IRC log of wpwg on 2023-01-19
Timestamps are in UTC.
- 14:50:08 [RRSAgent]
- RRSAgent has joined #wpwg
- 14:50:12 [RRSAgent]
- logging to https://www.w3.org/2023/01/19-wpwg-irc
- 14:50:16 [Ian]
- Meeting: Web Payments Working Group
- 14:50:26 [Ian]
- Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20230119
- 14:50:32 [Ian]
- Scribe: Ian
- 14:50:40 [Ian]
- regrets+ smcgruer
- 14:50:44 [Ian]
- present+ Ian
- 14:51:04 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/01/19-wpwg-minutes.html Ian
- 14:58:43 [benoit]
- benoit has joined #wpwg
- 14:58:53 [benoit]
- apologues... I can't make the meeting today
- 14:58:59 [Ian]
- Ok, thanks David
- 14:59:00 [benoit]
- ... and can't spell :)
- 14:59:04 [Ian]
- regrets+ David_Benoit
- 15:00:24 [Ian]
- present+ Christian_Aabye
- 15:00:29 [Ian]
- present+ Franck_Delache
- 15:00:32 [Ian]
- present+ Nick_Burris
- 15:00:38 [Ian]
- present+ Nick_Telford-Reed
- 15:00:49 [Ian]
- Chair: NickTR
- 15:01:00 [Ian]
- present+ Praveena_Subrahmanyam
- 15:01:07 [Ian]
- present+ Rick_Byers
- 15:01:14 [Anne]
- Anne has joined #wpwg
- 15:01:55 [Ian]
- present+ Anne_Pouillard
- 15:02:01 [Ian]
- present+ Steve_Cole
- 15:02:44 [Gerhard]
- Gerhard has joined #wpwg
- 15:03:23 [Ian]
- present+ Gerhard
- 15:03:46 [Ian]
- Topic: Happy New Year
- 15:03:58 [Ian]
- present+ Jean-Luc_di_Manno
- 15:04:01 [Ian]
- NickTR: Welcome all!
- 15:04:05 [JeanLuc]
- JeanLuc has joined #WPWG
- 15:04:19 [Ian]
- ...we traditionally take time at an early meeting to reflect and look ahead at plans
- 15:04:32 [Ian]
- ...these are momentous times at W3C (governance transition)
- 15:04:33 [AdrianHB_]
- AdrianHB_ has joined #wpwg
- 15:04:43 [Ian]
- ...we can take comments on the transition
- 15:04:50 [Ian]
- ...2022 was a successful year for the WB
- 15:05:07 [Ian]
- ...we advanced PR API to Recommendation
- 15:05:15 [Ian]
- present+ Rouslan_Solomakhin
- 15:05:34 [AdrianHB_]
- present+ AdrianHB_
- 15:05:35 [Ian]
- ...very grateful for payments industry, implementers, and all who helped move this forward
- 15:06:00 [Ian]
- ...we have also built a lot of momentum around SPC which is really turning heads, at least in the card payment community
- 15:06:13 [Ian]
- ...3DS integration is big validation of the work
- 15:06:38 [Ian]
- ...it's easy to lose track of time and think things aren't moving forward, so valuable to pause to look at these achievements
- 15:07:09 [Ian]
- ...in 2023 we may see a slight "gear change": slow down on Payment Request (tweaks, bug fixes, etc.)
- 15:07:26 [Ian]
- ...we can look at features for version 2
- 15:07:45 [Ian]
- ...we can continue to debate "payments API" v "e-commerce API"
- 15:07:55 [benoit_]
- benoit_ has joined #wpwg
- 15:08:00 [Ian]
- present+ Sameer_Tare
- 15:08:16 [Ian]
- ...I also hope that we can get broader interest in non-card payment authentication with SPC
- 15:08:42 [Ian]
- ...there are some initiatives that are gaining traction (e.g., open banking in North America)
- 15:09:00 [Ian]
- ...and I expect clearer direction for open banking in Europe (e.g., focus on a single standard)
- 15:09:20 [Ian]
- ...it would be great to foster experimentation in open banking with SPC
- 15:09:48 [Ian]
- ...I would say that this is the first time in my career there is an opportunity for a unified authentication approach in payments
- 15:10:07 [Ian]
- ...at the current time we have one (awesome! :)) implementation; we will need to work to get a second
- 15:10:38 [Ian]
- ...as always, I think more experimentation around payment handlers would be valuable to create more competition and innovation; payment handlers are a valuable extension point
- 15:11:06 [Ian]
- q?
