<scribe> Scribe: Ian
https://lists.w3.org/Archives/Public/public-payments-wg/2018May/0009.html
IJ: Any agenda changes?
IJ: Any feedback?
... Thanks Brian for participating patiently at all hours
... Anything shareable from the EMVCo meeting?
BrianPiel: I attended day one ... I didn't hear feedback directly about the next day's conversations
IJ: I heard browsers say they wanted to prototype but time frame uncertain
Ken: From my view there were three sections:
- Ian's slides; not sure how well they were understood
https://www.w3.org/2018/Talks/ij_3ds_201804/3ds-201804.pdf
- Browser/card network breakout
scribe: Sachin emphasized browser fingerprint role
... Sachin endeavored to recap Brian's slides about 3DS 2.0
... third topic was to determine any browser interest in initiating flows
... marcos indicated that there is not a lack of interest, there is a bandwidth issue from his perspective
... so marcos requested technical discussion and JSON files
... I think the browser vendors were committed to looking more closely, but not immediately
Sachin: We are aligned
... the question of resources came up on the tokenization call as well
Brian: What are next steps and deliverables for this group?
... we walked away and said we would take on some of that to define some of the concepts and come up with a functional solution
... I noticed you had sent a few things around
... See documentation here: https://www.emvco.com/emv-technologies/3d-secure/
... would be good to determine roles and responsibilities in this task force
IJ: My suggestion would be to prioritize third-party payment handlers in the immediate term
BrianPiel: That makes sense to me
... suppose a web or native payment handler - what is required data when a merchant says they want to get a 3DS2 transaction
... a flag to say "I want 3DS" and additional data required to do so via a payment handler
Ian: +1
https://w3c.github.io/webpayments-methods-tokenization/index.html
IJ: And can we get some payment handler prototyping happening to validate the data model
BrianPiel: +1
IJ: could we do a hackathon with implementers over 2-3 days?
BrianPiel: that makes sense; we'd have to understand back end components
... so I would (1) define the strategy for the data set and put in a presentable format (2) how that works in a payment request world
https://github.com/w3c/3ds/wiki/request_params
IJ: I think we need a whiteboard
Brian: +1
IJ: I would like
- more FIDO/W3C/EMVCo conversations (and we are working on that)
- face-to-face time to white board flows, data models
- more work to convince ourselves of the value of third party payment handler approach and who would fulfill roles in the ecosystem
https://www.w3.org/2018/Talks/ij_3ds_201804/3ds-201804.pdf
asolove: +1 to that set of questions
... who will be parties that have responsibility and have control to issue these?
... issuers? card networks?
... EMVCo all cards in a wallet?
<asolove> imagine that I'm nodding my head in a semi-noticeable but deniable way
stpeter: when I think about these flows, issuers could issue payment handlers, but there are also contracts and trust relationships and could see (as we see with Apple Pay, for example), that there is an enrollment process through third party apps
... those handlers could be built by browser vendors but not part of the browser
... I'm curious where that leads
asolove: I think it's fair to say that tokenization is a pre-requisite for having payment handlers that do SCA.
... there will not be a world of third party payment apps that store PANs and who do 3DS.
IJ: Should we do in parallel or focus on tokenization?
asolove: Tokenization is different from the Tokenized Card Payment spec
... the tokenization that relates to 3DS will not necessarily align with just getting a tokenized card number
https://w3c.github.io/webpayments-methods-tokenization/index.html
IJ: And yet, eci is part of the tokenization spec, so that hints to me that the Tokenized Card Spec is being aligned with 3DS
asolove: I had assumed it would be a separate payment method
https://github.com/w3c/3ds/wiki/request_params
IJ: I think there is a flag and some other data about the merchant
asolove: It could be that the flag is more nuanced like "SCA if the customer is also in Europe"
IJ: Feel free to add to notes / use cases
Ken: Does Mastercard have a prioritization in mind?
BrianPiel: We need to define the data set first
... and then determine how to bring it to the API
IJ: I think we can do the API design at a later date after figuring out how it works and how would do it.
17 May
candidate agenda items:
- revised payment handler based flows
- consider a ftf meeting this summer
- Ian to reach out to brian to chat about flows