W3C

Web Payments Working Group

02 July 2026

Attendees

Present
Albert Schibani (Capital One), Bjorn Hjelm (Yubico), Darwin Yang (Google), David Benoit, Ian Jacobs (W3C), Jean-Luc di Manno (FIME), John Earnshaw (American Express), Praveena Subrahmanyam (Airbnb), Ravi Shekhar (PayPal), Rene Leveille (1Password) , Ricky Graziosi (Block), Ryan Watkins (Mastercard), Slobodan Pejic (Google), Stephen McGruer (Google), Steve Cole (MAG), Sue Koomen (American Express), Takashi Minamii (JCB)
Chair
Ian
Scribe
Ian

Meeting minutes

Ecommerce Workshop

The deadline for agenda proposals for the E-commerce for Humans and AI Agents has been extended to 10 July.

SPC BBK topics

w3c/secure-payment-confirmation#334

Ian: Anything left to do on this?

John: I'm happy with it

<stephen_mcgruer> +1 to merge

Ian: Any objections to merge?

(None)

<stephen_mcgruer> w3c/secure-payment-confirmation#321

<stephen_mcgruer> +1 to close as complete

SPC / WebAuthn restrictions

w3c/secure-payment-confirmation#332

stephen_mcgruer: We added the ability for SPC calls to include webauthn extensions two years ago, but that created some privacy issues.
… some extensions where an RP would not want a third-party to have access to that information.
… we looked into auth-time extensions that would be useful to be used by a third-party
… in chrome, we landed a change so that SPC calls fail if you call SPC with a webauthn extension and it's a third-party call.
… I suggest we land 332 today (to reflect implementation)_ and can update in future if we need to

stephen: We also chatted with WebAuthn folks at Google.

Proposed: Merge 332 to align with chrome implementation.

<Ian> +1

RESOLUTION: Merge Pull Request 332

SPC and third party definition

w3c/secure-payment-confirmation#328

stephen: SPC's definition of third party is more restrictive than the world of webauthn≥
… in webauthn subdomain.domain.com is allowed to claim domain.com. SPC does not allow that.
… so identity.bank.com and bank.com SHOULD both be able to claim bank.com (in WebAuthn)(
… so we propose to update the spec (and implementation likely already follows WebAuthn) to align with WebAuthn

benoit: I see real world applications of this.
… but there are cases where third party domains run in domains of banks
… any way to allow for some limitations?

stephen: If this is true, that domain is already susceptible to issues in webauthn land.
… webuathn uses the "public suffix list"
… I think it's reasonable to raise the concern; please add a comment to the issue.

Ian: Let's leave this open to get more feedback.

Stephen: That works.

Ian: We'll try to close this at one of next 2 upcoming calls.

Roaming authenticators

w3c/secure-payment-confirmation#12 (comment)

https://www.w3.org/2026/06/04-wpwg-minutes.html#ActionSummary

(Stephen notes that 3DS folks did not provide information on needed Web Extensions)

Bjorn: Did not get to review 332.

Stephen: Let's put this discussion on the 16 July agenda. By then I'll have a document on the current situation and what would need to change.

(We move roaming auth discussion to 16 July)

TPAC agenda

Draft TPAC schedule => https://www.w3.org/calendar/tpac2026/

Registration to open 9 July

Ian: Agenda ideas for the WPWG meeting on Thursday

- SPC pilots

- PR API / PH API

- Agentic payments

- SPC and roaming authenticators

- Autofill and checkout

Jean-Luc: We are seeing a lot of emerging protocols. In particular x401
… may have synergies with SPC
… might be interested to understand the use cases, and see how they relate
… could we talk to them about potential SPC intersections?

(No one on call directly involved in those activities)

<stephen_mcgruer> https://x401.id/ <--- I assume?

<stephen_mcgruer> (Via https://www.proof.com/blog/introducing-x401 )

ACTION: Ian to work with the Chairs to reach out to see if x401 might be part of joint WebAuthn/WPSIG meeting on Tuesday

Jean-Luc: For agentic, we see growing need for "trust surface" . Perhaps browser could play this role.
… there are synergies with SPC ; how to rely on browser UX

https://github.com/w3c/ecommerce-for-humans-and-AI-Agents-workshop/issues

Next meeting

16 July

Summary of action items

  1. Ian to work with the Chairs to reach out to see if x401 might be part of joint WebAuthn/WPSIG meeting on Tuesday

Summary of resolutions

  1. Merge PR 332
Minutes manually created (not a transcript), formatted by scribe.perl version 248 (Mon Oct 27 20:04:16 2025 UTC).