IRC log of wpwg on 2023-01-19

Timestamps are in UTC.

14:50:08 [RRSAgent]
RRSAgent has joined #wpwg
14:50:12 [RRSAgent]
logging to https://www.w3.org/2023/01/19-wpwg-irc
14:50:16 [Ian]
Meeting: Web Payments Working Group
14:50:26 [Ian]
Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20230119
14:50:32 [Ian]
Scribe: Ian
14:50:40 [Ian]
regrets+ smcgruer
14:50:44 [Ian]
present+ Ian
14:51:04 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/01/19-wpwg-minutes.html Ian
14:58:43 [benoit]
benoit has joined #wpwg
14:58:53 [benoit]
apologues... I can't make the meeting today
14:58:59 [Ian]
Ok, thanks David
14:59:00 [benoit]
... and can't spell :)
14:59:04 [Ian]
regrets+ David_Benoit
15:00:24 [Ian]
present+ Christian_Aabye
15:00:29 [Ian]
present+ Franck_Delache
15:00:32 [Ian]
present+ Nick_Burris
15:00:38 [Ian]
present+ Nick_Telford-Reed
15:00:49 [Ian]
Chair: NickTR
15:01:00 [Ian]
present+ Praveena_Subrahmanyam
15:01:07 [Ian]
present+ Rick_Byers
15:01:14 [Anne]
Anne has joined #wpwg
15:01:55 [Ian]
present+ Anne_Pouillard
15:02:01 [Ian]
present+ Steve_Cole
15:02:44 [Gerhard]
Gerhard has joined #wpwg
15:03:23 [Ian]
present+ Gerhard
15:03:46 [Ian]
Topic: Happy New Year
15:03:58 [Ian]
present+ Jean-Luc_di_Manno
15:04:01 [Ian]
NickTR: Welcome all!
15:04:05 [JeanLuc]
JeanLuc has joined #WPWG
15:04:19 [Ian]
...we traditionally take time at an early meeting to reflect and look ahead at plans
15:04:32 [Ian]
...these are momentous times at W3C (governance transition)
15:04:33 [AdrianHB_]
AdrianHB_ has joined #wpwg
15:04:43 [Ian]
...we can take comments on the transition
15:04:50 [Ian]
...2022 was a successful year for the WB
15:05:07 [Ian]
...we advanced PR API to Recommendation
15:05:15 [Ian]
present+ Rouslan_Solomakhin
15:05:34 [AdrianHB_]
present+ AdrianHB_
15:05:35 [Ian]
...very grateful for payments industry, implementers, and all who helped move this forward
15:06:00 [Ian]
...we have also built a lot of momentum around SPC which is really turning heads, at least in the card payment community
15:06:13 [Ian]
...3DS integration is big validation of the work
15:06:38 [Ian]
...it's easy to lose track of time and think things aren't moving forward, so valuable to pause to look at these achievements
15:07:09 [Ian]
...in 2023 we may see a slight "gear change": slow down on Payment Request (tweaks, bug fixes, etc.)
15:07:26 [Ian]
...we can look at features for version 2
15:07:45 [Ian]
...we can continue to debate "payments API" v "e-commerce API"
15:07:55 [benoit_]
benoit_ has joined #wpwg
15:08:00 [Ian]
present+ Sameer_Tare
15:08:16 [Ian]
...I also hope that we can get broader interest in non-card payment authentication with SPC
15:08:42 [Ian]
...there are some initiatives that are gaining traction (e.g., open banking in North America)
15:09:00 [Ian]
...and I expect clearer direction for open banking in Europe (e.g., focus on a single standard)
15:09:20 [Ian]
...it would be great to foster experimentation in open banking with SPC
15:09:48 [Ian]
...I would say that this is the first time in my career there is an opportunity for a unified authentication approach in payments
15:10:07 [Ian]
...at the current time we have one (awesome! :)) implementation; we will need to work to get a second
15:10:38 [Ian]
...as always, I think more experimentation around payment handlers would be valuable to create more competition and innovation; payment handlers are a valuable extension point
15:11:06 [Ian]
q?
15:11:21 [Ian]
NickTR: Logistical question in light of this -- whether we slow meeting cadence
15:11:41 [Ian]
present+ Suzie-Annezo_Sebire
15:11:45 [Ian]
present+ Manish_Garg
15:12:14 [SuzieAS]
SuzieAS has joined #wpwg
15:12:31 [Ian]
present+ Gregoire_Leleux
15:12:44 [Ian]
NickTR: So thank you all and take a moment to appreciate your accomplishments from 2022.
15:13:04 [nicktr]
q?
15:13:26 [Gregoire]
Gregoire has joined #WPWG
15:13:39 [Ian]
Rick: Thanks for that intro! On behalf of Google we share your optimism.
15:13:58 [Ian]
...I think we are at a unique moment in the history of the Web to accomplish those things you mentioned
15:14:21 [Ian]
...I think there are great opportunities to brainstorm about how to improve the web for payments
15:14:30 [Ian]
...big opportunities; keep up the enthusiasm
15:14:32 [AdrianHB_]
+1 to in-person collaboration. Yay!
