IRC log of wpwg on 2022-09-12

Timestamps are in UTC.

15:36:13 [RRSAgent]: RRSAgent has joined #wpwg
15:36:13 [RRSAgent]: logging to https://www.w3.org/2022/09/12-wpwg-irc
15:36:21 [Ian]: Meeting: Web Payments Working Group
15:36:33 [Ian]: Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2022
15:36:37 [Ian]: Chair: Nick
15:36:39 [Ian]: Scribe: Ian
15:36:41 [Ian]: present+ NickTR
15:37:11 [Ian]: present+ Rose_Robertson
15:37:15 [Ian]: present+ Ian_Jacobs
15:37:19 [Ian]: present+ Sameer_Tare
15:40:10 [Ian]: present+ Javad_Chamanara
15:43:42 [Ian]: present+ Bastien_Latge
15:44:11 [Ian]: present+ Magda_Sypulla
15:44:19 [Ian]: present- Magda_Sypulla
15:44:21 [Ian]: present+ Magda_Sypula
15:46:06 [Hari_]: Hari_ has joined #wpwg
15:48:37 [Ian]: present+ Nako_Siskov
15:49:18 [Ian]: present+ Devin_Rousso
15:52:01 [Ian]: present+ Erhard_Brand
15:52:34 [Ian]: present+ Adam_Kelly
15:53:53 [Ian]: present+ Vanitha_Balusamy
15:54:03 [SameerT]: SameerT has joined #wpwg
15:55:49 [Ian]: present+ Stephen+McGruer
15:55:56 [Ian]: present+ Etienne+Noel
15:55:59 [Ian]: present- Etienne+Noel
15:56:03 [Ian]: present+ Etienne_Noel
15:57:09 [bkardell_]: bkardell_ has joined #wpwg
15:58:24 [Ian]: present+ Takashi_Minamii
15:59:47 [Ian]: present+ Brant+Peterson
15:59:50 [Ian]: present- Brant+Peterson
15:59:53 [Ian]: present+ Brant_Peterson
16:00:13 [Hemnath]: Hemnath has joined #wpwg
16:00:23 [Ian]: present+ Renan_Renner
16:00:29 [Ian]: present+ Haribalu
16:00:34 [Ian]: present+ Jayadevi_Natarajan
16:00:40 [Ian]: present+ Praveena_SSubrahmanyam
16:00:48 [Ian]: present+ Peter_Cselenko
16:00:58 [Ian]: present- Praveena_SSubrahmanyam
16:01:03 [Ian]: present+ Praveena_Subrahmanyam
16:01:25 [Ian]: present+ Fahad_Saleem
16:01:31 [Ian]: present+ Solai
16:01:55 [Ian]: present+ Hemnath_Dhananjayan
16:02:10 [Ian]: present+ Jean-Luc_di_Manno
16:02:14 [Ian]: present+ Carey_Ferro
16:02:18 [Ian]: present+ Doug_Fisher
16:02:21 [JeanLuc]: JeanLuc has joined #WPWG
16:02:22 [Ian]: present+ Clinton_Allen
16:02:38 [rbyers]: rbyers has joined #wpwg
16:02:42 [Ian]: present+ Christian_Aabye
16:03:44 [Ian]: present+ Jorge
16:04:02 [Ian]: present+ Soumya_Chakrabarty
16:04:14 [Ian]: present+ Rufus_T
16:04:19 [rbyers]: present+ Rick_Byers
16:04:53 [Ian]: present+ Vinoth_Madhavan_Selkan
16:05:35 [Takashi]: Takashi has joined #wpwg
16:05:59 [Ian]: present+ Tess
16:06:07 [Ian]: Topic: Welcome
16:06:50 [Ian]: NicK: It's great to be back in the room together. Thanks to those who came to Vancouver and also to those joining us remotely.
16:07:17 [Ian]: [Nick does a quick reminder of health requirements, linked from agenda]
16:08:04 [dcrousso]: dcrousso has joined #wpwg
16:08:06 [praveena]: praveena has joined #wpwg
16:08:09 [ChristianA]: ChristianA has joined #wpwg
16:08:09 [Magda_Sypula]: Magda_Sypula has joined #wpwg
16:08:10 [Ian]: present+ Rolf_Lindemann
16:08:12 [etiennenoel_]: etiennenoel_ has joined #wpwg
16:08:59 [RRSAgent]: I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
16:09:07 [Ian]: -> https://github.com/w3c/webpayments/wiki/Agenda-TPAC2022 Agenda
16:09:14 [Rolf]: Rolf has joined #wpwg
16:09:17 [Ian]: -> https://www.w3.org/Consortium/Legal/2017/antitrust-guidance Antitrust reminder
16:10:04 [Ian]: present+ Sue_Koomen
16:10:07 [Fahad]: Fahad has joined #wpwg
16:10:08 [MattC]: MattC has joined #wpwg
16:10:45 [Ian]: present+ Marie_Jordan
16:11:23 [Clinton]: Clinton has joined #wpwg
16:12:03 [Ian]: Nick: Just want to pause to celebrate PR API => Recommendation last week.
16:12:15 [Ian]: (Ian: We'll hear more tomorrow on this and discuss next features)
16:12:50 [Ian]: [Quick round of introductions, both remote and in person]
16:13:06 [Ian]: present+ Betül_Durak
16:14:08 [careyf]: careyf has joined #wpwg
16:18:00 [Ian]: present+ Matt_Crothers
16:18:20 [Ian]: present+ David_Benoit
16:19:20 [benoit]: benoit has joined #wpwg
16:19:30 [Ian]: present+ Rossen
16:19:39 [Ian]: present+ Rick_Byers
16:19:43 [Ian]: present+ Michael_Horne
16:20:04 [Ian]: Topic: Airbnb/Adyen SPC pilot update
16:20:58 [Ian]: Peter: Thank you. We'll start with an update on the pilot we've been running with Airbnb
16:21:14 [Ian]: ...to start with, why SPC?
16:21:26 [Ian]: ...5-9% drop-off rate with 3DS challenge flow
16:21:56 [Ian]: ...so we are looking for a PSD2-compliant solution that lowers drop-off while keeping low fraud rate. We want a better experience for the consumer.
16:22:29 [Ian]: ...our first year was limited pilot (one issuer, friends and family)
16:22:48 [Ian]: ...starting in Sep we want to open to all Airbnb users for a set of issuers.
16:23:04 [Ian]: ...some challenges:
16:23:08 [Ian]: 1) Generic error handling
16:23:23 [Ian]: 2) How to distinguish canceling SCA v just an error.
16:23:40 [Ian]: 3) Educating shoppers
16:24:17 [Ian]: Renan: Shoppers see a new screen in their checkout flow
16:24:30 [Ian]: ....just as 3DS learned previously, the UX of this screen is very important.
16:24:52 [Doug_F]: Doug_F has joined #wpwg
16:24:54 [Ian]: ...need to tell shoppers this is easier and faster, and connected to issuer experience
16:25:10 [Rossen_]: Rossen_ has joined #wpwg
16:25:51 [nicktr]: q?
16:27:09 [Ian]: NickTR: In which step are you using the errors?
16:27:16 [smcgruer_[EST]]: q+
16:27:20 [SameerT]: q+
16:27:26 [Ian]: Peter: Those issues were more early on
16:27:47 [Ian]: smcgruer_[EST]: These ambiguities are inherited from the web authn security model
16:28:04 [Ian]: ....we probably can and should do more in the dev tools
16:28:17 [Ian]: ....we can tell developers in the dev tools because it's their own machine.
16:28:23 [Ian]: ...it may not require standardization
16:28:52 [Ian]: ...this would help developers understand "what's going on" during the development process.
16:28:54 [nicktr]: ack smcgruer_[EST]
16:29:21 [Ian]: smcgruer_[EST]: I think we can do better for devs but I think we can also do better "in the field"
16:29:25 [Ian]: ack Sam
16:30:00 [Ian]: SameerT: In the 3DS ecosystem, issuers need to know what happened in authentication. If they can't tell what went wrong, they may be less inclined to use this as an authentication method.
16:30:04 [benoit__]: benoit__ has joined #wpwg
16:30:10 [Ian]: SameerT: Is the pilot a delegated auth model?
16:30:21 [Ian]: Renan: Yes, Adyen is the RP
16:30:42 [Ian]: SameerT: So for issuer education, are you interested helping them understand the assertion data?
