W3C

Web Payments Working Group

25 September 2025

Attendees

Present
Albert Schibani (Capital One), Arman Aygen (EMVCo), Ashawany Rayu (JCB), Dan Pelegero (RPGC), Daniel Wyckoff (Shopify), David Benoit, Ehsan Toreini (Samsung), Fahad Saleem (Mastercard), Gustavo Kok (Netflix), Henna Kapur (Visa), Ian Jacobs (W3C), Juan-Pablo Marzetti (Block), Nakjo Shishkov (Netcetera), Nick Telford-Reed, Praveena Subrahmanyam (Airbnb), Rogerio Matsui (Rakuten), Steve Cole (MAG), Sue Koomen (American Express), Taskashi Minamii (JCB), Tommaso De Orchi (Futurae), Vasilii Trofimchuk (Block)
Regrets
-
Chair
Ian
Scribe
Ian, nicktr

Meeting minutes

Extending SPC with line items

w3c/secure-payment-confirmation#313

Vasilii: The problem statement - when you want to check out (including agentic AI checkout) where there is limited buyer/seller interaction, there may be concern about the buyer paying for something they didn't accept. This opens up risk for chargebacks.
… I wanted to explore whether there is an opportunity to aid sellers by putting additional information into the display and what is signed.
… namely the line items

Gustavo: I'd like to tie into this conversation about AP2 and how they are thinking about tackling this topic. They are not combining the info with the payment; they are separating them.
… so the user's prompt happens first (with a signature), then payment happens separately
… and so the user intent achieves the goal.
… I think something like that makes more sense to me than trying to embed too much into SPC.

Vasilii: Fair point. This AP2 came after I raised the issue. :)
… but it makes a good point about having the groups work together.

Henna: To answer the point about these groups coming together... my understanding is that AP2 was mostly done on the Google side and they put it out as an idea. On the FIDO Alliance Payments WG side, we'll start talking about a component of that proposal, related to signing the intent.
… that discussion will start very soon.
… I think the signed intent is still very much linked to a payment object; it's not completely separate.

Fahad: There are several intent types mentioned by Google (including a raw intent for what the user wants to purchase)
… that ends up in a VC
… the next step is when the agent is executing it against a merchant, the merchant can check the mandate and issue its own "cart mandate" with cart items
… all of that happens before the payment method has been selected.
… at the end there is a payment mandate with payment credential.
… we think that the VC that will be discussed at FIDO will have the payment bound together, but there may be scenarios where a mandate is not bound to a payment credential
… I think this will come down to payment details.

<Zakim> nicktr, you wanted to quickly talk about regulatory requirements under psd2

nicktr: I think it's interesting ... but I have a regulatory point (and a UX point). The challenge, I think, with the payment step in agentic payments (in regulated markets) is that you'll need to come back up to user space for the actual payment.
… you can't rely on card on file for agentic payment. The user needs to sign across the amount, currency, and merchant

Gustavo: We've been talking with Google about this, and their intent was to kick off a conversation.
… one question is where to host conversations.
… there's something on GitHub for collecting feedback.
… I'm hoping that the conversation goes into an entity where the space can be well-described.
… there's also going to be a need for flexibility about how much friction will be necessary in a particular context.

Nick: Right, success will go to who can best understand inferred intent.

Gustavo: There are use cases where the agent does the search but in the end the user agrees to a cart. But the frictionless flow will be the most challenging.

Ian: I'm trying to get someone to TPAC

Gustavo: I can help make a connection.

Ian: What should we do with the pull request at this point?

Vasilii: I welcome feedback on the pull request.
… I think the main idea was conferring with the user during the last mile.
… I think the problem will still be there. I think there will be some experiences in the browser.

Avoiding double-step up related to BBKs

<nicktr> w3c/secure-payment-confirmation#287 (comment)

<Tom> please, repost for late(new) joins :-)

<nicktr> w3c/secure-payment-confirmation#287 (comment)

<Tom> Thank you sir

dan: I think the second option (multiple BBKs) is more likely to find favour with the ACS vendors

TPAC check-in

<Ian> (We review the draft WPSIG agenda and candidate WPWG agenda)

<Ian> Ian: Any other topics to cover?

<Ian> Vasilii: Any updates on 3DS?

<Ian> Arman: I'll double check with the 3DS team and get back to you

<Ian> Ian: One question I was asked recently - what is the state of ACS support of 3DS 2.3.1?

<Ian> Arman: I can look for the number of products that have gone through testing.

<Ian> Dan: See EMVCo's list of approved 3DS 2.3.1 implementations

Upcoming meetings

<Ian> 9 and 23 October

Minutes manually created (not a transcript), formatted by scribe.perl version 244 (Thu Feb 27 01:23:09 2025 UTC).