00:00:13 ...you could do the same thing with payment credentials like updating the name on the card.
00:00:42 NickTR: Could a balance be a credential?
00:00:53 Lee: Yes.
00:00:53 ...the issuer could update the balance in your wallet.
00:01:03 NickTR: The use case I have in mind is offline.
00:01:11 Gus: EMVCo has a full spec for offline chip and pin; quite used in Brazil.
00:01:17 ...you could replicate the constraints in this world. EMVCo has covered the edge cases.
00:01:18 q+
00:01:22 ack nicktr
00:01:26 ack nick_s
00:01:30 ack nick_s
00:01:42 Nick_s: Practically speaking it doesn't always work like that.
00:02:16 JohnBradley: One thing you could do...if the wallet is sophisticated it could participate in tokenization.
00:02:33 ...e.g., bank app acting as a wallet, tokenizes card and provides pseudonymous information to the merchant
00:03:01 Lee: Seamless inline issuance is an interesting use case.
00:03:19 ...e.g., in the EU the user's PID (national ID) could be presented and exchanged for a digital payment credential during the SCA flow.
00:03:19 kavramesh has joined #wpwg
00:03:33 ...we think this is seamless enough to do inline in the SCA moment.
00:03:48 ...imagine a flow where your card is not provisioned in the wallet. The wallet does have your national ID.
00:04:03 ...you could present the national ID to the bank, and ask that it be exchanged for a payment credential at that moment.
00:04:10 ...we believe that could be done inline with a transaction.
00:04:25 ...the user could easily get a payment credential and be able to use it henceforth.
00:04:41 q+
00:04:53 ack nick
00:05:41 nick_s: A theme from this morning related to data for fraud mitigation. Are there mitigations for digital credentials to prevent asking for as much data as possible?
00:06:15 Lee: The EU is working on a trust framework. A web site will have to get permission in order to request credentials.
00:06:37 ...a goal is to prevent arbitrary sites from asking for data. So safeguards are on the issuance side.
00:06:38 q+
00:06:41 ...US might be different.
00:06:43 q+
00:06:48 ...so it will come down to UX friction
00:06:51 ack rbyers
00:07:09 rbyers: We don't know for sure yet. We expect we'll have a risk engine and potentially alter our UI.
00:07:43 ...where we have signals that something is abusive or riskier, those are transactions where there would be more incentives to release less information.
00:07:58 Nick_S: So are you saying that the responsibility lies with the issuers?
00:08:13 rbyers: I think it's primarily a problem for the issuers and wallets, with the browser as a backstop
00:08:14 q?
00:08:17 q+ Kristina
00:09:48 John: You'll have a lot more flexibility in trust signals with digital credentials than webauthn
00:09:51 ack ben
00:10:22 benoit: Customers also provide information they shouldn't out of convenience.
00:10:44 ...the same type of information sharing will happen. Who decides who I should open my wallet to?
00:11:00 John: That exists with form fillers today. The question is whether we can do something better.
00:12:21 Kristina_Yasuda: We seek to have guardrails in place to prevent race to the bottom.
00:12:56 ...could you summarize for payments use case, what's the biggest delta from current APIs? Is it presentation of 2 credentials?
00:13:25 Lee: We need multi-doc presentation and transaction confirmation. That's what OIDP would need to land.
00:13:39 ...I don't think the browser API needs to fundamentally change, it's just what goes in the request.
00:13:49 JohnB: We need to think about what the wallet selector presents.
00:14:08 ...e.g., some standardized way to present a series of things to the user to avoid confusion
00:14:29 q?
00:14:31 ack Kris
00:14:47 Lee: Another idea - receipts could be issued to the wallet after a transaction.
00:15:01 ...also, we'd get cross-device issuance using FIDO CTAP
00:16:28 Mike Jones: if you have a flow where you use multiple credentials at once (e.g., payment + age). Can you talk about the UX challenges and solutions?
00:16:41 Lee: If you are requesting 2 things and both are in the same wallet, it's pretty easy.
00:17:05 ...there could be one consent moment and one fingerprint tap.
00:17:14 ...what's tricky is when credentials are in different wallets.
00:17:28 ...we have to do a mediation thing where we get consent from different wallets.
00:17:30 q+
00:17:37 ...we are still thinking how best we could do this at the platform level.
00:17:46 ...we could start with an MVP of expectation of "same wallet"
00:18:14 ...from an online POV, another approach is to serialize the requests. But in an in-person flow, that's not as acceptable.
00:18:29 ...we have some ideas including a single biometric fired off to 2 wallets.
00:18:42 aprotyas has joined #wpwg
00:18:44 ...if you have custom consent language from two wallets we are still working on how to do that.
00:18:56 q?
00:19:08 JohnBradley: the EU Commission has a notion of "related keys."
00:19:34 ...the notion that the age comes from a credential derived from the personal identity doc, and the KYC was from the same document, that might be important in some use cases.
00:19:46 ...so "coming from the same document" may be valuable
00:20:06 q+ Eric
00:20:08 ack Nick_S
00:20:26 Nick_S: I'm not sure it's that easy to do with 2 credentials from same wallet.
00:20:31 ...I think the UX is going to be challenging.