16:31:39 [Ian]: Renan: Adyen collects the assertion, we want issuers to help communicate to users this model
16:31:54 [Ian]: Sameer: We may have to break it down in more detail; the issuer may not know you are trying to enroll the user.
16:32:20 [Ian]: ...suppose issuer sends me a OTP; at that point (pre-SPC enrollment) the issuer does not know that a new enrollment will happen
16:32:33 [clinton]: clinton has joined #wpwg
16:32:35 [Ian]: Renan: Right, we want issuers to help users understand that these delegated flows are not scams.
16:32:50 [Doug_F]: Q+
16:32:56 [Ian]: present+ Manish_Garg
16:33:17 [Vanitha]: Vanitha has joined #wpwg
16:33:27 [dcrousso]: dcrousso has joined #wpwg
16:33:45 [dcrousso]: test
16:33:52 [Ian]: nicktr: I assume the trust relationship between issuer and acquirer lies outside of the world of w3c
16:33:57 [Ian]: ...these are commercial relationships.
16:34:36 [Ian]: Sameer: You are mostly right, but see the FIDO white paper on what FIDO data can be consistently sent into 3DS .
16:35:01 [Ian]: ack Doug_F
16:35:31 [Ian]: Doug_F: In the current pilot, the merchant/PSP is the RP. Are there future plans to extend the pilot to when issuers can be RPs.
16:35:43 [Ian]: ...do you at Adyen see the longer term approach being delegated?
16:35:50 [Ian]: Renan: We envision that we will be the RP
16:36:03 [clinton]: q+
16:36:57 [Ian]: Renan: We see this similar to liability shift patterns we've seen previously
16:37:06 [Ian]: ack clinton
16:37:30 [Ian]: clinton: I've heard people comment that they'd like to have help from issuers on X, Y, Z. Could we summarize those points?
16:38:13 [Ian]: Renan: We can show some of this in the demo
16:38:30 [Ian]: [Demo]
16:39:51 [Ian]: present+ Dean_Jordaan
16:40:03 [smcgruer_[EST]]: q?
16:40:28 [smcgruer_[EST]]: q+
16:40:39 [Ian]: Renan: Issuers can let cardholders know that this sort of enrollment UX can occur to minimize surprise
16:40:48 [Ian]: ...they can tell cardholders that this is a possible flow.
16:41:33 [SameerT]: q+
16:41:57 [Ian]: Praveena: People are used to OTP and need to be educated that biometrics can happen, and that they are secure.
16:43:25 [Ian]: Renan: This week are are rolling out an updated pilot to expand it.
16:43:30 [Ian]: ...will include more issuers
16:43:40 [Ian]: q?
16:43:46 [Ian]: ack smcgruer_[EST]
16:44:27 [Ian]: smcgruer_[EST]: Note that the enrollment UX never shipped (this is an old video)
16:44:40 [Ian]: ...the reason was that PSPs wanted to control the content.
16:44:58 [Ian]: ...but if there is value to educating users through consistent language and UX, is there value adding it back?
16:45:11 [Ian]: ack SameerT
16:45:39 [Ian]: SameerT: In registration, do you envision that you can provide enrollment as an out-of-band feature (not during the transaction)?
16:46:04 [Ian]: Renan: Do you mean that they user did not opt-in during flow but we can prompt them later?
16:46:50 [Ian]: SameerT: I'm thinking instead that the transaction completes, and then the user sees an optional button to enroll. And at that time the PSP has full control over the language presented to the user.
16:46:50 [nicktr]: q+
16:46:53 [Ian]: Renan: That's an interesting idea.
16:47:47 [Ian]: Sameer: There are a couple of benefits (1) user has no concerns about their actual transaction (2) it's a separate journey that could be made clear to the user.
16:48:05 [Ian]: Renan: Yes, that makes sense
16:48:30 [Ian]: Sameer: 3DS 1.0 had "enrollment during shopping" which was considered bad. The transaction took too long and errors messed with the transaction.
16:48:36 [Ian]: ....so we dropped that flow.
16:48:56 [Bastien]: Bastien has joined #WPWG
16:49:02 [Ian]: ...if you enroll outside the transaction you are clear of 3DS limitations today
16:49:03 [careyf]: +1 to sameer's point
16:49:03 [Ian]: q?
16:49:03 [nicktr]: q?
16:49:09 [Ian]: ack nick
16:50:00 [Ian]: nicktr: Another SPC registration moment could be at the moment that the user provides a card-on-file to Airbnb?
16:50:13 [Ian]: Renan: We do need some ID&V [with the issuer]
16:50:22 [Ian]: ....so we leverage the 3DS challenge for that
16:50:31 [Ian]: ....before that we cannot trust the card with this device
16:50:56 [Ian]: ...we use 3DS2 for device binding
16:53:27 [clinton]: q+
16:53:31 [JeanLuc]: q+
16:54:08 [Ian]: Nick: Any more to say on trust model between PSP and issuers?
16:54:26 [Ian]: SameerT: Some of the trust comes through standardization in 3DS.
16:55:22 [Ian]: NickTR: There are fewer risk providers than issuers.
16:55:24 [Ian]: ack clin
16:55:34 [careyf]: q+
16:55:45 [Ian]: clinton: Regarding delegation, are your questions related to SPD2?
16:56:08 [Ian]: Nick: Yes, that's where I'm heading. At the moment we have provided a strong signal to issuers where they don't have to do a step-up
16:56:32 [Ian]: ...what I'm hoping to do is achieve a technical link between assertions signed by delegated RPs and the issuers.
16:56:41 [Ian]: ...can there be cryptographically established delegation
16:57:04 [Ian]: zakim, close the queue
16:57:04 [Zakim]: ok, Ian, the speaker queue is closed
16:57:17 [Ian]: ack jean
16:57:45 [Ian]: JeanLuc: In 3DS there is a place to tell the issuer not to do a challenge.
16:57:53 [Ian]: ...so there is a place for the merchant to share information
16:58:16 [Ian]: ...but there is no place to share the SPC attestation
16:58:20 [Ian]: ...could that be useful?
16:59:28 [Ian]: Ian: I think that's available in the FIDO/EMVCo model
16:59:36 [Ian]: Sameer: The question is whether the data could be made available.
16:59:47 [Ian]: smcgruer_[EST]: If WebAuthn has it, it would be available
16:59:58 [Ian]: ACTION: smcgruer_[EST] to check whether the attestation is available during SPC flow
17:00:24 [Ian]: JeanLuc: I think there is no way to carry the information in SPC context.
17:00:37 [nicktr]: q?
17:00:44 [Ian]: ack careyf
17:00:56 [Ian]: careyf: In the pilot, does Adyen own the issuer relationship?
17:01:01 [SameerT]: q+ : EMV 3DSWG will consider this for future enhancement if SPC/WebAuthn allows collection of this data
17:01:34 [ChristianA]: ChristianA has joined #wpwg
17:01:34 [jyrossi]: jyrossi has joined #wpwg
17:01:35 [Ian]: Renan: We as a RP have to fulfill scheme requirements
17:02:02 [Ian]: SameerT: Regarding attestation, we can consider that in future 3DS revision
17:02:13 [Ian]: smcgruer_[EST]: For delegated auth today with 3DS is there a field for attestation?
17:02:21 [Ian]: SameerT: You have a place for attestation and/or assertion
17:02:39 [Ian]: Doug: In the case where the issuer is the RP, the issuer already has it. If the merchant in the RP, then I think there is a gap.
17:03:06 [Bastien]: q+ : just want to make sure the action is minuted
17:03:31 [JeanLuc]: 3DS threeDSReqAuthData field could contains SPC attestation from merchant delegation flow. therefore, issuer could perform risk analysis and recognized the authenticator behind
17:03:48 [Ian]: ACTION: Sameer to see about enhancing 3DS flow to include attestation if available in SPC context.
17:04:42 [Ian]: [Peter, Renan leave]
17:04:52 [Ian]: Topic: Airbnb/Adyen SPC pilot update
17:05:00 [Ian]: Topic: SPC on Android
17:05:25 [Ian]: smcgruer_[EST]: I'm the primary editor of SPC spec and lead this work in Chrome. Here's an update on implementation.
