments WG around 3d secure without further user verification
13:42:10 <ted> … we expect the strong auth to come from underlying payment app and send tokens through encrypted pipe
13:42:47 <Ian> https://w3c.github.io/webpayments-methods-tokenization/index.html
13:43:08 <ted> Matt: we recognize tokenization isn't universal yet but we're moving that way
13:43:41 <Ian> Ted: We could work on more than one use case.
13:44:02 <Ian> ...do people want to focus on this one or start to explore others like parking or tolls?
13:44:25 <ted> Adam: as a team here at JLR we are looking at the other use cases as well
13:44:46 <ted> John: I think it comes down to the payment types, fuel needs to be pre-authorized
13:45:13 <ted> … if we segment the workflow then common components will apply to other use cases such as parking
13:45:41 <ted> Ian: what we have done so far in web payments is streamline checkout
13:46:13 <ted> … there are a number of things in our queue such as recurring payments, preauth and those are on agenda for F2F
13:47:09 <ted> … cards on file get stale. through API it can know when you update your credit card and could as a convenience communicate that out to recurring service needs
13:47:32 <Ian> present+ Evgeny
13:47:54 <ted> Ian: Tolls and parking are of interest
13:48:33 <Ian> Topic: Toll roads
13:48:37 <ted> Adam: there are a couple interesting use cases for handling Tolls
13:48:48 <ted> … they vary widely across the world
13:49:11 <ted> … some use ANPR and give owner N days to make payment
13:49:36 <ted> … others can be handled with a toll and credit card
13:49:51 <ted> John: some have card on file and use RF and create charge automatically
13:51:02 <ted> Ted: here I keep 40US on my RF account, if there is an issue eg stale card I get flashing yellow at toll
13:51:11 <ted> Ian: what is broken today?
13:51:35 <Ian> Ted: One thing that's broken is "wide variety" around the world
13:53:11 <ted> Ian: two main cases are prepaid/card on file or pay within N days
13:55:16 <Ian> Ted: What user confirmation is required for transaction?
13:56:35 <ted> Ian: web payments doesn't require user confirmation but PCI in some cases prevents storing of CVV and considers entry as confirmation
13:56:58 <ted> … there could be logic in the payment app for a certain type of payment (toll) to proceed
13:57:12 <ted> … it is possible
13:57:36 <ted> (avoid distracting driver)
13:58:12 <ted> Adam: what about use case of paying tolls at the end of your journey? user can choose which payment method they wish for all the tolls incurred on the trip
13:58:28 <ted> Ian: I like and that is a good UX
13:59:06 <Ian> +1 to a consistent user experience where the car helps me manage interactions with different merchants (e.g., pre-order food, buy fuel, pay tolls)
13:59:18 <Ian> ..the car helps me manage my merchant needs.
13:59:37 <ted> John: what is the value on doing this from car instead of just from someone's phone?
14:00:05 <ted> Ian: from user perspective I can see both, from car point of view the partnerships
14:00:33 <ted> Adam: apps can be preinstalled. user might not want to download an app to complete a transaction
14:01:17 <ted> Ian: app on phone can know you have pending tolls and you can pay that while waiting in queue at movie theater...
14:02:45 <Ian> [Discussion of "phone" v. "head unit"]
14:03:32 <ted> Ted: both and pairing and being able to get to pending and completed transactions from either has many advantages to the user
14:04:09 <ted> Ian: I encourage people to work on UML mockups and contribute to wiki
14:04:42 <ted> Ian: the BT folks have a proposal that came out this week
14:04:59 <ted> Topic: Next meeting
14:05:36 <Ian> IJ: Let's hammer on this over the next week and see if we can refine it / raise issues
14:05:46 <Ian> Next meeting - 26 October at 9am ET
14:06:55 <RRSAgent> I have made the request to generate http://www.w3.org/2017/10/19-autopay-minutes.html Ian
14:06:59 <ted> Ted encourages JLR to open up use cases they're working on
14:07:05 <ted> John: will do
14:07:06 <RRSAgent> I have made the request to generate http://www.w3.org/2017/10/19-autopay-minutes.html ted
14:07:08 <Ian> RRSAGENT, set logs public
15:51:22 <Zakim> Zakim has left #autopay
16:01:16 <Ian> RRSAGENT, bye
16:01:16 <RRSAgent> I see no action items