00:20:51 Eric(Visa): Is there an assumption that user validation will be done through the wallet?
00:21:05 John: If so that means that wallet needs to be trusted by the issuer
00:21:22 Eric: You can spoof the credentials to a fake wallet.
00:21:36 John: One hopes that the credit card issuers won't issue credit cards to insecure wallets.
00:21:56 Eric: Attackers will try to issue credentials to fake wallets.
00:22:06 John: We are assuming wallets are certified.
00:22:17 Lee: There is transitive trust.
00:22:41 ...as an RP I get some trust at the issuance level
00:22:54 John: If the RP has to know about the trust posture of the wallet, you get a fragile ecosystem.
00:23:01 present+ Steve_Venema
00:23:11 zakim, this meeting extends past midnight
00:23:13 I don't understand 'this meeting extends past midnight', Ian
00:23:17 rrsagent, this meeting extends past midnight
00:23:17 I'm logging. I don't understand 'this meeting extends past midnight', Ian. Try /msg RRSAgent help
00:23:26 rrsagent, this meeting goes past midnight
00:23:26 I'm logging. I don't understand 'this meeting goes past midnight', Ian. Try /msg RRSAgent help
00:23:38 rrsagent, this meeting spans midnight
00:23:50 rrsagent, make minutes
00:23:52 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
00:24:30 rrsagent, make minutes
00:24:32 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
00:25:02 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
00:26:25 (Architecture ideas)
00:26:38 Tim: One question is relationship to PR API?
00:27:16 ...there are some overlaps between PR API and other specs. Is there an appetite for convergence?
00:27:32 ...especially where there is a transition period where multiple APIs are in use.
00:27:40 q+ to discuss the transaction payload
00:27:41 westin has joined #wpwg
00:27:45 q?
00:27:52 ack eric
00:27:53 ack rouslan
00:27:53 rouslan, you wanted to discuss the transaction payload
00:27:56 q+ to contrast DC and SPC tradeoffs
00:28:32 Rouslan: Thank you for the connection to PR API. When we designed PR API, I leaned more towards trying to standardize parameters common among multiple payment methods.
00:28:43 ...there are arguments for and against.
00:28:59 Nick_S has joined #wpwg
00:29:03 ...when more information is available to the browser, the browser can do a better job mediating / creating UX
00:29:05 q+
00:29:18 ...when more information is part of the payment method, it makes payment method innovation easier.
00:29:35 ...so I advise surfacing a bit of information to enable the browser to understand the payload.
00:29:43 ack rbyers
00:29:43 rbyers, you wanted to contrast DC and SPC tradeoffs
00:30:10 rbyers: Right now the digital credentials spec has a registry of supported protocols. OpenID for VP is looking at PR API.
00:30:25 ...at a high level we agree, but it's also a question of what layer of abstraction we are talking about
00:31:09 rbyers: Agree with tradeoff between innovation and other considerations like consistency, or help from the browser.
00:31:30 q?
00:31:46 rbyers: Another big topic is we don't have a plan yet for digital credentials on desktop.
00:32:13 John: I have a solution, but it doesn't yet connect to the digital credentials API
00:32:28 rbyers: There are some open questions around desktop.
00:32:57 ...this relies on getting a wallet installed and provisioning a credential. I see SPC as offering some help here.
00:33:02 q+
00:33:10 ack Nick_S
00:33:33 Nick_S: +1 to rouslan's point. Browser needs information to protect the user.
00:34:33 ...the browser should protect the user from input that is not trusted.
00:35:17 ...we should be sure that if we say that the browser should pass data to an environment with elevated privilege, we should be cautious
00:35:23 Lee: I don't have the same level of concern.
00:35:43 ack me
00:37:33 IJ: PR API has on the fly installation.
00:37:33 Christian has joined #wpwg
00:37:37 Takashi has joined #wpwg
00:38:15 q+
00:38:54 ack Nick_S
00:39:28 kavramesh has joined #wpwg
00:39:34 Nick_S: Are we suggesting two independent APIs related to payments?
00:39:54 John: Right now the EU commission is doing a large scale pilot to do payments as part of the European digital credential.
00:40:16 ...they are standardizing it and various people are looking at a way to do this.
00:40:29 q?
00:40:30 rbyers: And one reason is that payment handler does not have broad support across platforms.
00:40:32 q?
00:41:27 Kristina: It would be helpful if we could have one profile for payments.
00:41:35 ...it's working well for mobile driving licenses.
00:43:01 ...I'm happy to help. For content of transaction data I'd need to work with people.
00:43:26 ...another use case is qualified electronic signatures
00:44:05 ...having clarity on the profiles and clarity on whom to collaborate with would be helpful.
00:44:15 Tim: Right, we'd need to break apart what the profile would be.
00:44:34 ...there's a query component, a credential structure, how you request it.
00:44:39 ...and what you're requesting.
00:44:58 NickTR: When we designed payment request we broadly punted on the payment method specific data.
00:45:17 ...payment method owners define their own data models.
00:45:33 ...Payment Request is limited to things like amount, currency, and a few other things.
