W3C

Web Payments Working Group

05 August 2021

Attendees

Present
Adrian Hope-Bailie (Fynbos), Anne Pouillard (Worldline), David Benoit, Clinton Allen (American Express), Fawad Nisar (Discover), Gavin Shenker (Visa), Gerhard Oosthuizen (Entersekt), Ian Jacobs (W3C), Jean-Luc Di Manno (FIME), John Fontana (Yubico), Manish Garg (Banksly), Rolf Lindemann (Nok Nok Labs), Rouslan Solomakhin (Google), Susan Pandy (Discover), Tom Bellenger (Visa), Werner Bruinings (American Express)
Regrets
Nick Telford-Reed
Chair
Adrian
Scribe
Ian

Meeting minutes

Charter

Draft charter

Rolf: Is SPC covered?

Ian: Yes

(We review scope, deliverables)

John: Are we going to have 2 browser implementations?

TPAC meeting

https://www.w3.org/wiki/TPAC/2021

https://www.w3.org/2020/10/TPAC/public-breakouts.html

https://www.w3.org/2020/10/TPAC/breakout-schedule.html

PROPOSED: WPWG meeting 25-28 October 2021

Ian: I expect 7-9am each day

(Pacific)

Ian: We'll finalize this in 2 weeks

SPC

Ian: CfC Expected 9 August

IJ: Question about UX when no matching credential id (as opposed to no UX when returning null).

Rouslan: Current plan is an information dialog that will have iconography that pertains to payments
… will let the user know that the merchant is going to try to authenticate the payment in some other way
… it's an info message, not an error message
… if the user does not want to share identity from the standpoint of the web site, we want to make it not distinguishable between "has no credentials" and "doesn't want to share credentials"
… in WebAuthn today, if somebody requests to authenticate and the user doesn't have the credential on the device, the error returned is very generic
… if the user does have a credential on file but cancels the prompt, then the error message is the same as if they didn't have a credential

Ian: What does the spec say about this?

Rouslan: Silent today, but would be added.

Rolf: I'm not sure this is a good solution for users.
… I don't have a better solution right now... but I think we may need more work here.
… in an ideal world, the user would not see the interstitial prompt, but rather an alternative prompt to SPC. The issue is how to do that in a privacy protecting way

Ian: I think we used to have a fallback URL alternative.

Rolf: That may not work if the UX is "fast" and disappears quickly.
… what if there's a fallback screen to go with an alternative payment method (if there is one)

AdrianHB: A problem is that the user has already chosen an instrument.
… I think that SPC's initial usage will be with 3DS... so the user is planning to pay with a known instrument.
… what we want is a way for the browser to prompt the user for a different authentication
… I'm not sure "fallback" is the right solution (and at least not fall back to an alternative payment method)

Rolf: In EU, many payment methods send me to a payment app (and previously did OTP)
… SPC should be more convenient, but if it doesn't work, essentially the system wants to fall back to these other methods (app, OTP)
… if I could input the OTP via a browser dialog instead of loading a web page, maybe that could be the solution.

Ian: Remind me, what was the problem with the fallback URL?

Rouslan: I think a timing attack on fallbackURL was an issue (so we removed it)

Action: Ian to raise an issue about UX in case of no matching credential

Editor's Note: See issue 98, created after the meeting.

Payment Request API

https://github.com/w3c/payment-request/wiki/REC_2020_Plan

Next Meeting

19 August

Summary of action items

  1. Ian to raise an issue about UX in case of no matching credential

Minutes manually created (not a transcript), formatted by scribe.perl version 136 (Thu May 27 13:50:24 2021 UTC).