17:05:42 [NakjoShishkov]: NakjoShishkov has joined #wpwg
17:05:54 [NakjoShishkov]: NakjoShishkov has joined #wpwg
17:08:00 [etiennenoel]: etiennenoel has joined #wpwg
17:08:06 [Ian]: -> http://www.w3.org/2022/Talks/spc-google-20220912.pdf Stephen's slides
17:08:50 [Ian]: smcgruer_[EST]: the thirdPartyPayment extension has landed in CTAP2
17:08:58 [Ian]: ...no immediate impact but good foundation
17:09:00 [nicktr]: q+ to ask about remote authenticators
17:09:05 [Ian]: ...still work needed to figure out the story for remote authenticators
17:09:06 [nicktr]: zakim, open the queue
17:09:06 [Zakim]: ok, nicktr, the speaker queue is open
17:09:09 [nicktr]: q+ to ask about remote authenticators
17:09:38 [Ian]: smcgruer_[EST]: We also renamed rp->rpid and we'll do both fields for some period of time (3 milestones)
17:10:04 [Ian]: smcgruer_[EST]: We started origin trial with opt-out (optional) feature
17:10:23 [Ian]: ...the opt-out relates to RP storage
17:10:30 [Ian]: ...this relates to interpretations of GDPR
17:11:09 [Ian]: ...the payment request error indicates opt-out, and then the caller's responsibility is to share that with the RP
17:11:44 [Ian]: ...we ARE contemplating changing the message to "successful opt-out" instead of Abort
17:12:08 [Ian]: smcgruer_[EST]: We are in discussions with Web Auth about allowing cross-origin create()
17:12:25 [Ian]: ...we want to move this into Web Authn for all credentials.
17:12:35 [Ian]: ...I hope we'll have robust discussion tomorrow on this
17:13:07 [Ian]: smcgruer_[EST]: Regarding SPC in Android, we changed both spec and implementation to allow resident keys
17:13:17 [Ian]: ...I don't know when Android will support discoverable credentials.
17:13:34 [Ian]: ...we still need to add opt-out and a few other things, but you can try it out today
17:13:57 [Ian]: smcgruer_[EST]: Why did it take so long to ship on Android?
17:14:46 [Ian]: ...the main reason has to do with the browser caching information about credentials as being special for payment
17:14:54 [Ian]: ...(the feature that is moving to CTAP2)
17:16:14 [Ian]: ...this caching approach is per-browser, limiting reuse of credentials
17:17:07 [Ian]: ...several problems including both false negatives and false positive.
17:17:18 [Ian]: ...it also doesn't support the "first party payment" use case for SPC
17:17:31 [Ian]: ...so on android, we added OS-level credential support
17:17:49 [Ian]: ...chrome tells android to mark the credential as a 3p payment credential
17:18:17 [praveenas]: praveenas has joined #wpwg
17:18:48 [Ian]: ...some consequences this approach:
17:18:54 [Ian]: a) works for first-party context use case
17:19:04 [Ian]: b) Third party payment is no longer browser-scoped
17:19:29 [Ian]: q?
17:19:59 [Ian]: smcgruer_[EST]: We change the OS API to support thirdPartyPayment bit
17:20:39 [Ian]: ... we have built on top of listCredentials(rp_id); and the browser also gets back the thirdPartyPayment bit.
17:21:07 [Ian]: ...so the browser looks to see whether it's a 1p or 3p context, whether the bit has been set, and after filtering decides whether there are matching credentials
17:21:31 [Ian]: [SPC Demo on Android]
17:22:50 [Ian]: smcgruer_[EST]: You can turn on a flag today and do this yourself. But not yet shipped: opt-out support.
17:23:19 [Ian]: ...also not yet shipped: 1p use case
17:25:10 [JeanLuc]: q+
17:25:23 [Ian]: [Nick tries out the demo to show that it works on his phone]
17:26:17 [Ian]: smcgruer_[EST]: What's next?
17:26:24 [Ian]: ...should we ship opt-out?
17:26:46 [Ian]: ...we don't love it as a concept; we need to hear clear demand from people who are going to use SPC.
17:27:02 [Ian]: ...we want to use authenticator level APIs on more platforms; we need to engage with Microsoft and Apple
17:27:51 [nicktr]: q?
17:27:57 [Ian]: ...there are other UX challenges, and "no matching credential / privacy" tension
17:28:05 [nicktr]: q+ later
17:28:10 [nicktr]: q-
17:28:13 [nicktr]: q-
17:28:17 [nicktr]: ack JeanLuc
17:28:37 [Ian]: JeanLuc: Regarding the platform, you said browser would invoke get list. Is there any reason why there is not a parameter to add rpid?
17:28:53 [Ian]: smcgruer_[EST]: We don't need the list credential API fully; it exists for conditional UI.
17:29:21 [Ian]: present+ Tomoya+Horiguchi
17:29:25 [Ian]: present- Tomoya+Horiguchi
17:29:28 [Ian]: present+ Tomoya_Horiguchi
17:29:49 [Ian]: smcgruer_[EST]: We are thinking about moving the API further into Android. We might be able to enable SPC in web views...if we bake it into Android.
17:29:56 [NakjoShishkov]: q+
17:29:57 [Ian]: present+ Jean-Yves_Rossi
17:30:17 [Ian]: smcgruer_[EST]: And similarly, if we push this into the OS we could enable SPC for Android Apps
17:30:22 [nicktr]: ack NakjoShishkov
17:30:41 [Ian]: Nakko: Great to hear porting to Android. If a browser can access the credentials, could other apps access the credentials?
17:30:50 [Ian]: smcgruer_[EST]: No; we have a list of trusted apps (browsers)
17:31:15 [Ian]: ...we probably could have it work for your own origin (e.g., if you are the app for bank.com) you probably could have the credentials for your own origin
17:31:26 [Ian]: ...but if we wanted to do this cross-origin, we'd need to build it into the OS
17:31:35 [Ian]: q?
17:31:40 [SameerT]: q+
17:31:54 [Ian]: Nakko: I am thinking about merchant app accessing credentials from the 3DS SDK
17:32:07 [Ian]: smcgruer_[EST]: Yep, we'd need to build into the underlying OS
17:32:27 [Ian]: ack SameerT
17:32:52 [RRSAgent]: I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
17:33:56 [nicktr]: q+ javad
17:34:02 [nicktr]: zakim, close the queue
17:34:02 [Zakim]: ok, nicktr, the speaker queue is closed
17:34:15 [Ian]: ack J
17:34:33 [Ian]: javad: What is the retention policy for user database?
17:34:37 [Ian]: smcgruer_[EST]: User can clear it
17:34:53 [Ian]: ...I don't think there's a retention policy. But the data we are storing is non-sensitive data (e.g., the public key)
17:35:17 [Ian]: Javad: If you put the data in the db, how do you sync for multi-device scenarios?
17:35:52 [Ian]: smcgruer_[EST]: That is what passkeys address. there are ongoing discussions about device public keys
17:36:06 [Ian]: q?
17:36:16 [Ian]: RRSAGENT, make minutes
17:36:16 [RRSAgent]: I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
17:46:26 [magda_sypula]: magda_sypula has joined #wpwg
18:04:43 [careyf]: careyf has joined #wpwg
18:09:04 [Sue]: Sue has joined #wpwg
18:11:47 [Ian]: Topic: FIS/Worldpay use cases
18:12:31 [Ian]: [Brant introduces himself]
18:12:56 [Ian]: Brant: Want to talk about payments use cases and also broader reach within this community
18:13:16 [Ian]: ...one goal is to re-introduce FIS to W3C community
18:13:50 [nicktr]: q?
18:13:53 [clinton]: clinton has joined #wpwg
18:14:22 [Ian]: Brant: FIS has a merchant processing channel, issuance channel, and user-facing wallet
18:15:22 [praveena]: praveena has joined #wpwg
18:15:24 [ChristianA]: ChristianA has joined #wpwg
18:15:41 [Ian]: ...represent 4000 financial institutions (some smaller, medium)
18:15:56 [Ian]: ...we have a consumer-facing wallet (GoCart)
18:16:19 [Ian]: ...we have a growing network of consumers using this wallet
18:16:32 [Ian]: ...branded GoCart, which is integrated into FIS merchant processing
18:16:43 [Ian]: ...we are also planning to expose to non-FIS acquirers
18:17:08 [nicktr]: q?