00:45:52 Kristina: Starting point could be https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.html
00:46:20 kavramesh1 has joined #wpwg
00:47:24 q+
00:47:36 (Discussion of rendering and selection challenges like de-duping)
00:47:43 q+
00:47:48 ack NIck_Sh
00:48:15 Nick_S: We spent a lot of time talking about deduping; it would be bad if you clicked a button and got 8 wallets with the same card.
00:48:30 ack me
00:49:49 IJ: Display order and selection is very complex. Lots of opposition to handing the UX over to the browser.
00:52:12 IJ: The more you stuff in a wallet, the higher the stakes will be
00:52:32 (Next steps)
00:52:48 Tim: Where do we discuss query syntax? Types? Specificity?
00:53:01 ...where do we go post TPAC?
00:53:21 q+
00:53:22 Sue: Where's the discussion happening today in W3C?
00:53:34 Tim: In the WICG at W3C, DCP at OpenID
00:53:36 aprotyas has joined #wpwg
00:53:43 ack Nick_S
00:53:54 Tim: I think it's the DCP work at OpenID
00:54:16 Nick_S: If the w3c is going to standardize anything on payments, I would recommend the WPWG.
00:54:41 ...I think this group would be a good forum to discuss the payment elements.
00:54:56 ...there are also questions about getting something out fast
00:55:05 JohnB: EU is not thinking about W3C at all.
00:55:54 present+ Arman_Aygen
00:57:07 Lee: All the current proposals are using custom URL schemes.
00:57:28 ...it's clunkier
00:58:08 EWC = EUDI Wallet Consortium -> https://eudiwalletconsortium.org/project/
00:58:16 DavidTurner has joined #wpwg
00:58:21 Nick_S: Would hate to rush a standard for a single jurisdiction
00:59:24 ACTION: Ian to work with TimC, LeeC, NickTR, and Kristina Yasuda on next steps.
00:59:35 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
01:02:21 TallTed has joined #wpwg
01:13:54 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
01:14:01 rrsagent, set logs public
01:14:33 rrsagent, bye
01:14:33 I see 1 open action item saved in https://www.w3.org/2024/09/24-wpwg-actions.rdf :
01:14:33 ACTION: Ian to work with TimC, LeeC, NickTR, and Kristina Yasuda on next steps. [1]
01:14:33 recorded in https://www.w3.org/2024/09/24-wpwg-irc#T00-59-24
16:04:52 RRSAgent has joined #wpwg
16:04:52 logging to https://www.w3.org/2024/09/24-wpwg-irc
16:04:56 Meeting: Web Payments WG
16:05:00 Chair: Nick
16:05:02 Scribe: Ian
16:05:14 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2024
16:05:16 present+
16:05:19 present+
16:05:22 present+
16:05:22 present+
16:05:23 pavelar has joined #wpwg
16:05:26 present+
16:05:27 present+
16:05:27 present+
16:05:28 present+
16:05:29 present+
16:05:30 rrsagent, this meeting spans midnight
16:05:31 maximeg has joined #wpwg
16:05:33 present+
16:05:37 Jayadevi has joined #WPWG
16:05:39 nsiskov has joined #wpwg
16:05:45 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
16:05:49 present+
16:05:57 Sue has joined #wpwg
16:05:59 Jeff has joined #wpwg
16:06:00 takashi has joined #wpwg
16:06:07 KennethDiaz has joined #wpwg
16:06:07 present+
16:06:13 present+
16:06:14 present+
16:06:15 Arman has joined #WPWG
16:06:19 present+
16:06:24 jthomas has joined #wpwg
16:06:29 present+
16:06:35 Gud has joined #wpwg
16:06:38 vkuntz has joined #wpwg
16:06:44 kavramesh has joined #WPWG
16:06:45 present+
16:06:47 present+
16:06:47 present+
16:07:09 Sharanya has joined #WPWG
16:07:16 Steele has joined #wpwg
16:07:18 pablosfor_meli has joined #wpwg
16:07:28 Jorge has joined #wpwg
16:07:34 Gus has joined #wpwg
16:07:54 Vanitha has joined #wpwg
16:08:02 present+
16:08:53 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
16:09:14 Topic: Mercado Libre presentation
16:09:20 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
16:09:41 Wade has joined #wpwg
16:09:58 +present
16:10:11 Soumya has joined #wpwg
16:10:19 present+
16:10:23 jeanluc has joined #WPWG
16:10:32 present +
16:10:36 present+
16:10:37 present+
16:10:40 present+
16:10:41 nick_s has joined #wpwg
16:10:45 present+
16:10:59 SameerT has joined #wpwg
16:11:04 present+
16:11:09 HennaKapur has joined #WPWG
16:11:14 present +
16:11:22 liucougar has joined #WPWG
16:12:58 present+
16:13:21 present+
16:13:51 Steve_C has joined #wpwg
16:15:32 q+
16:16:28 (Gus presents Mercado Libre in slides that will be made available in the minutes.)
16:16:57 JACK has joined #wpwg
16:17:00 Gerhard has joined #wpwg
16:17:14 present+
16:18:10 present+
16:18:28 ack nicktr
16:18:38 Takashi has joined #wpwg
16:19:41 doug has joined #wpwg
16:19:54 +present
16:22:38 q?
