13:54:08 <RRSAgent> RRSAgent has joined #wpwg
13:54:12 <RRSAgent> logging to https://www.w3.org/2026/04/09-wpwg-irc
13:54:13 <Ian> Meeting: Web Payments Working Group
13:54:25 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20260409
13:54:27 <Ian> Chair: Ian
13:54:30 <Ian> Scribe: Ian
13:54:32 <Ian> present+
13:54:39 <Ian> agenda+ BBKs
13:54:45 <Ian> agenda+ SPC and roaming authenticators
13:54:52 <Ian> agenda+ Currency code question
13:55:02 <Ian> agenda+ FYI - survey on impact of AI
13:55:11 <Ian> agenda+ upcoming meetings
13:59:04 <Ian> present+ Rogerio_Matsui
13:59:30 <Takashi> Takashi has joined #wpwg
13:59:37 <Takashi> present+
14:00:08 <Ian> present+ Sami_Tikkala
14:00:23 <Ian> present+ Ashwany_Rayu
14:00:48 <Ian> present+ Jean-Luc_di_Manno
14:00:54 <Ian> present+ Sue_Koomen
14:01:45 <Ian> present+ John_Earnshaw
14:03:06 <Ian> present+ NickTR
14:03:11 <Ian> present+ Dan_Pelegero
14:03:19 <Ian> present+ Darwin_Yang
14:03:27 <Ian> present+ Jorge
14:03:45 <Ian> present+ Kenneth_Diaz
14:04:03 <Ian> zakim, take up item 1
14:04:03 <Zakim> agendum 1 -- BBKs -- taken up [from Ian]
14:04:12 <JL> JL has joined #WPWG
14:04:15 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/321#issuecomment-4206232571
14:04:33 <darwin> darwin has joined #wpwg
14:04:33 <Roger> Roger has joined #wpwg
14:04:46 <Ian> present+ Ehsan_Toreini
14:04:57 <Ehsan> Ehsan has joined #wpwg
14:05:08 <Ian> (We review the questions)
14:05:11 <SueKoo> SueKoo has joined #WPWG
14:05:22 <Ian> John: Acknowledge the issue around vague definition of "account"
14:05:27 <kenneth_entersekt> kenneth_entersekt has joined #wpwg
14:05:54 <Ian> present+ Ryan_Watkins
14:06:06 <sidvishnoi> present+
14:06:26 <Ian> Ian: Do we need changes anywhere?
14:06:38 <Ian> John: Suggest clearer information in the spec
14:06:43 <Ian> present+ Arman
14:07:00 <Ian> John: A note might be fine.
14:08:24 <Ian> Ian: Might need to be normative.
14:09:30 <Ian> Ian: Is a more crisp definition needed to unblock usage of the API?
14:09:38 <Ian> present+ John_Bradley
14:09:50 <Ian> present+ Ioana
14:10:17 <Ian> action: Darwin to chat with Stephen about whether spec change / clarification is useful
14:11:03 <Ian> zakim, take up item 2
14:11:03 <Zakim> agendum 2 -- SPC and roaming authenticators -- taken up [from Ian]
14:11:51 <Ian> JohnB: Let's wait for result of discussions a bit longer
14:11:59 <Ian> present+ Gerhard
14:12:26 <Ian> zakim, take up item 3
14:12:26 <Zakim> agendum 3 -- Currency code question -- taken up [from Ian]
14:14:06 <rbl> rbl has joined #wpwg
14:14:13 <rbl> +present
14:14:49 <Ian> https://www.iso.org/iso-4217-currency-codes.html
14:15:23 <Ian> (Question: what is status of ISO4217 codes?)
14:17:20 <Ian> ACTION: Ioana will reach out to ISO group to see what there plans are about cryptocurrency codes
14:18:50 <Ian> https://github.com/w3c/payment-request/issues?q=is%3Aissue%20state%3Aclosed%204217
14:19:49 <sidvishnoi> the note in PR in question: https://www.w3.org/TR/payment-request/#dom-paymentcurrencyamount-currency
14:20:23 <Ian> present+ Rene
14:20:37 <Ian> present+ David_Benoit
14:20:50 <Ian> zakim, close this item
14:20:50 <Zakim> agendum 3 closed
14:20:51 <Zakim> I see 4 items remaining on the agenda; the next one is
14:20:51 <Zakim> 1. BBKs [from Ian]
14:20:55 <Ian> zakim, take up next item
14:20:55 <Zakim> agendum 1 -- BBKs -- taken up [from Ian]
14:21:48 <Ian> zakim, take up item 4
14:21:48 <Zakim> agendum 4 -- FYI - survey on impact of AI -- taken up [from Ian]
14:22:45 <Ian> https://github.com/w3c/strategy/issues/544
14:23:35 <Ian> John: We'd need to divide up what AI will impact.
14:23:40 <Ian> ...SPC is designed to stop AI
14:24:41 <Ian> Jean-Luc: There are two trends - using VC and using passkeys
14:24:54 <benoit> q+
14:25:04 <Ian> ...it could be interesting to capture the user intent via something like SPC (transition data enhancement)
14:25:19 <benoit> q-
14:26:25 <Ian> jean-luc: If there is an existing trust relationship, the user would consent to authenticate a transaction. There would be differences between trusted relationships and untrusted relationships
14:26:38 <Ian> ...could be interesting to think about expanded transaction data.
14:26:51 <Ian> ...to a kind of authorization context.