18:17:39 [MattC]: MattC has joined #wpwg
18:17:48 [Ian]: Brant: We hear a lot about three main use cases.
18:18:00 [Ian]: ...first I will call the post-pandemic reinvents
18:18:07 [Ian]: s/reinvents/reinventors/
18:18:38 [Ian]: ...these are shops that want to transition from shopfront to digital first
18:19:06 [Ian]: ...key to their strategy is about using their brand as their key strength for their digital strategy (e.g., expansion of subscription options)
18:19:12 [Ian]: present+ Marcos_Caceres
18:19:29 [nicktr]: q+ to ask about geographic coverage of these personas
18:19:34 [nicktr]: zakim, open the queue
18:19:34 [Zakim]: ok, nicktr, the speaker queue is open
18:19:35 [nicktr]: zakim, open the queue
18:19:35 [Zakim]: ok, nicktr, the speaker queue is open
18:19:38 [nicktr]: q+ to ask about geographic coverage of these personas
18:19:40 [Ian]: present+ Sami_Tikkala
18:19:50 [Ian]: ack Nick
18:19:50 [Zakim]: nicktr, you wanted to ask about geographic coverage of these personas
18:20:05 [Ian]: nicktr: Is this global or US-focused?
18:20:11 [Ian]: Brant: This one is particularly US-focused
18:20:11 [clinton]: q+
18:20:24 [Ian]: Brant: Most of our customers use multiple PSPs globally
18:20:42 [Ian]: ...I am mostly focused on US here.
18:21:03 [Ian]: ...Vantiv (our original brand here) was historically focused on big box retailers
18:21:06 [nicktr]: ack clinton
18:21:07 [Ian]: ack clinton
18:21:26 [Ian]: clinton: Regarding identification of shoppers, you said people wanted to identify their customers pre-authorization; how far in advance?
18:21:33 [D_fisher]: D_fisher has joined #wpwg
18:21:54 [Ian]: Brant: I mean "before the authorization request is submitted"; if the customer can identify the customer before that they can apply discounts, for example.
18:22:02 [Ian]: Clinton: These are shoppers that don't have accounts?
18:22:18 [Ian]: Brant: Right, they could be doing guest payments, or using alternative payments, etc.
18:22:31 [Ian]: ...loyalty is hard to reconcile after auth message.
18:22:32 [Ian]: q?
18:22:33 [nicktr]: q?
18:22:54 [Ian]: Brant: The second main use cases is focused on "seamless shopping experience"
18:23:20 [Ian]: ......they want personalized checkout experiences for their shoppers to avoid abandonment
18:23:26 [Ian]: ...these are not focused on their own brand
18:23:31 [Ian]: ...focused on UX
18:23:48 [Ian]: ...so optimizing for mobile browsers, increasing conversions through analytics, etc.
18:24:02 [Ian]: ...e.g., they have data on how latency leads to abandonment.
18:24:22 [Ian]: ...they are interested in things like "one-click" payments.
18:24:37 [Ian]: ...interested in whether they have seen the shopper previously to create a more consistent UX for the user
18:25:18 [Ian]: Brant: Third use cases is those seeking strong control over their checkout experience.
18:25:26 [Ian]: ...they don't want to look like everyone else.
18:25:43 [Ian]: ...they want full control and detailed control.
18:25:56 [Ian]: ...they are not as interested in standards since they want to distinguish themselves.
18:26:13 [Ian]: ...they know their shoppers better than anyone else.
18:26:30 [Ian]: ...many in this top 15 segment have co-branded cards as well
18:27:11 [nicktr]: q+ to ask if ebt cards are cobranded
18:27:14 [Ian]: ...they want some optionality to accept, e.g., government-supported (in the US: Snap) cards
18:27:29 [Ian]: ack Nick
18:27:29 [Zakim]: nicktr, you wanted to ask if ebt cards are cobranded
18:27:40 [Ian]: nicktr: Are EBT (snap) cards co-branded?
18:27:47 [takashi]: takashi has joined #WPWG
18:27:55 [Ian]: Brant: They are closed-loop pre-paid cards (e.g., issued by FIS or FISERV)
18:28:02 [Ian]: ...they are not co-branded
18:28:25 [Ian]: Nick: Are they EMV-style cards?
18:28:27 [Ian]: Brant: No
18:29:25 [Ian]: ...we started to want to enable EBT for COVID to enable more users to be able to shop without having to go into stores.
18:29:34 [Ian]: q?
18:29:54 [JeanLuc]: q+
18:30:17 [Ian]: nicktr: There is a connection here between underserved population and the mission of W3C
18:30:27 [Ian]: ack J
18:30:34 [nicktr]: ack JeanLuc
18:31:21 [Ian]: JeanLuc: to avoid "declines" is there space here to help merchant understand "declines" and help the merchant to try a second authorization request.
18:31:45 [Ian]: Brant: The one challenge we have is that we get back generic declines.
18:32:10 [nicktr]: q?
18:32:11 [Ian]: ...we are starting to look at potentially dozens of decline messages to find more cases.
18:32:31 [Ian]: Brant: Some key customer themes.
18:32:55 [clinton]: q+
18:32:55 [Ian]: 1) Merchants want to know who their customers are prior to authorization
18:33:08 [Ian]: 2) Data is not always available based on payment types or implementations
18:33:22 [Ian]: 3) Cart abandonment is a problem due to extra friction and payment problems.
18:33:34 [Ian]: ack cli
18:33:34 [nicktr]: ack clinton
18:33:58 [Ian]: clinton: Regarding using payment credentials as representation of shopper. Do you see merchants using PAR?
18:34:18 [Ian]: Brant: I think PAR can be effective. But it may not solve all use cases (especially if it only happens post-authorization).
18:34:45 [Ian]: ...PAN is useful today even if not the right thing for the future.
18:35:11 [Ian]: ...for risk mitigation not sure PAR is enough; we've seen up to 50 tokens associated with one PAR.
18:35:30 [Ian]: ...if you are a merchant, I'm not sure they have the same resources to do the sort of AI used for fraud mitigation.
18:35:40 [Ian]: ...I think if we could get PAR before authorization, it could help.
18:36:01 [Ian]: ...could help to get access to PAR outside of payments flow
18:36:12 [Ian]: ...the value is perhaps there, but implementations may need to be enhanced to get us there.
18:36:24 [Ian]: clinton: I don't know that PAR is part of SPC.
18:36:33 [Ian]: smcgruer_[EST]: No.
18:36:51 [Ian]: [Pause to revisit the origins of tokens and PARs]
18:38:20 [Ian]: q?
18:38:22 [Ian]: q+
18:40:39 [Ian]: ack me
18:41:00 [Ian]: Ian: Not sure this needs to be specified in SPC. I don't know whether 3DS field for SPC would allow use of PAR v. PAN
18:41:16 [Ian]: clinton: I am hearing value in getting the PAR into the ecosystem.
18:41:23 [Ian]: Brant: Yes, that's step one.
18:41:34 [Ian]: clinton: It's not consumer level; it's account level
18:41:44 [Ian]: q?
18:41:49 [nicktr]: q?
18:42:19 [Ian]: Brant: One use case I'd like to discuss that's creating some issues for our merchants is using tokens with auto-fill.
18:43:14 [nicktr]: q+ to ask about storage
18:44:13 [nicktr]: ack me
18:44:13 [Zakim]: nicktr, you wanted to ask about storage
18:45:45 [Ian]: Brant: There is clear value to tokens. I want to communicate feedback we are getting, and to discuss whether there are standardization opportunities here.
18:45:55 [Ian]: ...tension here is between security and UX
18:46:12 [Ian]: ....merchants lose ability to create customized experiences.
18:46:33 [Ian]: ...e.g., post-authorization analytics, chargebacks, etc.
18:46:45 [Ian]: ...they all rely today on representations of cards that don't work with tokens
18:46:59 [Ian]: ...and merchants concerned about losing debit routing abilities
18:47:23 [nicktr]: q+ to ask about autofill
18:47:25 [SameerT]: q+
18:47:31 [Ian]: ...merchants will resist some of the capabilities if they are unable to adapt
18:47:39 [Ian]: ack nick
18:47:41 [Zakim]: nicktr, you wanted to ask about autofill
18:48:01 [Ian]: nicktr: Is there a web standard for autofill?