16:23:35 present+ Doug
16:23:46 maticompiano has joined #wpwg
16:24:36 Arman has joined #WPWG
16:25:10 Gus: Central bank drove financial inclusion through several efforts, including more informal accounts and PIX
16:26:07 ...PIX has grown over 700% in three years
16:26:27 ...accounts for almost half of the financial transaction accounts in Brazil (but not volume)
16:26:56 ...there is another mechanism called EDT which is not a consumer payment method.
16:28:46 ...credit resilience mostly due to different funding source and demographics
16:29:23 ...the central bank does have plans to evolve PIX in a way that might have an impact on credit.
16:30:01 junhui has joined #wpwg
16:30:03 ...this chart includes all channels
16:31:04 Gus: PIX took off in Brazil because it bridged the inclusion gap.
16:31:32 q?
16:32:06 Gus: Now the government wants to release three new flows: in-person payments (tap to pay), passkey-based flows, and support for recurring payments
16:32:36 ...these changes are likely to make PIX the almost exclusive rails for Brazil.
16:33:19 ...one flow is to scan a QR code and use your PIX app to make the payment.
16:33:41 NickTR: How does merchant know they have been paid?
16:33:46 Gus: Push message to phone
16:33:52 ...there's almost no latency
16:34:11 vkuntz: Is there a time limit on the?
16:34:34 s/the?/the transaction/
16:34:37 s/on the/on the execution time/
16:34:59 Gus: Time limit depends on level of sophistication of the store front
16:35:21 ...POS transaction has a timeout...I think it's about a minute.
16:35:28 Paulo: It may be even longer.
16:35:44 tre has joined #wpwg
16:35:47 ...the protocol has very narrow windows
16:36:07 q+ to ask about latency for e-commerce
16:36:23 ack smcgruer_[EST]
16:36:23 smcgruer_[EST], you wanted to ask about latency for e-commerce
16:36:43 smcgruer_[EST]: We had heard statement or claims that for e-commerce, users saw high latency in PIX payments after returning to the merchant.
16:37:18 Gus: You're not wrong. The latency is not because of PIX but rather the ways the current web flows work.
16:37:40 ...this is for in-person payments.
16:38:19 Gus: The central bank has been working with some of the Pays to enable the onboarding of a PIX account into the wallet using passkeys as the identifier for the account.
16:38:24 q+
16:38:31 ...if you set your PIX account as your default payment method, you can use tap to pay in-store
16:38:48 NickTR: You would also need to work with the terminal providers.
16:39:01 q+
16:39:05 q-
16:39:26 bkardell_ has joined #wpwg
16:39:39 Gus: There are aspects of tap-to-pay that are still evolving; we are waiting for the central bank to determine the path.
16:40:17 q+
16:40:22 ack nick
16:41:00 s/tap-to-pay/tap-to-pay for PIX/
16:41:20 Gus: We are piloting tap-to-pay
16:41:32 ...there's a difference between tap-to-pay and tap-to-your own phone
16:41:47 ...it's widespread for merchants to use their own phones as a terminal
16:42:05 ...that's what we're piloting right now: tap your card to your own phone.
16:42:13 ...for tap-to-pay, that's BAU.
16:42:25 rbyers: Will tap to your own phone work on the Web?
16:42:33 Gus: Not yet; that would be awesome.
16:42:46 Nick_S: Do you get liability shift for tap to your own phone?
16:42:54 NickTR: You'd need to talk to the schemes about that.
16:43:53 q?
16:44:26 (Some discussion of recurring payments plans)
16:45:04 Gus: You'll be able to schedule payments. You will be able to authenticate once and generate a token. The merchant will use the token to request payment according to the frequency.
16:45:51 ...the subsequent transactions are merchant-initiated without user interaction
16:46:16 q?
16:46:24 (Evolution of PIX for web mobile)
16:46:35 Gus: Today you have two options when buying online:
16:46:51 a) You are on a desktop and scan a QR code on your desktop screen. Requires two devices.
16:47:14 b) Or you can use copy-and-paste pix. It's clunky but needed because many people don't have two devices.
16:47:45 ...so the central bank has decided that passkeys will be the authentication mechanism for PIX transfers.
16:47:48 q+ to ask why copy and pasted instead of deep linking into banking app, e.g., with payment request and payment handler.
16:48:26 ack rouslan
16:48:27 rouslan, you wanted to ask why copy and pasted instead of deep linking into banking app, e.g., with payment request and payment handler.
16:48:47 Gus: Copy/paste happened because they could not figure out how to do a safe transaction with a single device.
16:49:15 Paulo: One of the concerns of the central bank was also defaults.
16:50:15 q+
16:50:24 Gus: You need to use the scanner within your bank app in QR code flow
16:51:37 Gus: In copy paste flow, the merchant allows you to copy a string with a button, and then paste the string into your bank app. And bank apps can easily recognize you have a PIX string in your copy buffer.
16:51:40 ack smcgruer_[EST]
16:51:56 smcgruer_[EST]: Do bank accounts allow you to screen shot a QR code?