- 15:11:21 [Ian]
- NickTR: Logistical question in light of this -- whether we slow meeting cadence
- 15:11:41 [Ian]
- present+ Suzie-Annezo_Sebire
- 15:11:45 [Ian]
- present+ Manish_Garg
- 15:12:14 [SuzieAS]
- SuzieAS has joined #wpwg
- 15:12:31 [Ian]
- present+ Gregoire_Leleux
- 15:12:44 [Ian]
- NickTR: So thank you all and take a moment to appreciate your accomplishments from 2022.
- 15:13:04 [nicktr]
- q?
- 15:13:26 [Gregoire]
- Gregoire has joined #WPWG
- 15:13:39 [Ian]
- Rick: Thanks for that intro! On behalf of Google we share your optimism.
- 15:13:58 [Ian]
- ...I think we are at a unique moment in the history of the Web to accomplish those things you mentioned
- 15:14:21 [Ian]
- ...I think there are great opportunities to brainstorm about how to improve the web for payments
- 15:14:30 [Ian]
- ...big opportunities; keep up the enthusiasm
- 15:14:32 [AdrianHB_]
- +1 to in-person collaboration. Yay!
- 15:15:40 [Ian]
- Topic: SPC V1
- 15:17:43 [Ian]
- Horz review started
- 15:17:51 [nicktr]
- q?
- 15:18:02 [Ian]
- Topic: SPC post-V1
- 15:18:20 [Ian]
- -> https://www.w3.org/2022/11/10-wpwg-minutes.html#t02 Nov discussion
- 15:18:28 [Ian]
- -> http://www.w3.org/2022/Talks/spc-entersekt-20221110.pdf Gerhard slides
- 15:19:22 [nicktr]
- q+
- 15:19:27 [Ian]
- Gerhard: There are some new topics to cover (e.g., PSD3)
- 15:19:34 [Ian]
- ...open banking gaining traction
- 15:19:55 [Ian]
- ...there will still be a desire for safe frictionless experiences where SCA not required
- 15:20:39 [Ian]
- NickTR: Push payment fraud in the UK appears to be about the same size as card payments but with only 1% of the volume of payments
- 15:20:42 [Ian]
- ...it's a huge problem
- 15:21:27 [Ian]
- Gerhard: Transition between payments is important and friction is a big problem
- 15:22:05 [nicktr]
- ack nick
- 15:23:29 [Ian]
- Gerhard: My theory why we are not yet seeing SPC with open banking is that we don't handle the "handover"
- 15:24:02 [Ian]
- ...if we want to cater to more flows, how do we extend the consent piece?
- 15:24:19 [Ian]
- ...we could go small (e.g., add more fields to transaction dialog)
- 15:24:29 [Ian]
- ..or we could extend to more use cases
- 15:24:43 [Ian]
- ...we had a number of use cases with a first consent to issue a credential
- 15:24:54 [Ian]
- ...the initial friction allows lower friction subsequent payments
- 15:25:10 [Ian]
- ...so there are other types of approval such as "recurring" or "subsequent low friction payments"
- 15:25:48 [Ian]
- ...we could also look at implementing SPC on top of other auth mechanisms (e.g., roaming authenticators, but also non-biometric auth mechanisms)
- 15:26:14 [Ian]
- ...or single-factor FIDO
- 15:26:27 [Ian]
- ...these three buckets I've identified overlap.