15:15:40 [Ian]
Topic: SPC V1
15:17:43 [Ian]
Horz review started
15:17:51 [nicktr]
q?
15:18:02 [Ian]
Topic: SPC post-V1
15:18:20 [Ian]
-> https://www.w3.org/2022/11/10-wpwg-minutes.html#t02 Nov discussion
15:18:28 [Ian]
-> http://www.w3.org/2022/Talks/spc-entersekt-20221110.pdf Gerhard slides
15:19:22 [nicktr]
q+
15:19:27 [Ian]
Gerhard: There are some new topics to cover (e.g., PSD3)
15:19:34 [Ian]
...open banking gaining traction
15:19:55 [Ian]
...there will still be a desire for safe frictionless experiences where SCA not required
15:20:39 [Ian]
NickTR: Push payment fraud in the UK appears to be about the same size as card payments but with only 1% of the volume of payments
15:20:42 [Ian]
...it's a huge problem
15:21:27 [Ian]
Gerhard: Transition between payments is important and friction is a big problem
15:22:05 [nicktr]
ack nick
15:23:29 [Ian]
Gerhard: My theory why we are not yet seeing SPC with open banking is that we don't handle the "handover"
15:24:02 [Ian]
...if we want to cater to more flows, how do we extend the consent piece?
15:24:19 [Ian]
...we could go small (e.g., add more fields to transaction dialog)
15:24:29 [Ian]
..or we could extend to more use cases
15:24:43 [Ian]
...we had a number of use cases with a first consent to issue a credential
15:24:54 [Ian]
...the initial friction allows lower friction subsequent payments
15:25:10 [Ian]
...so there are other types of approval such as "recurring" or "subsequent low friction payments"
15:25:48 [Ian]
...we could also look at implementing SPC on top of other auth mechanisms (e.g., roaming authenticators, but also non-biometric auth mechanisms)
15:26:14 [Ian]
...or single-factor FIDO
15:26:27 [Ian]
...these three buckets I've identified overlap.
15:27:07 [Ian]
[Slide 6 - grouping open issues into the three buckets]
15:27:28 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/01/19-wpwg-minutes.html Ian
15:28:10 [Ian]
[Note: Some of these use cases also identified by EMVCo (recurring, card on file registration)]
15:28:40 [Ian]
Gerhard: Another example if future-dated payments (where we might need to display the future date)
15:29:27 [SameerT]
SameerT has joined #wpwg
15:30:01 [Ian]
Gerhard: Slide 7 - there are goals of allowing the user to say "trust this merchant" or "trust this device"
15:30:14 [Ian]
..the browser could play an important role "trust this browser"
15:30:36 [Ian]
...currently this is done with fingerprinting; there could be better ways to bring the browser into the mix
15:30:58 [Ian]
...could be an SPC flag leading to some browser behavior on a given origin
15:31:48 [Ian]
...in a push payment environment there are opportunities for fraud; e.g., bad spelling of a merchant. The browser could provide additional protections to help reduce spoofing
15:32:27 [Ian]
[Regarding handing over]
15:32:41 [Ian]
...handing over to browser instead of app could offer a better UX in some cases
15:32:45 [Ian]
qq?
15:32:47 [Ian]
q?
15:33:06 [Ian]
Gerhard: Another field that could be interesting to display is "account selection"
15:33:33 [Ian]
...in the SPC dialog
15:34:12 [Ian]
Nick: We have scars from those discussions
15:34:38 [Ian]
Gerhard: I agree that instrument selection in the dialog might be too far
15:34:47 [Ian]
Rick: +1 to minimize UX owned by the browser
15:34:55 [Ian]
...due to complexity and challenge of inter
15:35:00 [Ian]
..let's keep it essential
15:35:20 [Ian]
...we still need to understand what will drive adoption of SPC
15:35:35 [Ian]
...want to see more adoption before we invest in lots of new features
15:35:37 [Ian]
q+
15:36:04 [Ian]
Gerhard: Use case scope may be impacting adoption
15:36:14 [Ian]
q?
15:37:06 [Ian]
present+ Doug_Fisher
15:37:34 [Ian]
Ian: I think it helps to look at use cases and figure out the sweet spot scope from both industry and browser implementer perspectives.
15:38:21 [Ian]
[More use cases: storage of token, recurring, future dated, standing orders, P2P)
15:39:15 [Ian]
Praveena: As a merchant trying to implement SPC is to make sure all the parties can work together (processes, contracts, etc.)
15:39:21 [Ian]
...I will say that people are excited to see this
15:42:02 [Ian]
[Gerhard compares recurring payments data for 3DS and Open banking UK]
15:42:06 [Ian]
...frequency, amount, end date
15:42:27 [Ian]
[International payments]
15:42:40 [Ian]
Gerhard: More fields are shown (IBAN, country, currency, exchange rates, ...)
