W3C

Web Payments Working Group

20 July 2023

Attendees

Present
Amine Khalfaoui (Worldline), Anne Pouillard (Worldline), Bastien Latge (EMVCo), David Benoit, Doug Fisher (Visa), Fahad Saleem (Mastercard), Franck Delache (Shopify), Gustavo Kok (Netflix), Holger Kunkat (Mastercard), Ian Jacobs (W3C), Jean-Luc di Manno (FIME), Jean-Michel Girard (Worldline), Jeff Owenson (Discover), Nick Telford-Reed, Praveena Subrahmanyam (Airbnb), Rolf Lindemann (Nok Nok Labs), Rouslan Solomakhin (Google), Ryan Watkins (Mastercard), Sameer Tare (Mastercard), Stephen McGruer (Google), Steve Cole (MAG), Sue Koomen (American Express), Suzie Annezo-Sébire (FIME), Tomasz Blachowicz (Mastercard), Tony England (Visa), Jinho Bang
Regrets
-
Chair
-
Scribe
Ian, nicktr

Meeting minutes

WPWG Charter update

ian: this week we started to form a council to deal with the formal objection
… we hope that it will come to a swift conclusion
… in the meantime, Apple rejoined the working group yesterday
… That's very exciting and we hope that they will be involved at TPAC in September
… We currently have 17 registered in person for TPAC
… WPSIG is a little lower
… My guess is we might hit 30 participants in person for WPWG

SPC Interop Roadmap

Ian's Roadmap for SPC Interoperability

ian: a few weeks ago, @smcgruer gave a great presentation on some of the dependencies upon which SPC relies
… I used that information to create a "roadmap for SPC interoperability"
… the purpose is as a starting point for closing the gaps
… it doesn't go as far as 3DS or SRC, but is concentrated on making SPC work in browser
… it goes left to right - starting with payment request
… which is "red" for Firefox, though we understand it was developed but never shipped

ian: webauthn level 2 is green across the board

ian: then there's SPC - red on iOS and Safari on MACOS

ian: I listed the conditional UI capability as a signal that credential listing API may be coming
… credential listing API has encouraging signs too
… discoverable credentials is mostly green with upcoming API for MACOS that Chrome plans to use

smcgruer_[EST]: for clarification, this is for platform authenticators

Ian: I will add Hybrid to last column header

smcgruer_[EST]: today on android, when you use a platform authentication, there's a bit which is a third-party payment bit
… that's saved with the credential
… you can interrogate whether that third-party payment bit is set via credential list API

ian: the next column is a desired-implementation. If you are the relying party, you should be able to use a vanilla webauthn credential for payment

smcgruer_[EST]: in 1P context

ian: do you have any data to share, @smcgruer_[EST]

smcgruer_[EST]: I don't know if people are doing this. Stripe might have been doing this but also had the payment bit set

ian: finally we have said we would like to use roaming authenticators but this requires us fix a bunch of UX issues
… We asked the Webauthn working group if there were any updates on roaming updates

Rolf: I think the flag we requested is being merged

ian: I meant roaming authenticators

smcgruer_[EST]: I think Christiaan Brand had some ideas about caching
… I don't believe anyone is working on this

Rolf: There will be an API for browsers to query the authenticators available on their platform but it's very early

ian: is anything missing from this chart?

ian: and what shall we do about the red crosses? We will consider this in detail at TPAC

TPAC agenda

Draft agenda for TPAC

ian: we have started the agenda building

ian: we would love to hear from participants - presentations or demos

ian: we believe we will see a presentation from Netcetera
… we have reached out to Stripe and we still hope to hear from them at TPAC
… we would love to hear from the group

ian: we would also love to hear from 3DS colleagues - demos, implementation, deployment information

ian: gerard will be presenting on SPC in a credential issuing perspective

ian: we can review the issues list
… there are a number of UX issues in particular that have been in stasis for some time

ian: with Apple back in the group, it would be good to talk about next steps for payment request
… in particular with regard to addresses

ian: we may also want to talk about passkeys
… and we have reached out to get updates on PSD3

Ian: UK Finance on push payment fraud?

NickTR: APP (authorized push payment) is where you log in to transfer money. Even though smaller than cards in volume (by factor of 100), level of fraud is same (hence collossal)

<Rolf> regarding WebAuthn: not an API for querying available authenticators, but client capabilities (e.g., hybrid transport, client-pin entry, ...)

ian: we also hope to hear some merchant perspectives

ian: Berlin Group are not available for TPAC but we are looking to schedule a meeting with them on 30th October at 3pm UTC (for early diary awareness)
… I will remind the group nearer the time
… and they have indicated that they are getting closer to dynamic linking features

ian: also for info, at our next meeting, the Chrome team will present on autofill in a 3P context via iframes with a guest attendee from PCI

NickTR: We welcome your presentations!
… handful of bullets suffices
… whether new or old topics

Next meeting

3 August

Minutes manually created (not a transcript), formatted by scribe.perl version 210 (Wed Jan 11 19:21:32 2023 UTC).