- 15:27:07 [Ian]
- [Slide 6 - grouping open issues into the three buckets]
- 15:27:28 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/01/19-wpwg-minutes.html Ian
- 15:28:10 [Ian]
- [Note: Some of these use cases also identified by EMVCo (recurring, card on file registration)]
- 15:28:40 [Ian]
- Gerhard: Another example if future-dated payments (where we might need to display the future date)
- 15:29:27 [SameerT]
- SameerT has joined #wpwg
- 15:30:01 [Ian]
- Gerhard: Slide 7 - there are goals of allowing the user to say "trust this merchant" or "trust this device"
- 15:30:14 [Ian]
- ..the browser could play an important role "trust this browser"
- 15:30:36 [Ian]
- ...currently this is done with fingerprinting; there could be better ways to bring the browser into the mix
- 15:30:58 [Ian]
- ...could be an SPC flag leading to some browser behavior on a given origin
- 15:31:48 [Ian]
- ...in a push payment environment there are opportunities for fraud; e.g., bad spelling of a merchant. The browser could provide additional protections to help reduce spoofing
- 15:32:27 [Ian]
- [Regarding handing over]
- 15:32:41 [Ian]
- ...handing over to browser instead of app could offer a better UX in some cases
- 15:32:45 [Ian]
- qq?
- 15:32:47 [Ian]
- q?
- 15:33:06 [Ian]
- Gerhard: Another field that could be interesting to display is "account selection"
- 15:33:33 [Ian]
- ...in the SPC dialog
- 15:34:12 [Ian]
- Nick: We have scars from those discussions
- 15:34:38 [Ian]
- Gerhard: I agree that instrument selection in the dialog might be too far
- 15:34:47 [Ian]
- Rick: +1 to minimize UX owned by the browser
- 15:34:55 [Ian]
- ...due to complexity and challenge of inter
- 15:35:00 [Ian]
- ..let's keep it essential
- 15:35:20 [Ian]
- ...we still need to understand what will drive adoption of SPC
- 15:35:35 [Ian]
- ...want to see more adoption before we invest in lots of new features
- 15:35:37 [Ian]
- q+
- 15:36:04 [Ian]
- Gerhard: Use case scope may be impacting adoption
- 15:36:14 [Ian]
- q?
- 15:37:06 [Ian]
- present+ Doug_Fisher
- 15:37:34 [Ian]
- Ian: I think it helps to look at use cases and figure out the sweet spot scope from both industry and browser implementer perspectives.
- 15:38:21 [Ian]
- [More use cases: storage of token, recurring, future dated, standing orders, P2P)
- 15:39:15 [Ian]
- Praveena: As a merchant trying to implement SPC is to make sure all the parties can work together (processes, contracts, etc.)
- 15:39:21 [Ian]
- ...I will say that people are excited to see this
- 15:42:02 [Ian]
- [Gerhard compares recurring payments data for 3DS and Open banking UK]
- 15:42:06 [Ian]
- ...frequency, amount, end date
- 15:42:27 [Ian]
- [International payments]
- 15:42:40 [Ian]
- Gerhard: More fields are shown (IBAN, country, currency, exchange rates, ...)
- 15:42:59 [Ian]
- ..may not be a big enough market for prioritizing at this time
- 15:43:13 [Ian]
- [Bulk payments]
- 15:43:19 [Ian]
- [Multi-auth payments]
- 15:43:39 [Ian]
- Gerhard: In this case, multiple parties have to authenticate; this use case is not front of mind for me
- 15:43:50 [Ian]
- [Additional forms of authentication]
- 15:44:06 [Ian]
- Gerhard: There are opportunities like registering a card on file or indicating that the user trusts a merchant.
- 15:44:21 [Ian]
- ...regarding additional forms of authentication:
- 15:44:29 [Ian]
- - possession only (not EU SCA)
- 15:44:55 [Ian]
- ...OTP technically is not a possession factor, but it's used as one. We could consider a browser capability with a binary response "Yes; trusted"
- 15:45:25 [Ian]
- ...in this case, merchant could still opt for higher security flows
- 15:45:37 [Ian]
- ...but I think there are some low friction opportunities that don't rely on FIDO under the hood
- 15:45:43 [Ian]
- q+
- 15:46:12 [Ian]
- Gerhard: Might be some ways for user to express frictionless conditions like "No friction for 3 weeks" or "No friction for payments under amount X"
- 15:47:21 [Ian]
- Ian: Who consumes the trust signal?
- 15:47:36 [Ian]
- Gerhard: The bank. The user sets a flag; the flag value is signed in SPC data.