18:48:02 [Ian]: (No)
18:48:08 [clinton]: q+
18:48:28 [Ian]: Devin: You can turn off autofill in HTML, but how it works is implementation dependent.
18:48:58 [Ian]: Brant: Our merchant community can take a scorched earth approach, but it degrades the shopping experience.
18:49:35 [Ian]: Devin: I would happily see autofill be standardized, but even better is when web sites do the right thing
18:49:39 [Ian]: smcgruer_[EST]: +1 to Devin.
18:49:57 [Ian]: ...there may be some more work over next few years to do more work on autofill.
18:50:15 [Ian]: ...but work is stymied by wrong use of html attributes
18:50:33 [ChristianA]: ChristianA has joined #wpwg
18:50:35 [Ian]: Devin: Although HTML has a decent level of semantic information, more would help.
18:50:47 [Ian]: ...but also don't want to large of a set of input types.
18:50:58 [Ian]: q?
18:51:01 [SameerT]: q-
18:51:09 [Ian]: ack clinton
18:51:10 [nicktr]: ack clinton
18:52:36 [Ian]: nick: My understanding is at least google and possibly apple are becoming token requestors.
18:52:47 [Ian]: ...they get back a token pan scoped to the device and the browser (I am speculating)
18:53:04 [Ian]: smcgruer_[EST]: I think it's browser-scoped, not device scoped
18:53:11 [Ian]: nicktr: You could get PAR on that token request
18:53:13 [Ian]: clinton: Yes
18:53:15 [Ian]: q?
18:53:17 [Fahad]: Fahad has joined #wpwg
18:53:46 [Ian]: q?
18:54:39 [Ian]: Brant: Also here would like to ask -- what can FIS/Worldpay do more to take an active role within W3C?
18:55:02 [nicktr]: q?
18:55:42 [Ian]: Ian: Does it make sense to work on an experiment to get pre-Auth PAR by working with browsers and TSPs?
18:55:46 [Ian]: Brant: Yes, that would be a good action.
18:57:51 [nicktr]: q?
18:58:08 [RRSAgent]: I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
19:54:59 [Hemnath]: Hemnath has joined #wpwg
19:59:21 [NakjoShishkov]: NakjoShishkov has joined #wpwg
20:02:08 [benoit]: benoit has joined #wpwg
20:02:28 [takashi_]: takashi_ has joined #WPWG
20:05:41 [SameerT]: SameerT has joined #wpwg
20:05:59 [Ian]: present+ Gerhard_Oosthuizen
20:06:13 [Ian]: Topic: Microsoft perspectives
20:06:23 [magda_sypula]: magda_sypula has joined #wpwg
20:06:23 [Fahad]: Fahad has joined #wpwg
20:07:06 [careyf]: careyf has joined #wpwg
20:07:38 [Ian]: Dean: I am part of the payments team at Microsoft. I was responsible for the authentication program in Europe
20:09:16 [Ian]: ...Microsoft is a global e-commerce merchant
20:09:29 [Ian]: ...do sales with credit cards, alternative payments, etc.
20:09:35 [Ian]: ...lots of countries and currencies
20:09:38 [Ian]: ...both business and consumers
20:09:43 [Ian]: ...both one-time sales and recurring
20:09:50 [Ian]: ...digital goods and physical goods
20:10:23 [Ian]: ...we implemented 3dS v2 back in 2019
20:10:27 [ChristianA]: ChristianA has joined #wpwg
20:10:56 [Ian]: ...we have not built support for exemption flagging or soft decline.
20:11:24 [Ian]: [On SCA]
20:11:41 [Ian]: Dean: The frictionless option in 3DS makes a big difference in the UX and business result.
20:12:00 [Ian]: ...the take away in terms of impact is that we've seen a net negative impact at Microsoft
20:12:23 [Ian]: ...because SCA performance is poor. Challenge rates are high; authentication success rates are low
20:13:31 [MattC]: MattC has joined #wpwg
20:13:38 [Ian]: ...the ecosystem was not ready, in our view, to leverage the flexibility allowed by EU rules
20:13:56 [Ian]: [Data on Microsoft authentication]
20:14:43 [Ian]: Dean: We have distinct implementations of 3DS for our web-based scenarios (where a user is visiting an MS storefront from a browser) and MS Console (where we have an SDK)
20:14:55 [nicktr]: Q?
20:15:34 [Ian]: Dean: Especially early on we saw a big difference in performance on Consoles (75% success rate) and Web (67% success rate).
20:16:13 [nicktr]: q+
20:16:16 [Ian]: ....performance in the UK was much better than the average.
20:16:22 [careyf]: q+
20:16:36 [Ian]: ...so the 3DS experience differs depending on the issuer community in a given country
20:16:46 [Ian]: ...the numbers I'm showing are a "first attempt"
20:16:54 [nicktr]: q-
20:16:59 [Ian]: ...In EU or UK, 1/4 fails on the Web first time
20:17:37 [Ian]: ...when first attempt fails, users may retry or switch to a new payment method. Success rate does tend to improve with 2nd attempt.
20:18:03 [Ian]: ack careyf
20:18:19 [Ian]: careyf: Did you only implement the additional step-up in the UK and EU?
20:19:03 [Ian]: Dean: We've tested in some other markets (e.g., Mexico)
20:19:08 [Ian]: ...we do 3DS v1 in India
20:19:29 [Ian]: ...but Europe with some experimentation in Australia and Mexico
20:19:35 [benoit]: +q
20:19:38 [Ian]: ...the reasons we are looking at 3DS in the other markets vary
20:20:02 [Ian]: ...in Brazil, if you enable 3DS you can accept debit cards online
20:20:25 [Fahad]: q+
20:20:42 [Ian]: ...in Mexico, we are unable to challenge or re-present chargebacks. Authenticated transactions give us a way to deal with that unusual situation.
20:20:44 [Ian]: ack benoit
20:20:47 [nicktr]: ack benoit
20:21:01 [Ian]: benoit: In markets like India and Australia, do you have comparisons with other methods (e.g., UPI)
20:21:09 [Ian]: ...is the issue the buyer or the method?
20:21:46 [Ian]: Dean: What we do in Australia is we randomly enable authentication for a small percentage of transactions (e.g., 5%)
20:22:07 [Ian]: ...in a legitimate experiments, people could compare results with/without authentication.
20:22:19 [Ian]: ...however, in India we have not implemented UPI and don't therefore have a comparison.
20:22:38 [Ian]: ...what we did in Europe (which allowed us to draw conclusions) is compare historical trends for cards with PayPal.
20:23:19 [Gerhard]: Gerhard has joined #wpwg
20:23:28 [Ian]: ...we lost 2-4% in conversions with SCA
20:23:36 [Ian]: ...that's settled down a bit since the initial measurements.
20:24:03 [Ian]: Fahad: 2-4% at authentication step (rather than authorization)?
20:24:06 [Ian]: Dean: Yes.
20:24:16 [Ian]: Fahad: Do you have any significant changes in authorization?
20:24:36 [Ian]: Dean: With transactions that have been successfully authenticated, the authorization rates go up, which is great.
20:24:46 [Ian]: ...but that has to be balanced against abandonment when authentication fails.
20:24:53 [nicktr]: q?
20:24:55 [Ian]: ...when looking at both of those, SCA was a net negative for us.
20:24:57 [nicktr]: ack
20:25:01 [nicktr]: q?
20:25:04 [Ian]: ack Fahad
20:25:22 [Ian]: Dean: When I talk about authentication success rates being too low, let's look at the components.
20:26:16 [Ian]: ...Authentication Abandonment Rate (which I'll talk about in a moment) is measured in terms of 3DS protocol messages
20:26:44 [Ian]: ...we see 12% abandonment on the Web (for EU + UK)
20:26:48 [Gerhard]: q+
20:27:06 [Ian]: ...we see high challenge rates as well: 68% of transactions on Web (EU + UK)
20:27:28 [Ian]: ...in the UK, the banks keep the challenge rates relatively low (28%) compared to the rest of Europe.
20:27:48 [nicktr]: s/(EU + UK)/(EU ex UK)/
20:27:54 [magda_sypula]: q+ Why UK so low on Abandonment? What was different?
20:28:03 [nicktr]: q?
20:28:03 [magda_sypula]: q+
20:28:24 [Ian]: ack Gerhard
20:29:13 [Ian]: Gerhard: SCA is two factor. Many other markets have single factor auth. Do you see differences in abandonment rates between single factor and 2-factor on the challenge itself?