15:42:59 [Ian]
..may not be a big enough market for prioritizing at this time
15:43:13 [Ian]
[Bulk payments]
15:43:19 [Ian]
[Multi-auth payments]
15:43:39 [Ian]
Gerhard: In this case, multiple parties have to authenticate; this use case is not front of mind for me
15:43:50 [Ian]
[Additional forms of authentication]
15:44:06 [Ian]
Gerhard: There are opportunities like registering a card on file or indicating that the user trusts a merchant.
15:44:21 [Ian]
...regarding additional forms of authentication:
15:44:29 [Ian]
- possession only (not EU SCA)
15:44:55 [Ian]
...OTP technically is not a possession factor, but it's used as one. We could consider a browser capability with a binary response "Yes; trusted"
15:45:25 [Ian]
...in this case, merchant could still opt for higher security flows
15:45:37 [Ian]
...but I think there are some low friction opportunities that don't rely on FIDO under the hood
15:45:43 [Ian]
q+
15:46:12 [Ian]
Gerhard: Might be some ways for user to express frictionless conditions like "No friction for 3 weeks" or "No friction for payments under amount X"
15:47:21 [Ian]
Ian: Who consumes the trust signal?
15:47:36 [Ian]
Gerhard: The bank. The user sets a flag; the flag value is signed in SPC data.
15:47:46 [Ian]
..and that input could go to issuer e.g., to not challenge
15:48:01 [Ian]
NickTR: There are credit card flows that support that today
15:48:09 [Ian]
...you don't get 3DS challenges for trusted merchants
15:48:25 [Ian]
...this type of exemption is called out in PSD2
15:48:26 [Ian]
q?
15:48:27 [Ian]
ack me
15:48:34 [nicktr]
q?
15:48:50 [nicktr]
q?
15:48:53 [Ian]
Gerhard: Anyone want to weigh in regarding use cases / prioritization?
15:49:25 [JeanLuc]
as per EBA an app installed on a device (a browser) is not considered as reliable as a "possession" element - https://www.eba.europa.eu/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2
15:49:46 [Ian]
Gerhard: The EBA is quite strict
15:50:01 [Ian]
...they require 2FA; but there are other markets than EU
15:50:41 [Ian]
Topic: Payment Handler API
15:51:01 [Ian]
Rouslan: We removed shipping info from payment handlers
15:51:03 [Ian]
https://github.com/w3c/payment-handler/pull/406
15:51:25 [Ian]
Rouslan: In Payment Request 1.0 we removed shipping information following privacy review
15:51:44 [Ian]
...PR API 1.0 went to rec without address support.
15:52:00 [Ian]
...we adjusted the payment handler API at the same time
15:52:30 [Ian]
...in payment handler API, address support is provided by the payment handler (not the browser)
15:53:24 [Ian]
...Chrome users of PR API still want shipping addresses.
15:53:48 [Ian]
...we don't think we can remove the feature from the implementation, and we want the specs to align with implementations
15:53:56 [Ian]
...Apple's implementation also uses addresses
15:54:17 [Ian]
...implementations are thus aligned and so we need to work again in the W3C community to find a good way to bring the features back in the API
15:54:31 [Ian]
...we also want to update the payment handler API to match the PR API
15:54:58 [Ian]
...this is a heads-up to the WG that we've restored addresses (cf pull request 406, which reversed previous removal)
15:55:24 [Ian]
...meanwhile we have been aligning payment handlers with the privacy sandbox
15:56:06 [Ian]
...we want to ensure payment handlers are not used to track users
15:56:14 [Ian]
...e.g., we are removing very soon "payment instruments"
15:56:33 [Ian]
...it will no longer be possible to silently install a payment handler in the user's browser
15:56:39 [Ian]
...this feature is not being used, by the way
15:56:46 [Ian]
..what's being used everywhere is "just in time installation"
15:56:55 [Ian]
...so we are updating the spec to talk about JIT installation
15:57:11 [Ian]
https://github.com/w3c/payment-handler/pull/407
15:57:35 [Ian]
...we also plan to remove payment instruments API surface
15:57:50 [Ian]
..so the only way to install a payment handler henceforth will be for a merchant to request API with that app for the first time.
15:58:14 [Ian]
Ian: Can you install a payment app on the bank site?
15:58:23 [Ian]
Rouslan: Yes, but via a "mock payment" (just in time)
15:59:34 [Ian]
Topic: TPAC 2023
15:59:40 [Ian]
https://lists.w3.org/Archives/Public/public-payments-wg/2023Jan/0001.html
15:59:59 [Ian]
Topic: Next meeting
16:00:01 [Ian]
2 February
16:00:29 [Ian]
RRSAGENT, make minutes
16:00:30 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/01/19-wpwg-minutes.html Ian
16:01:04 [Ian]
RRSAGENT, set logs public
16:17:53 [Ian]
zakim, bye
16:17:53 [Zakim]
leaving. As of this point the attendees have been Ian, Christian_Aabye, Franck_Delache, Nick_Burris, Nick_Telford-Reed, Praveena_Subrahmanyam, Rick_Byers, Anne_Pouillard,
16:17:53 [Zakim]
Zakim has left #wpwg
16:17:55 [Ian]
rrsagent, bye
16:17:55 [RRSAgent]
I see no action items