14:50:08 RRSAgent has joined #wpwg
14:50:12 logging to https://www.w3.org/2023/01/19-wpwg-irc
14:50:16 Meeting: Web Payments Working Group
14:50:26 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20230119
14:50:32 Scribe: Ian
14:50:40 regrets+ smcgruer
14:50:44 present+ Ian
14:51:04 I have made the request to generate https://www.w3.org/2023/01/19-wpwg-minutes.html Ian
14:58:43 benoit has joined #wpwg
14:58:53 apologues... I can't make the meeting today
14:58:59 Ok, thanks David
14:59:00 ... and can't spell :)
14:59:04 regrets+ David_Benoit
15:00:24 present+ Christian_Aabye
15:00:29 present+ Franck_Delache
15:00:32 present+ Nick_Burris
15:00:38 present+ Nick_Telford-Reed
15:00:49 Chair: NickTR
15:01:00 present+ Praveena_Subrahmanyam
15:01:07 present+ Rick_Byers
15:01:14 Anne has joined #wpwg
15:01:55 present+ Anne_Pouillard
15:02:01 present+ Steve_Cole
15:02:44 Gerhard has joined #wpwg
15:03:23 present+ Gerhard
15:03:46 Topic: Happy New Year
15:03:58 present+ Jean-Luc_di_Manno
15:04:01 NickTR: Welcome all!
15:04:05 JeanLuc has joined #WPWG
15:04:19 ...we traditionally take time at an early meeting to reflect and look ahead at plans
15:04:32 ...these are momentous times at W3C (governance transition)
15:04:33 AdrianHB_ has joined #wpwg
15:04:43 ...we can take comments on the transition
15:04:50 ...2022 was a successful year for the WB
15:05:07 ...we advanced PR API to Recommendation
15:05:15 present+ Rouslan_Solomakhin
15:05:34 present+ AdrianHB_
15:05:35 ...very grateful for payments industry, implementers, and all who helped move this forward
15:06:00 ...we have also built a lot of momentum around SPC which is really turning heads, at least in the card payment community
15:06:13 ...3DS integration is big validation of the work
15:06:38 ...it's easy to lose track of time and think things aren't moving forward, so valuable to pause to look at these achievements
15:07:09 ...in 2023 we may see a slight "gear change": slow down on Payment Request (tweaks, bug fixes, etc.)
15:07:26 ...we can look at features for version 2
15:07:45 ...we can continue to debate "payments API" v "e-commerce API"
15:07:55 benoit_ has joined #wpwg
15:08:00 present+ Sameer_Tare
15:08:16 ...I also hope that we can get broader interest in non-card payment authentication with SPC
15:08:42 ...there are some initiatives that are gaining traction (e.g., open banking in North America)
15:09:00 ...and I expect clearer direction for open banking in Europe (e.g., focus on a single standard)
15:09:20 ...it would be great to foster experimentation in open banking with SPC
15:09:48 ...I would say that this is the first time in my career there is an opportunity for a unified authentication approach in payments
15:10:07 ...at the current time we have one (awesome! :)) implementation; we will need to work to get a second
15:10:38 ...as always, I think more experimentation around payment handlers would be valuable to create more competition and innovation; payment handlers are a valuable extension point
15:11:06 q?
15:11:21 NickTR: Logistical question in light of this -- whether we slow meeting cadence
15:11:41 present+ Suzie-Annezo_Sebire
15:11:45 present+ Manish_Garg
15:12:14 SuzieAS has joined #wpwg
15:12:31 present+ Gregoire_Leleux
15:12:44 NickTR: So thank you all and take a moment to appreciate your accomplishments from 2022.
15:13:04 q?
15:13:26 Gregoire has joined #WPWG
15:13:39 Rick: Thanks for that intro! On behalf of Google we share your optimism.
15:13:58 ...I think we are at a unique moment in the history of the Web to accomplish those things you mentioned
15:14:21 ...I think there are great opportunities to brainstorm about how to improve the web for payments
15:14:30 ...big opportunities; keep up the enthusiasm
15:14:32 +1 to in-person collaboration. Yay!
15:15:40 Topic: SPC V1
15:17:43 Horz review started
15:17:51 q?