20:29:44 [Ian]: Dean: I don't have any data to share, but I could speculate that there is more success when less friction.
20:30:01 [Ian]: ...this is also part of why you get such a difference for SCA over 3DS
20:30:35 [Ian]: ...different banks use different authentication methods (e.g., banking app opens on user phone; the user just pushes a button to say yes)
20:30:58 [Ian]: ...some banks invested in good authentication experience; others did not
20:31:22 [nicktr]: Q?
20:31:28 [Ian]: ...one-time passcodes or security questions tend to lead to more failure.
20:31:49 [Ian]: ....as merchants, it's the variability in issuer UX that can be frustrating.
20:31:51 [Ian]: ack Mag
20:32:03 [Ian]: magda_sypula: Why is the UK doing better (it seems)?
20:32:23 [Ian]: Dean: The main difference is the third column. In the UK, the majority of authentication requests will be approved or declined using the frictionless flow.
20:32:34 [smcgruer_[EST]]: q?
20:32:43 [Ian]: ...the customer is not stepped up for a challenge. It's the lower challenge rates that drives greater authentication success.
20:33:04 [smcgruer_[EST]]: q+ to ask if the lower challenge rate is due to SCA exemptions, or better risk analysis, or ...
20:33:12 [Ian]: ...if you are a bank with a risk system and you have an incoming authentication request, there's going to be a small set of transactions likely to be fraudulent, so you just say no.
20:33:24 [Ian]: ...and others you are obviously confident to accept
20:33:38 [Ian]: ...so it's the small band in the middle where the bank is not sure where the step-up challenge should occur.
20:33:56 [Ian]: ...the UI systems have optimized their risk systems to behave this way.
20:33:58 [Ian]: ack smcgruer_[EST]
20:33:58 [Zakim]: smcgruer_[EST], you wanted to ask if the lower challenge rate is due to SCA exemptions, or better risk analysis, or ...
20:34:00 [Fahad]: Q+
20:34:05 [nicktr]: ack smcgruer_[EST]
20:34:20 [Ian]: smcgruer_[EST]: Is the lower challenge rate in the UK because they ask for exemption more frequently?
20:34:32 [Ian]: ...or are purchase patterns different?
20:34:45 [Ian]: Dean: The banks in the UK took a different view of their obligations under PSD2
20:35:17 [Ian]: ...supported by the FCA in the UK (the regulatory body for banks in the UK) they were given permission to take an approach where they could take a more "commonsense" approach to step-up.
20:35:59 [Ian]: ...we spoke with other banks and card networks in 2020, 2021; what we found is that banks in other countries (guided by their regulatory bodies) would take a more black and white approach to PSD2.
20:36:28 [Ian]: ...the UK banks were more willing to grant exemptions from the issuer side.
20:36:34 [Ian]: ...the TRA exemption
20:36:51 [nicktr]: q?
20:37:00 [nicktr]: ack Fahad
20:37:20 [Ian]: Fahad: @@
20:38:01 [Ian]: Fahad: For transactions where the issuer requested a challenge, how did countries compare?
20:38:39 [Ian]: Fahad: For the 16% where challenge was requested, how was completion?
20:39:04 [Ian]: Dean: Great question. In my scorecard, cf "CSR" (challenge success rate)
20:39:29 [smcgruer_[EST]]: q?
20:39:37 [Ian]: ...a challenge in the UK success rate about same as for France. So the difference in "rate" is due to UK doing fewer challenges.
20:40:43 [Ian]: [Strategies to mitigate PSD2 impact]
20:40:50 [nicktr]: q+ to fly the flag for SPC
20:40:50 [Ian]: Dean: I am often asked "so what can we do?"
20:41:05 [Ian]: Dean: We should avoid authentication whenever we can.
20:41:29 [Ian]: ...some transaction types are out of scope (e.g., subscriptions)
20:41:39 [Ian]: ...customer-not-present transactions
20:42:33 [Ian]: ...another strategy that emerged was to attempt authorization first with exemption flagging in the authorization message, and only if authorization declined by the issuer who explicitly asks for authentication, doing authentication.
20:42:45 [Ian]: ...moving customers to alternative payment methods is another way to get around the SCA requirement.
20:43:03 [Ian]: ...we saw an increase in PayPal volume as a result of PSD2 for example.
20:43:08 [clinton]: clinton has joined #wpwg
20:43:13 [Ian]: Dean: The second big strategy is to avoid the challenge.
20:43:33 [Ian]: ...merchants can share additional data during authentication (cf the long list of 3DS fields)
20:43:44 [SameerT]: q+
20:43:47 [Ian]: ...you can also do exemption flagging in the authentication request itself
20:44:23 [Ian]: ...PSD2 also has a "trusted beneficiary" option where customer can opt out of future challenges.
20:44:24 [Sue]: Sue has joined #wpwg
20:44:35 [Ian]: ....e.g., Amazon was interested in that to preserve one-click experience.
20:44:54 [Ian]: ...trusted listing is a good example of a provision under PSD2 that is not widely implemented in the ecosystem.
20:45:09 [Ian]: ...very few issuers implement trusted listing.
20:45:37 [Ian]: Dean: If you can't avoid the challenge, then look to improve challenge outcomes. Delegated authentication fits in well here.
20:46:01 [Ian]: ...as a merchant we've seen that different banks have very different authentication methods. It's the inconsistency that drives a lot of the poor performance I've mentioned here.
20:46:21 [Ian]: ...handing over a piece of the checkout to the issuer is something that merchants hate.
20:47:21 [Ian]: Dean: The final big strategy is to attempt authorization EVEN IF authentication fails.
20:47:35 [Ian]: ...people ask "Don't you think those are fraudsters?"
20:47:51 [Ian]: ...and the answer is "mostly no; it's mostly just customers not getting through authentication."
20:47:51 [nicktr]: q?
20:48:10 [Ian]: Dean: So we've got something called SafetyNet to preserve conversion rates.
20:48:41 [Ian]: ...outside of Europe (except for India) you don't have SCA requirements driven by regulation.
20:49:02 [Ian]: ...so as a merchant, we have an opportunity to be a lot smarter on how we do SCA and do it much more in-line with when we think there is risk of fraud.
20:49:08 [Rose__]: Rose__ has joined #wpwg
20:49:13 [Gerhard]: q+
20:49:14 [Ian]: ...PSD2 has a more heavy-handed approach.
20:50:05 [nicktr]: q- nicktr later
20:50:12 [Ian]: SameerT: This was very helpful. One question I have in terms of data being shared with issuers. Do you see much difference between what data is shared in the UK v other markets?
20:50:13 [nicktr]: q+
20:50:18 [JeanLuc]: q+
20:50:33 [Ian]: Dean: We share the exact data in UK and EU markets.
20:50:43 [Ian]: s/exact/exact same/
20:51:17 [Ian]: Dean: There are different risk systems for authentication v. authorization. The ACS risk models (for authentication) are not as mature as the card network models (for authorization)
20:51:56 [Ian]: SameerT: This data is very helpful; we are trying to define a roadmap for 3DS to ensure that risk models get enough data to avoid challenges.
20:52:15 [Ian]: ...cf other conversations at W3C about data collection from the browser.
20:52:34 [nicktr]: ack SameerT
20:52:42 [nicktr]: ack Gerhard
20:53:44 [Ian]: Gerhard: Would SPC be interesting (e.g., because merchant controls UX and issuer can validate assertion)?
20:53:58 [Ian]: Dean: This is a super interesting idea and something that I'm still learning about.
20:54:40 [Ian]: ...the idea is appealing. If we have an approach that can tackle either the fact that, today, customers have a poor experience with their bank, that would be great.
20:54:49 [Ian]: ...and if we have a way to lower the challenge rate, that would be great.
20:55:27 [Ian]: ...so we want both better experience for customer and lower challenge rates.
20:56:24 [Ian]: Gerhard: I perceive a difference in which authentication mechanisms are used between Web and native apps.
20:56:38 [Ian]: ...do you think issuers are concerned about that?
20:57:00 [nicktr]: q+ nicktr later
20:57:06 [nicktr]: q- later
20:57:19 [Ian]: Dean: It is an important consideration. You have merchants that are fully app-based (e.g., Uber) and so, from an issuer perspective they are going to need to support both.
