3DS Task Force

<scribe> Scribe: Ian

https://lists.w3.org/Archives/Public/public-payments-wg/2018May/0009.html

IJ: Any agenda changes?

Feedback from Singapore

IJ: Any feedback?
... Thanks Brian for participating patiently at all hours
... Anything shareable from the EMVCo meeting?

BrianPiel: I attended day one ... I didn't hear feedback directly about the next day's conversations

IJ: I heard browsers say they wanted to prototype but time frame uncertain

Ken: From my view there were three sections:

- Ian's slides; not sure how well they were understood

https://www.w3.org/2018/Talks/ij_3ds_201804/3ds-201804.pdf

- Browser/card network breakout

scribe: Sachin emphasized browser fingerprint role
... Sachin endeavored to recap Brian's slides about 3DS 2.0
... third topic was to determine any browser interest in initiating flows
... marcos indicated that there is not lack of interest, there is a bandwidth issue from his perspective
... so marcos requested technical discussion and JSON files
... I think the browser vendors were committed to looking more closely, but not immediately

Sachin: We are aligned
... the question of resources came up on the tokenization call as well

Brian: What are next steps and deliverables for this group?
... we walked away and said we would take on some of that to define some of the concepts and come up with a functional solution
... I noticed you had sent a few things around
... See documentation here: https://www.emvco.com/emv-technologies/3d-secure/
... would be good to determine roles and responsibilities in this task force

IJ: My suggestion would be to prioritize third-party payment handlers in the immediate term

BrianPiel: That makes sense to me
... suppose a web or native payment handler - what is required data when a merchant says they want to get a 3DS2 transaction
... a flag to say "I want 3DS" and additional data required to do so via a payment handler

Ian: +1

https://w3c.github.io/webpayments-methods-tokenization/index.html

IJ: And can we get some payment handler prototyping happening to validate the data model

BrianPiel: +1

IJ: could we do a hackathon with implementers over 2-3 days?

BrianPiel: that makes sense; we'd have to understand back end components
... so I would (1) define the strategy for the data set and put in a presentable format (2) how that works in a payment request world

https://github.com/w3c/3ds/wiki/request_params

IJ: I think we need a whiteboard

Brian: +1

IJ: I would like

- more FIDO/W3C/EMVCo conversations (and we are working on that)

- face-to-face time to white board flows, data models

- more work to convince ourselves of the value of third party payment handler approach and who would fulfill roles in the ecosystem

https://www.w3.org/2018/Talks/ij_3ds_201804/3ds-201804.pdf

asolove: +1 to that set of questions
... who will be parties that have responsibility and have control to issue these?
... issuers? card networks?
... EMVCo all cards in a wallet?

<asolove> imagine that I'm nodding my head in a semi-noticeable but deniable way

stpeter: when I think about these flows, issuers could issue payment handlers, but there are also contracts and trust relationships and could see (as we see with Apple Pay, for example), that there is an enrollment process through third party apps
... those handlers could be built by browser vendors but not part of the browser
... I'm curious where that leads

asolove: I think it's fair to say that tokenization is a pre-requisite for having payment handlers that do SCA.
... there will not be a world of third party payment apps that store PANs and who do 3DS.

IJ: Should we do in parallel or focus on tokenization?

asolove: Tokenization is different from the Tokenized Card Payment spec
... the tokenization that relates to 3DS will not necessarily align with just getting a tokenized card number

https://w3c.github.io/webpayments-methods-tokenization/index.html

IJ: And yet, eci is part of the tokenization spec, so that hints to me that the Tokenized Card Spec is being aligned with 3DS

asolove: I had assumed it would be a separate payment method

https://github.com/w3c/3ds/wiki/request_params

IJ: I think there is a flag and some other data about the merchant

asolove: It could be that the flag is more nuanced like "SCA if the customer is also in Europe"

IJ: Feel free to add to notes / use cases

Strategy Summary

• Look into third party payment apps as 3DS2 flow initiators
  • what are the data requirements?
  • what is the value of doing this over just merchant-side adoption?
  • who needs to be involved in the discussions?
  • what parties will distribute software?
• Meet face-to-face to white board this
• Organize prototyping activity once we've hammered out the data model
• Continue conversations with browser vendors on longer-term integration questions
• Foster conversations among EMVCo, FIDO, W3C on the overall picture of strong authentication

Ken: Has Mastercard has a prioritization in mind?

BrianPiel: We need to define the data set first
... and then determine how to bring it to the API

IJ: I think we can do the API design at a later date after figuring out how it works and how would do it.

Next meeting

17 May

candidate agenda items:

- revised payment handler based flows

- consider a ftf meeting this summer

- Ian to reach out to brian to chat about flows