W3C

Web Payments Working Group

10 Jun 2021

Agenda

Attendees

Present: Ian Jacobs (W3C), Rouslan Solomakhin (Google), Clinton Allen (American Express), Jean-Luc Di Manno (FIME), David Benoit, Anne Pouillard (Worldline), Amy Slack (American Express), Sophia Rainford (American Express), Werner Bruinings (American Express), Gavin Shenker (Visa), Jean-Michel Girard (Worldline), Chris Wood, Fawad Nisar (Discover), Tom Bellenger (Visa), Adrian Hope-Bailie (Coil), Gustavo Kok (Netflix)
Regrets: Nick Telford-Reed
Chair: Adrian
Scribe: Ian

Payment Request Call for Consensus

Ian: Not a lot to do by the WG at this point.
... we will make our case to the Director
... and update the implementation report
... See the draft timeline to Rec.

SPC discussions

Ian: Please complete the SPC prioritization survey.

AdrianHB: You can provide feedback and suggest new use cases.
... or raise issues on GitHub

Dynamic binding of instrument info

See 7 June SPC task force discussion

Rouslan: Two main reasons for suggesting dynamic binding of authentication credentials with instrument information rather than static enrollment:

1) Updates to card information can be made at authentication time
... if we ONLY store the public key, that opens lots of possibilities
... including reuse of key for login and payment
... so when merchant sends to the browser, browser can verify it.
... that could reduce timing attacks and reduce tracking
... the sticking point is the dynamic challenge.
... I think it should be a goal that the browser generate the challenge.
... the RP could always say "I don't know these credentials"
... or "some other bit is invalid"

<AdrianHB> ian: sounds like a good feature for card on file use cases

<AdrianHB> ... the merchant could be updating this data out of band

Clinton: Not really.
... any delegation would happen by contract.
... if you delegate random generation to someone else, however, then you do.

IJ: Anybody have early insights?
... they will provide the info to the merchant at authentication time

rouslan: We have been in discussion with 3DS about v 2.3

IJ: Would Google be creating documentation for developers?

Rouslan: We are not working on that yet.

<AdrianHB> ian: Is anyone at Google currently working on developer docs for SPC?

<benoit> Marqeta

AdrianHB: Yes, ACS folks should be doing experiments.
... or similarly for alternative payment methods

Review different friction flows

<AdrianHB> ian: the last is not a priority

clinton_: The descriptions make sense.

[Architecture]

- identity

- instrument selection

- authentication

<AdrianHB> ian: we have an SPC related issue wrt identifying the user

clinton_: outside of SRC, wouldn't that identity always be a topic?

Ian: Yes

AdrianHB: I think this relates again to what the browser stores.

<Zakim> AdrianHB, you wanted to discuss the last flow

Next meeting

Next meeting: 24 June

Summary of Action Items

Summary of Resolutions

    [End of minutes]

    Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.200 (CVS log)
    $Date: 2021/06/10 16:00:35 $