20:57:44 [Ian]: ...if we are asking issuers to support a standard and that standard only targets web but not native, it lowers the ROI of that solution investment.
20:57:52 [Ian]: q?
20:58:00 [Ian]: queue== JeanLuc, nicktr
20:58:20 [nicktr]: zakim, close the queue
20:58:20 [Zakim]: ok, nicktr, the speaker queue is closed
20:58:32 [Ian]: Dean: App experience can be the best experience (app-to-app). The SDK flow can't be ignored.
20:58:32 [Ian]: ack JEan
20:59:20 [Ian]: JeanLuc: Regarding "avoid authentication". Regarding MIT/MOTO out-of-scope transactions...this is being re-evaluated and it may be complicated in the future.
20:59:46 [Ian]: ...for "authorization first with exemption flagging" ... we've started to see some penalties from issuers in the fact of soft declines.
21:00:09 [Ian]: ...you observe that some merchants are reluctant to share info through 3DS due to sensitive data.
21:01:33 [Ian]: Dean: the way I think about your comment...a merchant can't have it both ways. We can't complain about an issuer doing a high challenge rate if we are not giving the issuer information necessary to make a frictionless decision.
21:01:52 [Ian]: ...we would ask the issuer community to make it clear to merchants what the important fields are for issuer risk systems
21:02:03 [Ian]: q?
21:02:09 [Bastien]: Bastien has joined #WPWG
21:02:21 [Bastien]: q+
21:02:40 [Ian]: JeanLuc: Maybe requirements in 3DS change based on availability or lack of other fields.
21:03:09 [Ian]: Dean: I don't think that EMVCo as a standards body would likely be that perspective. I anticipate it would be more from the card networks providing guidance on how to get good authentication performance.
21:03:10 [Ian]: q?
21:03:49 [Ian]: Bastien: As much as I love the conversation here, there's plenty of space for providing feedback directly to EMVCo.
21:05:02 [Ian]: NickTR: We'd love for you to implement SPC!
21:05:25 [Ian]: ...thanks again for the great presentation
21:05:32 [Ian]: Topic: EMVCo on SPC / Demo
21:06:08 [RRSAgent]: I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
21:06:28 [Ian]: Doug: We're going to provide some EMVCo feedback on SPC.
21:06:43 [Ian]: ...feedback is mostly about how to handle some new category of transactions (e.g., subscriptions)
21:07:08 [Ian]: ...there's a lot of focus (e.g., in EU) on increasing the transparency of payment authentication when it involves asking users to enter a recurring transaction.
21:07:18 [Ian]: ...users may not always be aware of what they are being asked to consent to
21:07:55 [Ian]: -> http://www.w3.org/2022/Talks/emvco-tpac-2022.pptx EMVCo slides
21:08:40 [Ian]: Doug: In the transaction dialog we'd like to see more branding (so user understands context), an explanatory note, a larger icon.
21:08:51 [Ian]: ...we also want to extend SPC to handle non-payment use cases.
21:09:58 [clinton]: clinton has joined #wpwg
21:10:39 [Ian]: [Doug lists some use cases]
21:10:56 [Ian]: Doug: Different parameters that can be set independently:
21:11:01 [Ian]: * Amount (which may vary)
21:11:06 [Ian]: * Frequency
21:12:12 [Ian]: Doug: We'd like to be able to use SPC when recurring transactions occur; we see that segment growing
21:12:45 [nicktr]: q?
21:12:48 [Ian]: ...another use case: I order 10 pieces of clothing and have one month to return some of them and I'm only billed for those I keep
21:12:50 [nicktr]: q-
21:13:10 [Ian]: Doug: Another use case is variable amount/variable frequency (e.g., travel card)
21:13:19 [Ian]: q+
21:13:28 [nicktr]: zakim, open the queue
21:13:28 [Zakim]: ok, nicktr, the speaker queue is open
21:13:31 [smcgruer_[EST]]: q?
21:14:17 [Ian]: Ian: Could you create an enumeration rather than arbitrary text?
21:14:33 [Ian]: Doug: That's really hard given use cases as well as other nuances like language differences.
21:14:49 [Ian]: ...in the 2.3.1 specification we have added a freeform text field to support this use case.
21:15:03 [nicktr]: q+
21:15:38 [Ian]: ack Ni
21:15:58 [Ian]: nicktr: How commonly is 3DS2 being used to authenticate these recurring transaction use cases?
21:16:20 [Gerhard]: q+
21:16:38 [Gerhard]: Comment: Open Banking specs and EMV QR has 'codified' some of this variability. Could we perhaps use that?
21:16:59 [Ian]: Nick: Is this a rarely used bit of the spec? I'm not aware of many acquirers or issuers who would use this commonly.
21:17:37 [Ian]: ...is this commonly done today or emerging?
21:17:52 [Ian]: q?
21:18:06 [Ian]: ack Gerhard
21:18:37 [ChristianA]: q+
21:18:42 [Ian]: Gerhard: We look at open banking specs and they have a number of parameters around recurrence (as Ian was hinting). And the EMVCo QR spec has some parameters as well.
21:18:45 [smcgruer_[EST]]: q+
21:19:07 [Ian]: Gerhard: I can see this working well for a subscription service.
21:19:13 [Ian]: ...or "would you like to trust this merchant?"
21:19:24 [Ian]: or "Would you like to have your card stored on file with this merchant?"
21:19:48 [Ian]: ...but I would be worried about very open consents ("any amount, any merchant", etc)
21:20:01 [Ian]: ack ChristianA
21:20:14 [Ian]: ChristianA: In the EU they've said "it happens a lot, but it doesn't happen in the right way"
21:20:50 [Rose__]: q+
21:20:53 [Ian]: ...so European Union came to us to find solutions
21:21:09 [Ian]: ack smcgruer_[EST]
21:21:11 [SameerT]: q+
21:21:34 [Ian]: smcgruer_[EST]: I think it is a very unlikely world where we will put arbitrary text in a secure dialog.
21:21:41 [Ian]: ...but I'm excited to hear the appetite for this.
21:22:07 [Ian]: ...if we can codify this in any way to hit 80% of use cases, that's much more palatable.
21:22:30 [Gerhard]: q+
21:22:37 [Ian]: q+ to talk about consent functionality in WebAuthn
21:22:40 [Ian]: ack Rose__
21:23:09 [smcgruer_[EST]]: q?
21:23:16 [Ian]: Rose__: Regarding use cases and commonality; this does arise. Prices changing based on tax computations is another use case.
21:23:20 [Ian]: ack SameerT
21:23:35 [Ian]: SameerT: Could we define a set of use cases, e.g., "Travel", "Subscription"
21:23:56 [Laka]: Laka has joined #wpwg
21:24:09 [Ian]: smcgruer_[EST]: Our UX people will want to write the actual text.
21:24:28 [Ian]: ...regarding translation, the Web site and your Chrome UX may not be in the same language.
21:25:28 [nicktr]: ack Gerhard
21:25:30 [Ian]: present+ Xu_Lin
21:25:44 [Ian]: Gerhard: I think there are three categories of use case:
21:25:46 [Ian]: 1) ID & V
21:25:52 [Ian]: 2) Payments
21:26:04 [Ian]: 3) Consent about other data
21:26:38 [Ian]: ack me
21:26:38 [Zakim]: Ian, you wanted to talk about consent functionality in WebAuthn
21:27:52 [Ian]: Ian: I will add "sign what you see" to tomorrow's joint meeting
21:28:27 [nicktr]: q?
21:28:32 [Ian]: [Non-payment transactions]
21:28:40 [Ian]: Doug: What happens if we pass a "0" amount?
21:29:34 [Ian]: (We confirm payment request would allow this.)
21:30:03 [Ian]: Doug: We'd like to allow authentication for future payments. It would be good to suppress the 0 amount in this case.
21:30:27 [Ian]: smcgruer_[EST]: This gets to the point of "scope of SPC"; we've gotten support from the WebAuthn approach for our limited payments use case.
21:30:49 [Ian]: ...I'm not sure whether right vehicle is SPC or something else; we need to coordinate with the WebAuthn folks.
21:31:50 [Ian]: [Branding]
21:32:03 [Ian]: Doug: We think we need more branding so that people understand to whom they are authenticating.
21:32:19 [smcgruer_[EST]]: q?