14:27:29 <Ian> John_Bradley: I agree that taking advantage of SPC makes sense there, but do we need a general purpose API or payment-specific?
14:28:24 <nicktr> +q
14:28:43 <Ian> Jean-Luc: A big issue is how to trust UI (which we get with SPC)
14:28:48 <Ian> ..but we can't shopping agent UI
14:29:05 <Ian> John_Bradley: That could be an interesting angle to explore
14:29:47 <Ian> NickTR: Today in the EU you need explicit information about merchant and amount at the point of authentication for the transaction.
14:29:58 <Ian> ...so payments can't make payments autonomously and comply with dynamic linking
14:30:21 <Ian> jean-luc: Indeed, but the short term use case will be human-in-the-loop
14:31:47 <Ian> NickTR: This takes us back to conversations we've had about SPC in native apps.
14:33:48 <Ian> Ian: My sense from TPAC was that the DPC folks said "Don't expand use cases."
14:34:03 <Ian> John_Bradley: But SPC may make it easier too prove that there was a human in the loop (may be useful for PSD2)
14:34:30 <Ian> ...because FIDO requires user interaction.
14:35:15 <Ian> Ian: Does the ARF require user interaction?
14:35:33 <Ian> John_Bradley: There's no fundamental underlying regulation for that at the moment
14:35:43 <Ian> ...there might be some guarantees per-country
14:35:53 <Ian> ...but people are building wallets for agents that don't require human interaction
14:36:11 <Ian> ...so SPC's assumption that there's a human in the loop may give it leverage
14:38:12 <Ian> Ian: Would "a human must be in the loop" be something to surface at the DC API layer?
14:38:13 <Ian> John: No
14:39:15 <Ian> ...it would likely be part of the wallet and it would be credential-specific.
14:39:27 <Ian> ...SPC is easier to reason about
14:39:33 <Ian> present+ Shunsuke_Oka
14:40:50 <Ian> John_Bradley: There's no reason your agent couldn't be a RP in an SPC flow
14:41:02 <Ian> ..the information that would be required could be passed on in SPC
14:41:26 <Ian> ...question of whether we need to add a parameter "I'm an agent that's doing this"
14:43:18 <Ian> ..if an agent were doing SPC, what would go in the client extension input data?
14:43:28 <Ian> ...we may want to add clarifying notes for when agents are using SPC
14:43:36 <Ian> ...from a protocol POV, an agent is like  merchant.
14:43:55 <Ian> ...but there may be more info that's needed (merchant talking with agent)
14:44:47 <Ian> ...agent could lie about what merchant it's getting an authorization for.
14:45:03 <Ian> NickTR: I think there's a difference between agent and merchant in terms of threat modeling.
14:46:10 <Ian> John_Bradley: Right, it might be ok when the bank says "Yes, Claude is allowed to act as an intermediary for my credentials". If we include enough info in the assertion for the bank to make a risk decision, that would likely suffice.
14:46:33 <Ian> NickTR: For card payments, who is vouching for the agent and its trustworthiness?
14:47:43 <Ian> ...you'd likely need some extra layer of certification so that the agent can sign over the transaction
14:48:09 <Ian> John_Bradley: if someone wanted to build that certification ecosystem, would the API have enough hooks for the data exchange?
14:48:36 <Ian> Jean-Luc: I think there's no liability shift in implementations I've seen.
14:50:04 <Ian> ...big point is how to have trust when AI is non-deterministic and selects merchant/products based on user intent.
14:52:24 <Ian> present+ Mannish
14:52:29 <Ian> present+ Manjush
14:52:32 <Ian> present- Mannish
14:53:11 <Ian> John: What you want to sign over is "the merchant is best buy, my agent is claude, and I am signing this amount to allow claude to interact with best buy"
14:53:19 <Ian> ...we may need to capture this extra level of interaction.
14:53:45 <Ian> ...normally the merchant is the top origin, but it's not in this case.
14:56:03 <Ian> Ian: I think this is similar to marketplace story, which I think SPC covers
14:56:16 <Ian> John_Bradley: Agree an agent is acting as a virtual marketplace
14:56:31 <Ian> ...where we would have a problem is the next step
14:56:50 <Ian> ...doing SPC before the merchant has been selected v after the agent has selected the merchant
14:57:18 <Ian> Manjush: Would the agent be operating in the browser or stand-alone?
14:57:26 <Ian> John: Today SPC doesn't work in apps
14:58:07 <Ian> Manjush: From a UX experience, you'd be interacting with an app. After capturing the intent, the agent might present choices to the user via a browser.
14:58:20 <Ian> John: Might be the merchant domain or a redirect to an agent portal.
14:58:57 <Ian> ..if the agent redirects the user in a browser to a merchant, we don't need to change anything
14:59:38 <Ian> zakim, take up item 5
14:59:38 <Zakim> agendum 5 -- upcoming meetings -- taken up [from Ian]
14:59:59 <Ian> 7 May
15:00:03 <nicktr> I would note that PSD3 and the upcoming PSR have pretty trenchant views on agents - broadly I would say that they will remove the limited agent exclusion
15:00:13 <Ian> RRSAGENT, make minutes
15:00:14 <RRSAgent> I have made the request to generate https://www.w3.org/2026/04/09-wpwg-minutes.html Ian
15:00:16 <Ian> RRSAGENT, set logs public
15:00:27 <sidvishnoi> sidvishnoi has left #wpwg
15:07:17 <TallTed> TallTed has joined #wpwg