W3C

Card Payment Security Task Force

13 May 2020

Agenda

Attendees

Present
Manoj Kannembath (Visa), Ian Jacobs (W3C), Mercia le Roux (Entersekt), David Benoit, Jonathan Grossar (Mastercard), Fawad Nisar (Discover), Jalpesh Chitalia (Visa), Clinton Allen (American Express), Tomasz Blachowicz (Mastercard), Peter St Andre (Mozilla), Gerhard Oosthuizen (Mozilla), Brian Piel (Mastercard), Adrian Hope-Bailie (Coil), Justin Toupin (Google), Tobie Langel, Erhard Brand (Entersekt), Jeff Hodges (Google)
Regrets
Nick Telford-Reed
Chair
Ian
Scribe
Ian

Contents

Comments from American Express on Proposed Architecture

Proposed Architecture

Clinton: We've reviewed the proposal. We have some questions about specifics, but are not overly concerned with anything in the proposal. It's good progress. We'd like to continue to push forward.

IJ:Would you prefer to discuss details here or via GitHub?

Clinton: GitHub

... I meant "built in support of the payment method"

Who will host common payment handler?

IJ: Who would host the origin?
... Who will create the common payment handler?

Clinton: I think it could now be a good time to get an answer to that question.
... I hear a tentative consensus, so good time to raise with EMVCo

Jonathan: +1

<Fawad> +1

<benoit_> is there any desire to create a shared/cooperative/alliance that would code, review, host, and maintain this? or are we asking if there is a single entity willing to take this on?

IJ: What questions should be asked within EMVCo?

jalpesh: I think that question is important (on hosting)
... +1 to discussion at EMVCo

Clinton: One interesting topic is how best to communicate the proposal within EMVCo. I can have a better time frame sense in a week or so

IJ: Maybe we can do a presentation (e.g., starting with MC work)

Jonathan: +1 we can work with you

IJ: Thank you ; we'll come back to this on next call

Starting work on a POC

IJ: The upcoming https://github.com/w3c/webpayments/wiki/Code-A-Thon-2020 provides a good opportunity to do some work on an SRC proof of concept. Who would like to participate? Take the lead? Is code-a-thon useful?

Clinton: We think a POC would be valuable; unable to take the lead at this time

Gerhard: We are planning in participating in the code-a-thon. We are reviewing options and have a number of ideas
... we could be interested in an SRC project
... how could we bootstrap an SRC payment handler or put an identity into it

IJ: Should we wait for POC before working on payment method definition?

jalpesh: I think we should do a POC first
... I am still trying to convince myself of the benefit of the proposal compared to current implementation

Jonathan: +1 to waiting for a POC before starting work on a specification; I think we need to validate the architecture

Use cases for merchant identifying SRCI through request data.

IJ: Will PSP and SRCI usually be the same?

crallen_: The way that this proposal is written, it seems that the merchant would have to identify the SRCI. As opposed to a "preference"

IJ: What is SRCI if unavailable?

Tomasz: We've not gone into that in the proposal. The focus is on the ability to specify the SRCI
... The SRCI could nominate itself to host the transaction in the payment handler window

<scribe> ACTION: Ian to raise issue on proposal about whether merchant "pref" or something else re: SRCI

(Editor's note: see issue 40)

IJ: What are the use cases that validate the decoupling?

Tomasz: I think we should maintain flexibility.
... as there are different integration models
... e.g., SDK provides library to merchant
... that's one model we want to cover
... but we may also want to offer greater flexibility for merchants that want to leverage the PR API directly
... we also have hasEnrolledINstrument functionality that can verify if an SRCI can support a given transaction.
... before show() is called

jalpesh: You are basically talking about 2 use cases: (1) PSP renders UX (2) Merchant is rendering UX
... in scenario 2, wouldn't the merchant provide their own URL? They might delegate that to another system, but it's not quite decoupling

Tomasz: What I have in mind is that we may have a merchant who calls PR API and uses the PSP under the hood to process the credential.
... the payment handler experience is provided by the SRCI

Jalpesh: Let's assume that there are 2 payment patterns without Payment Request: PSP does UX or merchant does UX. I am hearing a third use case where merchant delegates experience to payment app where SRCI handles display

<scribe> ACTION: Tomasz to edit the proposed architecture document multiple integration models

Next meeting (10 June)

10 June

Note on blog posts

Payments and Authentication: Driving toward a Whole Greater than Parts

AOB?

Tomasz: How will we proceed with the definition of the payment method, assuming we'll have a POC.

(IJ goes through process)

IJ: Any other reviews or new thoughts?

Jalpesh: I made some edits to the architecture document.

https://github.com/w3c/src/wiki/ProposedArchitecture#native-support-for-payment-method-into-the-browser

<scribe> ACTION: Ian to review new text from Jalpesh (Native Support for Payment Method Into the Browser)

<scribe> ACTION: Tomasz to review new text from Jalpesh

ADJOURNED

Summary of Action Items

[NEW] ACTION: Ian to raise issue on proposal about whether merchant "pref" or something else re: SRCI
[NEW] ACTION: Tomasz to edit the proposed architecture document multiple integration models
[NEW] ACTION: Ian to review new text from Jalpesh
[NEW] ACTION: Tomasz to review new text from Jalpesh
 

Summary of Resolutions

[End of minutes]
Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2020/05/13 17:50:18 $