16:52:01 q+ rbyers
16:52:24 Paulo: Some banks used to allow sharing of PDF of boleto, so I guess it could happen in theory
16:52:40 Gus: I'm not aware that any bank has prioritized this since they expected other flows
16:53:00 rbyers: What about Malware that detects payment addresses and puts its own address in instead?
16:53:13 Sidd has joined #WPWG
16:53:37 Paulo: I think there was a scenario like that a couple of years ago (a sophisticated attack).
16:53:56 Gus: Our biggest challenge is drop-offs.
16:54:25 rbyers: All the problems you are mentioning are the ones that came up in discussion yesterday around digital credentials.
16:55:29 https://github.com/WICG/digital-credentials/blob/main/custom-schemes.md
16:56:03 Gus: The central bank has been showcasing a passkey flow.
16:56:47 (Slide showing double click - passkey flow)
16:57:11 q+
16:57:11 Gus: the decision to use passkeys has been communicated, but I don't believe the specifications are available.
16:57:15 q+
16:57:27 ack rbyers
16:57:29 ack fahad
16:57:47 fahad: How does the merchant trigger the WebAuthn flow
16:57:55 Gus: We don't have those details yet
16:58:23 ...but we expect the bank that provides the funding account will provide the passkey
16:59:11 nick_s has joined #wpwg
16:59:25 ...the central bank wants a passkey per pair of bank account / wallet.
16:59:31 ...and the issuer would be the relying party
17:00:14 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
17:00:17 q-
17:00:24 q?
17:01:41 Ian: When would you expect more details to be available?
17:01:50 Gus: By the end of the year, we will have a better sense.
17:03:24 rbyers: When it shows bank A / Bank B...what if the list is very long?
17:03:50 Gus: The central bank's idea is to show the list of banks for which you are ready to pay. And if you don't see your bank you might see an "Add bank" button.
17:03:59 rbyers: So each merchant would maintain a list of banks for their customer?
17:04:04 q+
17:04:33 Gus: The central bank doesn't want your phone to have a single passkey for your bank account A (my current understanding)
17:04:58 q-
17:05:03 ...they want the user to clearly consent to each payment initiator.
17:05:51 smcgruer_[EST]: My general thought is that we're looking here at a variant of the Nascar problem.
17:06:19 ...to filter we run into privacy issues.
17:06:29 ...I'm curious to see what the central bank is thinking and how we might help.
17:06:31 q+
17:06:58 q-
17:07:18 Gus: Because we are both on the seller and buyer sides, we have a few use cases we want to explore
17:07:41 (We move onto some challenges specifically for discussion at TPAC)
17:07:56 (See SWOT slide)
17:08:49 Gus: We have a challenge when merchant is selling at their own origin.
17:11:26 ...what we want is to enable the use of saved credentials cross-origin
17:12:17 ...we want the UX to be the same whatever the payment method
17:13:23 Jonathan: How do I select methods when on the merchant site?
17:13:29 Gus: We are the PSP.
17:13:53 Gus: We don't want to redirect. We want to recognize you in the seller context, so that the seller can later show the list of payment methods.
17:13:54 q+
17:14:21 Jonathan: Who is the RP?
17:14:21 q+ to comment about user recognition challenges
17:14:28 q-
17:14:33 Gus: We'll have passkeys for the user to authenticate to MercadoLibre.
17:14:57 ...that would already be useful to use a pre-existing session to get the right key associated with your account
17:15:02 ack rouslan
17:15:02 rouslan, you wanted to comment about user recognition challenges
17:15:49 rouslan: One concern would be tracking. Can you use something like FedCM, WebAuthn, Payment Handlers? If something doesn't work we can work together to improve them.
17:16:33 Gus: When the user is on MercadoLibre we would enroll the user to be able to pay across participating merchants.
17:17:09 q?
17:18:28 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
17:19:09 Sidd: I thought there might be a "Pay with Mercado Libre" and they would authenticate with you, and then after authentication instruments would be shown in wallet.
17:19:31 Gus: We do have a payment button (especially for outside of Brazil)
17:19:55 ...in that scenario, you click the button, you are redirected. If there is an existing session you see your existing wallet, you select an instrument, and you pay.
17:20:07 ...but merchants don't want redirects or adding 3p buttons to their checkout
17:21:04 q?
17:21:53 q?
17:22:32 q+ to suggest fenced frames as a consideration
17:22:36 Gus: Topics for discussion:
17:22:53 - How to recognize returning user whatever their original session (web/native) on that device, or the merchant they are visiting
17:23:12 - How do we use the session later to pick the passkey associated with their Meli account, and/or
17:23:27 - How do we use that session later to pick the passkey associated with the payment method they selected?
17:23:37 ack rouslan
17:23:37 rouslan, you wanted to suggest fenced frames as a consideration
17:23:55 rouslan: There's an upcoming technology called "fenced frames" that might allow you to embed 3p information in a 1p context without the ability to track
17:24:51 Fenced Frame -> https://wicg.github.io/fenced-frame/
17:24:51 Paulo: Fenced frames cannot communicate to server or parent page?
17:25:01 Rouslan: Correct, you can only read the data that user has stored.
17:25:07 q?
17:25:14 q?
17:25:54 Pablo: We are exploring payment request API for decoupling the integration into the seller from authentication method
17:26:10 ...that would allow for native app authentication.