- 15:47:46 [Ian]
- ..and that input could go to issuer e.g., to not challenge
- 15:48:01 [Ian]
- NickTR: There are credit card flows that support that today
- 15:48:09 [Ian]
- ...you don't get 3DS challenges for trusted merchants
- 15:48:25 [Ian]
- ...this type of exemption is called out in PSD2
- 15:48:26 [Ian]
- q?
- 15:48:27 [Ian]
- ack me
- 15:48:34 [nicktr]
- q?
- 15:48:50 [nicktr]
- q?
- 15:48:53 [Ian]
- Gerhard: Anyone want to weigh in regarding use cases / prioritization?
- 15:49:25 [JeanLuc]
- as per EBA an app installed on a device (a browser) is not considered as reliable as a "possession" element - https://www.eba.europa.eu/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2
- 15:49:46 [Ian]
- Gerhard: The EBA is quite strict
- 15:50:01 [Ian]
- ...they require 2FA; but there are other markets than EU
- 15:50:41 [Ian]
- Topic: Payment Handler API
- 15:51:01 [Ian]
- Rouslan: We removed shipping info from payment handlers
- 15:51:03 [Ian]
- https://github.com/w3c/payment-handler/pull/406
- 15:51:25 [Ian]
- Rouslan: In Payment Request 1.0 we removed shipping information following privacy review
- 15:51:44 [Ian]
- ...PR API 1.0 went to rec without address support.
- 15:52:00 [Ian]
- ...we adjusted the payment handler API at the same time
- 15:52:30 [Ian]
- ...in payment handler API, address support is provided by the payment handler (not the browser)
- 15:53:24 [Ian]
- ...Chrome users of PR API still want shipping addresses.
- 15:53:48 [Ian]
- ...we don't think we can remove the feature from the implementation, and we want the specs to align with implementations
- 15:53:56 [Ian]
- ...Apple's implementation also uses addresses
- 15:54:17 [Ian]
- ...implementations are thus aligned and so we need to work again in the W3C community to find a good way to bring the features back in the API
- 15:54:31 [Ian]
- ...we also want to update the payment handler API to match the PR API
- 15:54:58 [Ian]
- ...this is a heads-up to the WG that we've restored addresses (cf pull request 406, which reversed previous removal)
- 15:55:24 [Ian]
- ...meanwhile we have been aligning payment handlers with the privacy sandbox
- 15:56:06 [Ian]
- ...we want to ensure payment handlers are not used to track users
- 15:56:14 [Ian]
- ...e.g., we are removing very soon "payment instruments"
- 15:56:33 [Ian]
- ...it will no longer be possible to silently install a payment handler in the user's browser
- 15:56:39 [Ian]
- ...this feature is not being used, by the way
- 15:56:46 [Ian]
- ..what's being used everywhere is "just in time installation"
- 15:56:55 [Ian]
- ...so we are updating the spec to talk about JIT installation
- 15:57:11 [Ian]
- https://github.com/w3c/payment-handler/pull/407
- 15:57:35 [Ian]
- ...we also plan to remove payment instruments API surface
- 15:57:50 [Ian]
- ..so the only way to install a payment handler henceforth will be for a merchant to request API with that app for the first time.
- 15:58:14 [Ian]
- Ian: Can you install a payment app on the bank site?
- 15:58:23 [Ian]
- Rouslan: Yes, but via a "mock payment" (just in time)
- 15:59:34 [Ian]
- Topic: TPAC 2023
- 15:59:40 [Ian]
- https://lists.w3.org/Archives/Public/public-payments-wg/2023Jan/0001.html
- 15:59:59 [Ian]
- Topic: Next meeting
- 16:00:01 [Ian]
- 2 February
- 16:00:29 [Ian]
- RRSAGENT, make minutes
- 16:00:30 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/01/19-wpwg-minutes.html Ian
- 16:01:04 [Ian]
- RRSAGENT, set logs public
- 16:17:53 [Ian]
- zakim, bye
- 16:17:53 [Zakim]
- leaving. As of this point the attendees have been Ian, Christian_Aabye, Franck_Delache, Nick_Burris, Nick_Telford-Reed, Praveena_Subrahmanyam, Rick_Byers, Anne_Pouillard,
- 16:17:53 [Zakim]
- Zakim has left #wpwg
- 16:17:55 [Ian]
- rrsagent, bye
- 16:17:55 [RRSAgent]
- I see no action items