15:18:02 Topic: SPC post-V1
15:18:20 -> https://www.w3.org/2022/11/10-wpwg-minutes.html#t02 Nov discussion
15:18:28 -> http://www.w3.org/2022/Talks/spc-entersekt-20221110.pdf Gerhard slides
15:19:22 q+
15:19:27 Gerhard: There are some new topics to cover (e.g., PSD3)
15:19:34 ...open banking gaining traction
15:19:55 ...there will still be a desire for safe frictionless experiences where SCA not required
15:20:39 NickTR: Push payment fraud in the UK appears to be about the same size as card payments but with only 1% of the volume of payments
15:20:42 ...it's a huge problem
15:21:27 Gerhard: Transition between payments is important and friction is a big problem
15:22:05 ack nick
15:23:29 Gerhard: My theory why we are not yet seeing SPC with open banking is that we don't handle the "handover"
15:24:02 ...if we want to cater to more flows, how do we extend the consent piece?
15:24:19 ...we could go small (e.g., add more fields to transaction dialog)
15:24:29 ...or we could extend to more use cases
15:24:43 ...we had a number of use cases with a first consent to issue a credential
15:24:54 ...the initial friction allows lower friction subsequent payments
15:25:10 ...so there are other types of approval such as "recurring" or "subsequent low friction payments"
15:25:48 ...we could also look at implementing SPC on top of other auth mechanisms (e.g., roaming authenticators, but also non-biometric auth mechanisms)
15:26:14 ...or single-factor FIDO
15:26:27 ...these three buckets I've identified overlap.
15:27:07 [Slide 6 - grouping open issues into the three buckets]
15:27:28 I have made the request to generate https://www.w3.org/2023/01/19-wpwg-minutes.html Ian
15:28:10 [Note: Some of these use cases also identified by EMVCo (recurring, card on file registration)]
15:28:40 Gerhard: Another example is future-dated payments (where we might need to display the future date)
15:29:27 SameerT has joined #wpwg
15:30:01 Gerhard: Slide 7 - there are goals of allowing the user to say "trust this merchant" or "trust this device"
15:30:14 ...the browser could play an important role "trust this browser"
15:30:36 ...currently this is done with fingerprinting; there could be better ways to bring the browser into the mix
15:30:58 ...could be an SPC flag leading to some browser behavior on a given origin
15:31:48 ...in a push payment environment there are opportunities for fraud; e.g., bad spelling of a merchant. The browser could provide additional protections to help reduce spoofing
15:32:27 [Regarding handing over]
15:32:41 ...handing over to browser instead of app could offer a better UX in some cases
15:32:45 qq?
15:32:47 q?
15:33:06 Gerhard: Another field that could be interesting to display is "account selection"
15:33:33 ...in the SPC dialog
15:34:12 Nick: We have scars from those discussions
15:34:38 Gerhard: I agree that instrument selection in the dialog might be too far
15:34:47 Rick: +1 to minimize UX owned by the browser
15:34:55 ...due to complexity and challenge of inter
15:35:00 ...let's keep it essential
15:35:20 ...we still need to understand what will drive adoption of SPC
15:35:35 ...want to see more adoption before we invest in lots of new features
15:35:37 q+
15:36:04 Gerhard: Use case scope may be impacting adoption
15:36:14 q?
15:37:06 present+ Doug_Fisher
15:37:34 Ian: I think it helps to look at use cases and figure out the sweet spot scope from both industry and browser implementer perspectives.
15:38:21 [More use cases: storage of token, recurring, future dated, standing orders, P2P]
15:39:15 Praveena: As a merchant trying to implement SPC is to make sure all the parties can work together (processes, contracts, etc.)
15:39:21 ...I will say that people are excited to see this
15:42:02 [Gerhard compares recurring payments data for 3DS and Open banking UK]
15:42:06 ...frequency, amount, end date
15:42:27 [International payments]
15:42:40 Gerhard: More fields are shown (IBAN, country, currency, exchange rates, ...)
15:42:59 ...may not be a big enough market for prioritizing at this time
15:43:13 [Bulk payments]
15:43:19 [Multi-auth payments]
15:43:39 Gerhard: In this case, multiple parties have to authenticate; this use case is not front of mind for me
15:43:50 [Additional forms of authentication]
15:44:06 Gerhard: There are opportunities like registering a card on file or indicating that the user trusts a merchant.