21:32:25 [Ian]: ....to the extent that there could be consistency in branding between the transaction dialog and the 3DS dialog, that would be helpful
21:32:48 [Ian]: smcgruer_[EST]: These are valid observations. There is certainly one verifiable bit of information (RPID) but that's not branded.
21:33:28 [Ian]: Ian: Does it help that images can be validated?
21:33:38 [Ian]: smcgruer_[EST]: No; the RP could be malicious.
21:34:11 [smcgruer_[EST]]: q?
21:34:31 [Gerhard]: q+
21:35:13 [Ian]: q+ to be sure we are tracking the issues
21:36:05 [nicktr]: ack Gerhard
21:36:20 [Ian]: Gerhard: Are there niche industry use cases that are relevant here (e.g., travel, hospitality)
21:36:33 [Ian]: ...I recall extensions for travel and hospitality
21:37:09 [Ian]: SameerT: I don't think those extensions are relevant here.
21:37:15 [erhardbrand]: erhardbrand has joined #wpwg
21:37:48 [nicktr]: ack Ian
21:37:48 [Zakim]: Ian, you wanted to be sure we are tracking the issues
21:37:50 [Ian]: https://github.com/w3c/secure-payment-confirmation/issues
21:39:53 [Ian]: [We validate that all the issues raised today are in the SPC issues list]
21:39:58 [Ian]: [Demo]
21:47:00 [Ian]: [Demo where there's a timeout in the transaction dialog]
21:49:20 [SameerT]: q+
21:49:21 [nicktr]: q?
21:49:23 [Gerhard]: Dropping off as nearly midnight on my side. Enjoy the rest of the sessions! And thank you to all the presenters.
21:49:33 [Ian]: SameerT: Can you run through the merchant-initiated flow?
21:50:03 [Ian]: SameerT: Does clicking "Confirm purchase" constitute a user activation?
21:50:21 [Ian]: smcgruer_[EST]: If SPC is called from merchant domain, then it suffices.
21:50:46 [Ian]: ...if you were looking at the case where there's an iframe, if you have an issuer button in that case, that would constitute the user activation.
21:50:57 [Ian]: SameerT: What about where adyen takes you to their own domain?
21:51:42 [Ian]: smcgruer_[EST]: You have two options. Suppose Adyen opens an iframe in the airbnb domain. There's a way to delegate the user activation from airbnb to adyen. If this is not done, then Adyen would need to have their own user interaction.
21:52:02 [Ian]: ...I think that's how they are doing it these days. It does allow the PSP to offer alternative authentication approaches as well.
21:52:31 [nicktr]: q?
21:52:34 [nicktr]: ack smcgruer_[EST]
21:52:40 [nicktr]: ack SameerT
21:52:51 [Ian]: SameerT: In 3DS we do well merchants what they need to do; might need to say more to them about user activation.
21:53:03 [praveena]: q?
21:53:33 [Ian]: smcgruer_[EST]: An advisory note might be useful. But in the case of issuer initiation, you probably don't want to recommend that the merchant delegate a user activation to the issuer.
21:53:57 [nicktr]: q?
21:54:06 [Ian]: SameerT: The merchant doesn't yet know whether the issuer is prepared to do SPC. So the merchant (which does know it wants to do SPC) may need to do the user activation even if it ends up not being used.
21:57:37 [Ian]: smcgruer_[EST]: The only reason SPC requires a user gesture is that payment request requires it. But WebAuthn.get() does not require a user activation.
21:57:50 [Ian]: ...but I can see a world where people don't require a user activation
21:58:04 [Ian]: q?
21:58:08 [RRSAgent]: I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
22:29:59 [ChristianA]: ChristianA has joined #wpwg
22:30:13 [Rose]: Rose has joined #wpwg
22:34:34 [Ian]: Topic: SPC getting to CR
22:34:48 [Ian]: -> https://github.com/w3c/secure-payment-confirmation/wiki/SPC-Candidate-Recommendation-Vision Vision
22:35:03 [careyf]: careyf has joined #wpwg
22:35:08 [Hemnath]: Hemnath has joined #wpwg
22:35:20 [takashi]: takashi has joined #WPWG
22:37:19 [smcgruer_[EST]]: https://github.com/WebKit/standards-positions/issues/30
22:40:19 [nicktr]: q?
22:40:42 [smcgruer_[EST]]: https://wpt.fyi/results/secure-payment-confirmation?label=experimental&label=master&aligned
22:41:41 [Ian]: https://github.com/w3c/secure-payment-confirmation/wiki/SPC-Candidate-Recommendation-Vision
22:42:05 [smcgruer_[EST]]: https://github.com/w3c/secure-payment-confirmation/issues?q=is%3Aissue+is%3Aopen+-label%3A%22after-v1%22
22:42:15 [smcgruer_[EST]]: https://github.com/w3c/secure-payment-confirmation/issues?q=is%3Aissue+is%3Aopen+label%3A%22after-v1%22+
22:43:00 [Ian]: Ian: It would be great to get feedback from Apple on the standards position, and if there are a small number of suggestions, I expect the WG would like to get them done in V1
22:43:08 [Ian]: [Nick does a review of the W3C process states]
22:45:58 [smcgruer_[EST]]: q?
22:46:52 [RRSAgent]: I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
22:47:15 [nicktr]: q?
22:47:29 [nicktr]: scribenick: nicktr
22:47:43 [nicktr]: ian reviews future SPC requirements
22:47:49 [nicktr]: https://github.com/w3c/secure-payment-confirmation/issues?q=is%3Aissue+is%3Aopen+-label%3A%22after-v1%22
22:49:00 [nicktr]: ian: https://github.com/w3c/secure-payment-confirmation/issues/205 is about given the browser extra information about how to internationalise things like merchant name
22:49:56 [Ian]: Web3 means many things to many people. Some see Web3 as a collection of existing technology that is used to scam many newcomers of their wallet contents. Others see this as a means to a future state where the world's transactions are made on a distributed ledger or blockchain. In this session, we will be exploring what Web3 means to those building in the space and where the intersection of Internet standards might occur, if at all. Think of this as an expl
22:49:56 [Ian]: oratory conversation with participants in the field and those that are curious about the future of this technology.
22:49:56 [Ian]: Web3 means many things to many people. Some see Web3 as a collection of existing technology that is used to scam many newcomers of their wallet contents. Others see this as a means to a future state where the world's transactions are made on a distributed ledger or blockchain. In this session, we will be exploring what Web3 means to those building in the space and where the intersection of Internet standards might occur, if at all. Think of this as an expl
22:50:00 [Ian]: oratory conversation with participants in the field and those that are curious about the future of this technology.
22:50:05 [Ian]: https://github.com/w3c/secure-payment-confirmation/issues/197
22:52:06 [Ian]: ACTION: smcgruer_[EST] to get info on priority of more icons in transaction dialog from design team
22:53:35 [nicktr]: ian: issue 187 is about providing clarity about the relationships between the various parties in an SPC authentication
22:54:41 [nicktr]: ian: 186 is non-payment use cases including "zero value" authentication
22:56:13 [nicktr]: ...so it would be good to understand what we need to display
22:57:00 [nicktr]: doug: this steps us into the use case for where the initial payment is zero but the recurring payment is non-zero
22:57:31 [Ian]: https://github.com/w3c/secure-payment-confirmation/issues/186
22:57:40 [nicktr]: sameerT: adding a card to a wallet is another good example of this
22:58:29 [nicktr]: smcgruer_[EST]: could you do this with your own UI and webauthn?
22:58:39 [nicktr]: SameerT: yes
23:00:05 [nicktr]: smcgruer_[EST]: SPC enrolment is the same as webauthn - the only difference is the extra payment bit that gets set
23:00:17 [nicktr]: ...so my challenge would be that webauthn should be used
23:00:58 [nicktr]: clinton: which credential are we talking about?
23:01:19 [nicktr]: ..the SPC component is just about giving the merchant additional reassurance
23:02:18 [RRSAgent]: I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html nicktr
23:03:00 [Ian]: smcgruer_[EST] use case: re-prove your identity when adding an existing credential to a wallet; is there value with user consent that they added a card?
23:03:37 [Ian]: ACTION: Sameer to work with the 3DS WG to write down in more detail the "non-payment transaction" use case.
23:05:43 [Ian]: [ADJOURNED]
23:05:48 [RRSAgent]: I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian