14:57:41 RRSAgent has joined #wpwg
14:57:45 logging to https://www.w3.org/2024/02/15-wpwg-irc
14:57:46 Meeting: Web Payments Working Group
14:57:51 Chair: Praveena
14:57:53 Scribe: Ian
14:58:00 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20240215
14:58:04 Regrets+ NickTR
14:58:06 present+
14:58:54 present+ Jean_Luc_Di_Manno
14:58:59 Kenneth_Diaz has joined #wpwg
14:58:59 present+ Kenneth_Diaz
14:59:20 present+ Melissa_Sebastian
14:59:39 present+ Anne_Pouillard
15:00:07 Anne has joined #wpwg
15:00:40 present+ Gerhard_Oosthuizen
15:00:43 present+ Nick_Burris
15:00:49 present+ Stephen_McGruer
15:00:57 present+ David_Benoit
15:02:02 present+ Praveena_Subrahmanyam
15:02:07 present+ Bastien_Latge
15:02:11 present+ Tony_England
15:02:14 present+ Steve_Cole
15:02:24 present+ Jeff_Owenson
15:02:29 Gerhard has joined #wpwg
15:02:36 present+
15:02:37 Bastien has joined #WPWG
15:02:39 present+ Grégoire_Leleux
15:02:41 present+
15:03:10 present+ Tomasz_Blachowicz
15:04:16 Topic: SPC user journey improvements
15:06:20 -> https://www.w3.org/2024/Talks/chrome-20240215.pdf Stephen McGruer slides
15:06:55 smcgruer_[EST]: Thanks to our designer David! This is draft, we hope to understand underlying needs through this exercise.
15:07:00 praveenas has joined #wpwg
15:07:10 dougf has joined #wpwg
15:07:15 present+ Juliana_Cafik
15:07:19 present+ Michael_Horne
15:07:25 present+ Rolf_Lindemann
15:07:28 present+ Doug_Fisher
15:07:34 present+ Rouslan_Solomakhin
15:07:47 I have made the request to generate https://www.w3.org/2024/02/15-wpwg-minutes.html Ian
15:07:52 I'm logging. I don't understand 'sets logs public', Ian. Try /msg RRSAgent help
15:08:36 [Stephen walks through slides]
15:09:07 present+ Fahad_Saleem
15:09:29 present+ Nako_Siskov
15:10:18 Stephen: In the slide we refer to "issuer"; is that too card-specific? Is there a more general term we could use?
15:11:10 ...we have not yet figured out a way to put the RP origin in the dialog. The concern is that it might not make sense to the user.
15:11:20 ...in many cases the RP origins are opaque.
15:11:52 ...and sometimes the service is provided by an entity who is not the bank, for example.
15:13:42 Tomasz: Thanks for sharing this. Definitely an improvement.
15:13:57 ...good that there is a change in the language. I have doubts about whether the end user will understand who the issuer is.
15:14:16 ...I think "Issuer" is not the right term (and may not translate well into other languages)
15:14:20 q+
15:14:33 ...in terms of showing the RP origin, the chances the user will understand are even slimmer.
15:14:47 ...but maybe a domain name can go into the sentence.
15:15:18 ...I agree that "credentials verified" is not the best term. Perhaps "Authentication completed"
15:15:49 ack G
15:16:06 present+ Sameer_Tare
15:16:32 q+
15:17:17 Gerhard: Context would be valuable. Could we have a display context. Like "This is a card payment" or "This is a bank payment."
15:17:41 "This is an open banking payment"
15:17:45 This might help us solve the generic problem.
15:18:14 Stephen: I'm not opposed to having context information provided (in a controlled fashion).
15:18:32 Tony has joined #wpwg
15:18:38 ?
15:18:44 q+ Tony
15:18:51 q+ Fahad
15:19:15 ack doug
15:19:22 dougf: +1 to the direction of the new design
15:19:54 ...in terms of important additions, one of the things that we've found in our pilot is people not being clear who is authenticating them.
15:20:10 ..it will need more discussion how to communicate who is authenticating.
15:20:50 IJ: Is it a deeper challenge understanding what's going on?
15:21:22 dougf: The question is when you create a credential, with what entity and how it will be used. Can the user understand why an entity is able to do an authentication. Understanding the process is difficult.
15:21:43 ..in our pilot we found perhaps an equal split between people thinking it's the issuer or merchant or browser.
15:21:53 ...the browser could help, even if we don't know how exactly yet.
15:22:09 ..the successful authentication message is MOST important at credential creation time.
15:22:43 ...during authentication the success was clear to people; so we found more need at creation time.
15:22:49 ack To
15:23:28 Tony: Is there an opportunity to pull in a single icon (e.g., bank + network together).
15:23:41 ..the customer might recognize particular imagery.
15:24:02 smcgruer_[EST]: The card icon is up to the caller. It's a good note to us that this string might be long.
15:24:20 q+ Tomasz
15:25:08 smcgruer_[EST]: It interests me that there might be 2 icons combined to 1.
15:25:13 Tony: That's the case in the token space.
15:25:41 ...from a customer experience perspective they just want to know they are using the correct product.
15:25:56 q+ Juliana
15:25:58 ack Fa
15:26:14 Fahad: Are these icon fields (going to be) optional?
15:26:25 smcgruer_[EST]: This is an open question. What do we need to add to make this work?
15:26:43 ..Gerhard's proposal is to provide a "context". We were thinking that kind of bundle.
15:26:51 ...but there are combinatorial complexity issues.
15:27:20 Fahad: The new UX makes a lot of sense for a 3DS flow.
15:27:39 ..but in Tony's use case (which is also pertinent), we could skip issuer and have a composite icon
15:28:01 smcgruer_[EST]: That scenario should be easy to support.
15:28:15 ...I'd love to see if people have example UIs of other payment flows. What are people showing users today?
15:28:45 Ian: Check out OpenBanking UK
15:29:00 Gerhard: Also Brazil open banking has UX guidance
15:29:12 ack To
15:29:57 tomasz: It would be good for the RP to indicate who is doing the authentication.
15:30:14 ...the sentence in the UX could say "citibank has requested to authenticate you to confirm your purchase."
15:30:20 ..this is the valuable context.
15:30:31 ...this could be done generically (not just 3DS)
15:30:45 ..e.g., the cardholder could be authenticating to the merchant (or their service)
15:30:51 ...so "Store.com wants to authenticate you"
15:31:15 smcgruer_[EST]: We are open and interested in putting the origin of the RP. That is the more trusted string.
15:31:37 question: Could the Common Name of the URL in the HTTPS certificate be used?
15:32:02 smcgruer_[EST]: The credential is exactly for the RPID.
15:32:08 q+
15:33:14 ack Juliana
15:33:32 Juliana: There are guidelines for 3DS with clear language definitions and so on
15:33:45 ..that consumers are familiar with, and the closer we stick to that, the better.
15:34:00 ..that would include difference between authentication and authorization.
15:34:10 ack me
15:36:14 smcgruer_[EST]: We rely on origin because other strings might be lies.
15:36:46 Ian: Maybe show both: the string and the origin
15:37:04 q?
15:38:00 [Moving on to the fallback screen]
15:38:16 smcgruer_[EST]: Reminder - this screen is important for privacy protection.
15:38:22 ...but nobody likes this screen.
15:39:14 smcgruer_[EST]: Ian presented some ideas a few months ago. We run with that here -- when no credentials are found, the dialog looks the same. And "Continue" sends a signal to the caller that further authentication is required.
15:39:21 q+
15:40:00 Gerhard: Yes, I agree. :)
15:40:18 Gerhard: The button intention could be "Verify" rather than "Continue"
15:40:35 ...in my slides (for next meeting) I propose some additional language
15:40:49 ack G
15:41:10 smcgruer_[EST]: Also in this proposal there are three signals through the API (instead of 2 signals in the current approach).
15:41:26 The signals are: (1) continue with FIDO (2) cancel (3) try another way
15:42:41 smcgruer_[EST]: we are also looking at an idea where, if you choose to authenticate another way, what should happen with the SPC dialog? Should it say "Verifying" and stick around, for example?
15:43:13 ..this is an interesting idea for me, but I think this will be challenging if 3DS is happening in an iframe and therefore appears behind the SPC dialog
15:43:39 smcgruer_[EST]: I like this idea but it may not work and it may be preferable for the browser to "just get out of the way"
15:43:53 smcgruer_[EST]: We have some questions (in the deck).
15:44:12 q+
15:44:13 * "Store" field. Is it always a store? Is "merchant" more common? should there be an enumeration?
15:44:33 smcgruer_[EST]: Regarding the needs for icons to be larger. Is this a regulatory requirement? is this for "glanceability"?
15:44:51 +q
15:44:58 smcgruer_[EST]: We don't want to tie too closely to card payments. I like Gerhard's idea of providing context
15:45:01 q?
15:45:09 ack Gerhard
15:45:26 Gerhard: Is Netflix a merchant? Is a gym a merchant? There is no universal way.
15:45:39 ...some systems say "pay" "charge" "subscribe"
15:45:41 ..enumeration might help
15:45:48 ..merchant might like to choose how they would like to be called.
15:46:06 ...regarding "icons" they are not really icons, they are "visual representations of cards"
15:46:14 ..for recognizability.
15:46:19 q?
15:46:53 smcgruer_[EST]: Autofill has customized card art and we've seen users appreciate the detailed identification of cards. SPC should support that level of detail.
15:47:10 ...we are more interested in the size and positioning of card beyond the card art
15:47:13 ack dougf
15:47:39 dougf: The card art increases trust. Fraudsters are not perceived to have that kind of information. It needs also to be large enough for accessibility reasons.
15:47:41 q?
15:47:58 IJ: What about hover or click to enlarge?
15:48:06 smcgruer_[EST]: That idea was not well-received.
15:48:28 q?
15:48:41 Bastien has joined #WPWG
15:49:01 smcgruer_[EST]: I agree for custom card art. I'm mostly focused on custom bank / network logo.
15:49:41 tomasz: The reason for the issuer logo (in 3DS land) is to let the user identify the card issuer. This helps identify which card.
15:50:04 I have made the request to generate https://www.w3.org/2024/02/15-wpwg-minutes.html Ian
15:50:34 q+
15:50:56 tomasz: It's valuable to bring SPC closer to 3DS screen (for 3DS flows)
15:51:09 dougf: We don't have a specific UI for credential creation; we might potentially want good practices.
15:51:26 ..but when there is continuity of experience, there's greater association in terms of who is authenticating.
15:51:32 ack dougf
15:51:50 smcgruer_[EST]: Maybe creation screen could add confidence if done right.
15:54:15 q+
15:55:04 TallTed has joined #wpwg
15:55:20 Gregoire: One thing bothers me a bit, the details on the transaction. There's an increasing need for precise information for some types of transaction (e.g., recurrence)
15:55:34 ...I am afraid that this could be a limiting factor for markets where precision is required
15:56:35 smcgruer_[EST]: I agree. I am worried that browsers may not be able to keep up with all regulatory requirements ...
15:56:53 ..having said that, I am more optimistic about some spaces where EMVCo has already done work on this!
15:57:15 ...therefore I'm more optimistic we can find a way to address this without taking arbitrary strings as input.
15:57:52 Topic: Next meeting
15:57:54 29 February
15:59:02 RRSAGENT, make minutes
15:59:03 I have made the request to generate https://www.w3.org/2024/02/15-wpwg-minutes.html Ian
15:59:39 RRSAGENT, set logs public
16:01:01 Gregoire has left #wpwg
16:02:14 Gerhard has left #wpwg