15:44:21 ...regarding additional forms of authentication:
15:44:29 - possession only (not EU SCA)
15:44:55 ...OTP technically is not a possession factor, but it's used as one. We could consider a browser capability with a binary response "Yes; trusted"
15:45:25 ...in this case, merchant could still opt for higher security flows
15:45:37 ...but I think there are some low friction opportunities that don't rely on FIDO under the hood
15:45:43 q+
15:46:12 Gerhard: Might be some ways for user to express frictionless conditions like "No friction for 3 weeks" or "No friction for payments under amount X"
15:47:21 Ian: Who consumes the trust signal?
15:47:36 Gerhard: The bank. The user sets a flag; the flag value is signed in SPC data.
15:47:46 ...and that input could go to issuer e.g., to not challenge
15:48:01 NickTR: There are credit card flows that support that today
15:48:09 ...you don't get 3DS challenges for trusted merchants
15:48:25 ...this type of exemption is called out in PSD2
15:48:26 q?
15:48:27 ack me
15:48:34 q?
15:48:50 q?
15:48:53 Gerhard: Anyone want to weigh in regarding use cases / prioritization?
15:49:25 as per EBA an app installed on a device (a browser) is not considered as reliable as a "possession" element - https://www.eba.europa.eu/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2
15:49:46 Gerhard: The EBA is quite strict
15:50:01 ...they require 2FA; but there are other markets than EU
15:50:41 Topic: Payment Handler API
15:51:01 Rouslan: We removed shipping info from payment handlers
15:51:03 https://github.com/w3c/payment-handler/pull/406
15:51:25 Rouslan: In Payment Request 1.0 we removed shipping information following privacy review
15:51:44 ...PR API 1.0 went to rec without address support.
15:52:00 ...we adjusted the payment handler API at the same time
15:52:30 ...in payment handler API, address support is provided by the payment handler (not the browser)
15:53:24 ...Chrome users of PR API still want shipping addresses.
15:53:48 ...we don't think we can remove the feature from the implementation, and we want the specs to align with implementations
15:53:56 ...Apple's implementation also uses addresses
15:54:17 ...implementations are thus aligned and so we need to work again in the W3C community to find a good way to bring the features back in the API
15:54:31 ...we also want to update the payment handler API to match the PR API
15:54:58 ...this is a heads-up to the WG that we've restored addresses (cf pull request 406, which reversed previous removal)
15:55:24 ...meanwhile we have been aligning payment handlers with the privacy sandbox
15:56:06 ...we want to ensure payment handlers are not used to track users
15:56:14 ...e.g., we are removing very soon "payment instruments"
15:56:33 ...it will no longer be possible to silently install a payment handler in the user's browser
15:56:39 ...this feature is not being used, by the way
15:56:46 ...what's being used everywhere is "just in time installation"
15:56:55 ...so we are updating the spec to talk about JIT installation
15:57:11 https://github.com/w3c/payment-handler/pull/407
15:57:35 ...we also plan to remove payment instruments API surface
15:57:50 ...so the only way to install a payment handler henceforth will be for a merchant to request API with that app for the first time.
15:58:14 Ian: Can you install a payment app on the bank site?
15:58:23 Rouslan: Yes, but via a "mock payment" (just in time)
15:59:34 Topic: TPAC 2023
15:59:40 https://lists.w3.org/Archives/Public/public-payments-wg/2023Jan/0001.html
15:59:59 Topic: Next meeting
16:00:01 2 February
16:00:29 RRSAGENT, make minutes
16:00:30 I have made the request to generate https://www.w3.org/2023/01/19-wpwg-minutes.html Ian
16:01:04 RRSAGENT, set logs public
16:17:53 zakim, bye
16:17:53 leaving. As of this point the attendees have been Ian, Christian_Aabye, Franck_Delache, Nick_Burris, Nick_Telford-Reed, Praveena_Subrahmanyam, Rick_Byers, Anne_Pouillard,
16:17:53 Zakim has left #wpwg
16:17:55 rrsagent, bye
16:17:55 I see no action items