17:26:26 Steve_C has joined #wpwg
17:26:32 ...we think this is interesting.
17:27:17 q+
17:27:19 q+
17:27:22 Paulo: We are also interested in FedCM
17:27:38 q-
17:27:46 q?
17:27:47 Chris: Multiple IDPs are in the works.
17:28:02 rbyers: We have an origin trial going on right now related to this.
17:28:04 q?
17:28:06 ack rbyers
17:28:09 ack rbyers
17:28:15 q+
17:28:59 Paulo: We welcome any suggestions to experiment with them in our checkouts. I expect we'll have multiple solutions and we'll have to negotiate with merchants to see which they prefer.
17:29:11 liucougar has joined #WPWG
17:29:18 ack Jayadevi
17:29:36 Jayadevi: PIX sounds similar to UPI. I think there are a lot of synergies.
17:30:31 ...there are some interesting features emerging like the "UPI circle" where I can add my daughter to an account.
17:30:34 FYI: FedCM Multi-IDP origin trial (desktop only for now) details: https://developers.google.com/privacy-sandbox/blog/fedcm-chrome-128-updates
17:31:02 Jayadevi: I recommend looking at the UPI feature set.
17:31:09 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
17:33:07 q?
17:33:35 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
17:33:44 vkuntz7 has joined #wpwg
17:33:55 quit
17:34:02 vkuntz7 has left #wpwg
17:34:54 vkuntz4 has joined #wpwg
17:35:05 vkuntz4 has left #wpwg
17:50:53 dlehn1 has joined #wpwg
17:57:45 melissavs has joined #wpwg
18:02:19 DominicB has joined #wpwg
18:06:03 Vanitha has joined #wpwg
18:06:06 I'm hearing that there's a power outage at the hotel
18:10:48 Yes, they asked us to move outside for safety. The building is dark due to power being out. We are waiting to see how long the power will be out.
18:12:17 benoit_ has joined #wpwg
18:14:17 Steve_C has joined #wpwg
18:18:38 kavramesh has joined #WPWG
18:21:40 Just FYI, Power went out at hotel
18:25:25 Steve_C has joined #wpwg
18:45:07 Gerhard has joined #wpwg
19:05:29 Steve_C has joined #wpwg
19:12:16 jthomas has joined #wpwg
19:29:11 KennethDiaz has joined #wpwg
19:39:30 nsiskov has joined #wpwg
19:39:37 present+
19:44:26 KennethDiaz has joined #wpwg
19:54:42 Steve_C has joined #wpwg
20:08:31 benoit_ has joined #wpwg
20:09:39 aprotyas has joined #wpwg
20:10:09 Soumya5 has joined #wpwg
20:14:55 Takashi has joined #wpwg
20:16:44 vkuntz has joined #wpwg
20:16:50 present+
20:26:28 Jorge has joined #WPWG
20:35:21 westin has joined #wpwg
20:42:12 Steve_C has joined #wpwg
20:43:40 Gerhard has joined #wpwg
21:00:34 Steve_C has joined #wpwg
21:07:33 Gerhard6 has joined #wpwg
21:08:44 Jayadevi has joined #WPWG
21:09:10 maximeg has joined #wpwg
21:09:54 present+
21:10:01 zakim, who is here?
21:10:01 Present: Ian, westin, rbyers, smcgruer_[EST], fahad, benoit_, aprotyas, Hari_PayPal, rouslan, maximeg, nsiskov, Jeff, Sue, KennethDiaz, takashi, jthomas, Arman, vkuntz, pavelar,
21:10:04 ... Jorge, present, Soumya, melissavs, Wade, Sid, nick_s, SameerT, nicktr, liucougar, Gerhard, kavramesh, Doug
21:10:04 On IRC I see maximeg, Jayadevi, Gerhard6, Steve_C, Gerhard, vkuntz, Takashi, aprotyas, benoit_, melissavs, dlehn, Soumya, Wade, RRSAgent, Zakim, TallTed, pea1358, canton_, benoit,
21:10:04 ... aki, jets, Ian, tobie_, nicktr, rbyers, hadleybeeman, ljharb, slightlyoff, smcgruer_[EST], rouslan, hober
21:10:10 present+
21:10:43 ioana has joined #wpwg
21:10:52 Topic: Payment Handlers in Chrome
21:11:05 -> https://www.w3.org/2024/Talks/TPAC/chrome-ph-20240924.pdf Rouslan's payment handler slides
21:11:33 Gerhard3 has joined #wpwg
21:11:48 q?
21:11:57 Steve_C has joined #wpwg
21:12:59 (Rouslan shows a slide with current payment handler experience)
21:14:25 Rouslan: As a reminder, both web apps and native apps can be used on Android.
21:16:12 (Rouslan does a refresher for payment handlers; see the slides)
21:17:50 bkardell_ has joined #wpwg
21:18:25 melissavs has joined #wpwg
21:20:46 q?
21:20:58 fahad has joined #wpwg
21:20:58 q+
21:21:28 Jeff has joined #wpwg
21:24:05 Ian: Can we pull back from PH API to discuss payment handlers and digital credentials API?
