<scribe> Scribe: Ian
https://github.com/w3c/webpayments-methods-tokenization/wiki/Tokenized-Card
[Ian background]
Tokenized Card Payment Method Updates
https://github.com/w3c/webpayments-methods-tokenization/wiki/Tokenized-Card
Sachin: PCI, Encryption are moved
down since in development
... the PCI scope notes are heads-up...
... we also updated the request/response definitions
... clearer now what is for "display" v. "transaction"
... we made some MC things Optional
(e.g., trid)
scribe: encryption is required
for this payment method
... but encryption details are deferred to the other work of
this task force
... the request has been streamlined
... almost identical to basic card request
... with some bits from PR API itself
<crallen> I cannot connect to github for some reason. :(
Manash: I am wondering whether
the group thinks we are sufficiently far along to speak more
directly with the browser vendors
... to get some implementation experience...what does this task
force feel?
IJ: Do you mean native browser implementation of the payment method?
Manash: We are working with Cap
One and Worldpay on a prototype of this payment method
... in order to implement the prototype we need recognition of
the short string
Sachin: We may also want to talk about browser implementation of the payment method itself
Peter: We are definitely interested in tokenization (at Mozilla).
IJ: What are the steps you'd like to go through?
Sachin: Move to more formal specification and ask for short name support to start prototyping.
Manash: I recommend that we add this to our next week agenda: yea or nay on requesting moving forward with browser implementation, then if supported move to the main WG session.
https://w3c.github.io/webpayments-methods-tokenization/index.html
<scribe> ACTION: Ian to move wiki to https://w3c.github.io/webpayments-methods-tokenization/index.html after 16 Jan call
<trackbot> 'Ian' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., IFSF-EFT-WG-Lead, ijacobs, ijmad).
<asolove> I can commit to doing a review and gathering feedback from Stripe.
<scribe> ACTION: AdamSolove to review the Tokenized Card Payment Method spec, due 16 January
<trackbot> Error finding 'AdamSolove'. You can review and register nicknames at <http://www.w3.org/Payments/WG/track/users>.
<scribe> ACTION: stpeter to review the Tokenized Card Payment Method spec, due 16 January
<trackbot> Created ACTION-75 - Review the spec, due 16 january [on Peter Saint-Andre - due 2018-01-16].
https://github.com/w3c/webpayments-crypto/wiki
https://github.com/w3c/webpayments-crypto/wiki/Encryption
https://github.com/w3c/webpayments-crypto/wiki/Signatures
IJ: Trying to get security reviews and early prototyping
Sachin: I will look at this this
week from a tokenization POV
... I will also see if I can get some review from our security
team by our next call
IJ to Peter: Could you ask internally whether appetite to experiment?
Peter: I will check
... Would be good to have a description of threat model
... are there other attacks we have in mind.
+1 to getting security people to speak to that
Peter: Will need to dig down into, e.g., how to use the IETF specs
<crallen> +q
<stpeter> sorry, I haven't been using "q+"
crallen: From a data security
perspective, whatever exists within PCI for data-at-rest is
good for PAN and token
... if people are storing PAN and tokens in the same location,
they may fall under the additional guidance from PCI about the
token environment
... for payment tokens specifically
IJ: I am happy to reach out to PCI if we have specific questions
16 January
<crallen> PCI Contact Troy Leach for PCI interactions
Then propose to update the spec and discuss on 18 Jan implementing the short name
<asolove> What is the right format for feedback? Just bring items to discuss, or write it somewhere?
=> https://github.com/w3c/webpayments-methods-tokenization/wiki/Tokenized-Card
Tokenized Card Payment Method
Encryption => https://github.com/w3c/webpayments-crypto/wiki
Ken: Can we stick around to do some meeting planning?