21:24:24 Nick_S: I think that's an interesting topic. It's possible that the work in identity will cause us to revisit payment handler.
21:24:47 Jorge has joined #WPWG
21:24:50 pablosfor_meli has joined #wpwg
21:24:56 q-
21:24:58 pavelar has joined #wpwg
21:25:04 Nick_S: There's a lot of value in PH API, including ability to talk to apps.
21:25:11 ...so that's a valuable effort.
21:25:26 nsiskov has joined #wpwg
21:25:37 ...it's interesting in a case like UPI where there may be multiple wallets for a standardized payment method.
21:25:38 present+
21:25:53 liucougar has joined #WPWG
21:26:17 present+
21:26:38 alexlakatos has joined #wpwg
21:27:11 Ian: we imagined standardized payment methods (e.g., basic card) with N handlers per payment method, but that vision has not panned out.
21:27:39 nick_s has joined #wpwg
21:29:00 Rouslan: Furthermore, people could use multiple payment methods per PR API call, but in practice they only use one.
21:30:05 ...it would be nice in practice to be able to have a single payment request call referring to multiple payment handlers. But that's probably a long way off.
21:30:17 q?
21:30:53 Rouslan: One topic of interest is "can user activation be implementation specific?"
21:31:52 ...paymentRequest.show() had required user activation, but we have seen requests from payment method owners to not always have them, especially when the payment handler shows up after a redirect.
21:32:34 ...the compromise in our implementation is to not require a user activation after a redirect, but only one time.
21:32:57 Jorge has joined #WPWG
21:33:00 ...we'd like to add this to the specification and want some feedback from other browser vendors and PSPs
21:37:05 (Rouslan and Marcos and Abrar will chat about user activation)
21:39:02 q+ to ask about digital credentials app/payment handler cross over (e.g. android-credential-manager)
21:39:21 ack nicktr
21:39:21 nicktr, you wanted to ask about digital credentials app/payment handler cross over (e.g. android-credential-manager)
21:40:13 nicktr: Has there been any experimentation to use the PR / PH handler pattern for credential management?
21:40:36 ack nicktr
21:40:45 q+
21:40:47 rouslan: We've seen FedCM as a card selector in a demo
21:41:28 Rouslan: We might want to have "handler" as a primitive - a special window with special properties and security that can be opened in a 1p context in a privacy preserving way.
21:41:36 ...that concept we may want to spin out into its own API.
21:42:26 ack Ger
21:42:30 ack Gerhard3
21:42:51 Gerhard: There is potential of using the payment handler as a vehicle to improve the 3DS iframe window.
21:43:31 ...the merchant would reach out to ACS in an AREQ. The ACS would say "I would like you to use a payment handler to create this challenge"
21:43:42 Steve_C has joined #wpwg
21:43:48 ...that would require installation and activation of the payment handler instead of the Method URL
21:44:00 ...is that a feasible use case for payment handlers?
21:44:18 ...the payment handler would return the 3DS cryptogram.
21:46:08 aprotyas has joined #wpwg
21:46:52 Rouslan: Recall that it is no longer possible to install a payment handler manually, it can only be installed on the fly.
21:47:37 q?
21:47:57 NickTR: Does the current SPC implementation use a payment handler?
21:48:07 Rouslan: No. It uses PR API but not a payment handler.
21:50:01 Ian: If that's the case, could you allow SPC within a Web-based payment handler if you have an "if statement"?
21:50:12 Rouslan: Might be feasible but some small challenges perhaps.
21:52:29 Ian: It would be useful to be able to use SPC within a web-based payment handler.
21:53:05 ...that's more secure and convenient than vanilla in that context.
21:54:33 (Some discussion of using FIDO and selecting credentials v. empty credential list)
21:56:23 https://github.com/w3c/webauthn/issues/2086
22:01:10 Ian: Can you say more about Web Payment handlers in Webviews?
22:01:22 Rouslan: Webviews don't have interfaces provided by the library.
22:01:44 ...so we don't think web payment handlers will come to web views, but web views run on Android and there is support for Android-based payment apps
22:01:58 ...so there's more hope that Android payment apps will work in web views. That would make sense.
22:02:35 ...we might need to change some ways we invoke Android-based payment apps, but the key component is that web view host apps would have to provide permission to invoke payment apps.
22:03:06 ...for developers who fork web view, what's the typical motivation for that?
22:03:39 SamWeiss: There are a variety of motivations. We sometimes run into edge cases. Initialization performance can be slow, for example.
22:03:57 ...one feature we are working on currently is asynchronous browser initialization
22:04:02 ...to avoid freezing the UX
22:04:24 I have made the request to generate https://www.w3.org/2024/09/24-wpwg-minutes.html Ian
22:04:41 Rouslan: Can you say anything about Meta views on payment request and payment handler?
22:05:24 Sam: Payment processing is important for us, and making it efficient is important to us. I don't know that we have positions on specific standards, but we'd like to improve them for the ecosystem.
22:05:45 Rouslan: Does any of this discussion apply to the WebKit web view?
22:05:52 Nick_S: Probably doesn't apply.
22:48:59 Topic: Merchant Perspectives
22:50:54 SteveCole: I am here from MAG. Our membership is large US merchants. We focus on payments through collaboration, advocacy, and education.
22:52:11 ...please note that "merchants" are a large and diverse group, and don't necessarily see eye-to-eye on all topics
22:53:12 stevecole: Merchants do want to maintain control over their customers' experiences.
22:53:19 ...so good to see when the community works in that direction.
22:54:25 ...some disclaimers: the "hot topics" come from a wide and diverse group of merchants. So may be hot for some but not others.
22:55:09 ...these hot topics are focused on pain points (rather than "future directions")
22:57:29 ...hot topics in ecommerce:
22:57:39 * OmniChannel retail and barriers to seamless transactions
22:57:41 * Pay by bank
22:57:46 * PCI 4.0 readiness
22:57:49 * 1p fraud
22:58:37 SteveCole: One question has been "would there be a pullback from e-commerce in light of where we are with COVID?" I think the answer is that experiences will become more integrated, with blurring of the line between online and in-person
22:58:51 ...buy online + authenticate in store created authentication issues.
22:59:53 SteveCole: But it remains a challenge to solve for: authenticating the user and the credential. There are scenarios where merchants have tried to lower their costs (e.g., you presented a card on the web)...you pick up in store and present a different or same card...is that a card present transaction?
23:00:17 ...I don't see a pullback from e-commerce but rather more integrated experiences.
23:01:06 NickTR: I've spent a lot of time with retailers around this.
This is another area where payments and commerce veer into identity.
23:01:44 ...work around digital credentials that we discussed may help with the integrated experiences.
23:02:02 SteveC: The ability to identify the consumer is 99% of the battle.
23:02:48 SteveC: You may have seen a recent announcement of a large retailer supporting pay by bank. But that raises interesting questions about chargebacks and disputes.
23:02:57 ...the functionality that was announced was for online only.
23:03:18 ...and the question that's important is "was that the authorized user"?
23:03:43 ...PCI 4.0 requirements around MFA may be challenging.
23:04:09 ...for March 2025
23:05:18 ...I think many merchants are not prepared for MFA.
23:05:51 ...another area that's huge for merchants is 1p fraud. Although it's not exclusive to e-commerce, it's easier to say "I didn't get it" in remote context.
23:06:30 ...the networks are coming up with some approaches for helping understand that a consumer agreed to a payment.
23:07:09 ...as NickTR said, it comes down to identity in many cases.
23:08:02 NickTR: In the EU regulatory context, it seems the community is encouraging more sharing of data to help combat fraud.
23:08:12 vkuntz: See the speech from Mario Draghi from a week ago
23:08:56 -> https://commission.europa.eu/topics/strengthening-european-competitiveness/eu-competitiveness-looking-ahead_en Draghi report
23:09:28 Steve: Browser token autofill creates issues for merchants; makes it hard to know their customers.
23:09:37 ...single use tokens can also cause routing issues
23:10:24 Report on Mario Draghi speech here -> https://www.euractiv.com/section/industrial-strategy/news/tech-takes-center-stage-in-draghi-report/
23:10:49 Steve: 3DS is another area of interest. Some stakeholders think that merchants should be implementing 3DS in a more systematic manner. From a merchant perspective they see inconsistent implementation from issuers.
23:11:27 ...within MAG we need to drill down to better understand what the implementation issues are. Is it about decisioning process (probably not for WPWG) or other technical topics (perhaps more in-scope)
23:12:50 Another topic is fraud management in general, use of AI and machine learning
23:13:18 For AI and the Web see:
23:13:25 -> https://www.w3.org/reports/ai-web-impact/ AI & the Web: Understanding and managing the impact of Machine Learning models on the Web
23:14:01 NickTR: Regarding token autofill, is the issue that it's hard to join transactions due to differing numbers? What about PAR?
23:14:24 SteveC: PAR comes up in our membership. Perspective is that it's not being applied consistently enough to be useful.
23:15:12 Arman: EMVCo creates the spec, but does not play a role of mandating a feature.
23:15:38 NickTR: Implementation cost would be high.
23:17:20 Sue: For first party fraud, is there an industry where that happens more than others?
23:17:47 SteveC: It's more online than offline. But it seems to apply across industries. Return fraud is a variant of 1p fraud.
23:18:06 ...I'm not aware of e-commerce merchants who say it's not an issue for them.
23:18:47 benoit_: What is perspective generally on pay-by-bank?
23:19:21 Steve: It's not yet huge, although there are service providers with (fairly successful) pay-by-bank solutions.
23:19:32 ...you have to separate online from offline when talking about pay-by-bank.
23:19:45 ...with online transactions, the cardholder is in an environment where the amount is known.
23:19:53 ...in offline, you'd need "request for pay" for that to work.
23:20:18 ...that would be more challenging from a UX experience, so I think the online space may move faster.
23:20:23 ...but there are still latency issues.
23:20:33 ...small merchants may face challenges.
23:51:26 Is there an IRC channel for the WebPayments-WebAuthn joint meeting?
23:53:13 I don't think so - but we could make one
23:53:57 I have created #tpac-webauthn-wpwg
23:57:50 you're welcome to join me there - type /join #tpac-webauthn-wpwg
01:17:18 I see no action items