Main Page/FTF Oct2015/Summary

From Web Commerce Interest Group

This is a summary of the October 2015 face-to-face meeting of the Web Payments Interest Group. See the agenda and 26 Oct minutes and 27 Oct minutes.

Summary

The goals of the meeting were:

  • Review and update the strategic plan of the Interest Group
  • Reach consensus on the next standardization priority and develop a plan and timeline for the creation and socialization of a new Working Group Charter.

The agenda was organized as follows:

  • Review progress from the past year and evaluate against our charter.
  • Hear use cases and inputs from different stakeholder groups
  • Attempt to determine priority areas of work for the next 6 months.

The group heard a number of interesting presentations, but did not reach a strong consensus on the next priorities. However, the top candidates for investing energy for the next few months are:

  • Identity and Credentials
  • Interledger payments
  • Ecommerce
  • Security needs (e.g., beyond the strong authentication working groups in development)
  • Relationship to ISO work, especially ISO20022.
  • Reviving the Capabilities document effort

The group expects to hold a 1-day face-to-face meeting at the end of February 2016 on the West Coast (USA).

Note: Discussions summarized in the following sections took place in a slightly different order at the meeting; they have been reordered to simplify their presentation.

Strategy

Ian Jacobs led sessions to open and close the meeting to help determine "what the IG should be doing." The opening presentation focused on an evaluation of the group's successes and weaknesses in its first year. The closing session involved reviewing the two days of discussion to determine priorities for the next six months.

Stakeholder Perspectives

Banks

Arie Levy-Cohen gave a presentation on bank perspectives. Discussion focused on a matrix of topics perceived to be important to banks (based on survey questions and private conversations). The matrix looked at whether each topic was related to the Web, and whether it was primarily about lowering costs or creating new business opportunities. One topic that seems of particular importance is identity, and banks might have an opportunity to act as identity providers given the strong authentication role they play (or KYC/AML compliance).

Cyril Vignet then gave a presentation on Building trust for p2p transactions, or "bringing 4-corner to the Web." The presentation summarized some of the benefits of the 4-corner model, and included a proposal (nicknamed "SCAI") that described how to create a digital "paper trail" of consent to pay. It was observed that this proposal showed similarities to the Interledger protocol that was discussed elsewhere on the agenda.

Mobile Operators

Natasha Rooney gave a presentation on mobile operator perspectives (largely a GSMA perspective). In her view the big opportunities for mobile operators involve providing services around identity and authentication. While there are individual exceptions, mobile operators may be moving away from: app stores, carrier billing, using mobile phone numbers as identifiers. Some requirements for the Web from their perspective include: tokenization, supporting FIDO-style challenges, enforcing HTTPS, and simplifying merchant onboarding and user enrollment.

Merchants / Ecommerce

David Ezell gave a presentation on ecommerce/merchant perspectives. Key opportunities cited were:

  • sufficient information in the standard to enable parties to determine "the best deal"
  • integrate loyalty / points / coupons into the checkout flows
  • support combining multiple instruments per transaction
  • creating opportunities where customers could gain benefits by opting in to sharing more data with the merchant (and in general enabling merchants and customers to negotiate).

Payment Service Providers

Zephyr gave a presentation on PSP perspectives, which consisted of two parts: a brief overview of the finance ecosystem in China, followed by some PSP requirements. For the part on China, there was an emphasis on the use of QR codes to encode offers, and the importance of mobile payments. For the second part of the presentation, some topics for discussion (that we did not have time to explore in depth) included security (biometrics, tokenization, PCI compliance), regulation (taxes and tax reporting), risk management, and automated payments.

Customers with Disabilities and Accessibility Vendors

Katie Haritos-Shea and Charles McCathieNevile discussed some important accessibility topics to bear in mind as we envision a Web payments ecosystem, including attention to the balance between simplifying payments and having enough friction so that people do not make payments accidentally. We began a discussion about requirements in APIs to enable the creation of accessible user interfaces; that discussion continued at the Working Group meeting on Friday.

Automotive

Representing the Automotive Working Group, Kevin Gavigan gave a presentation on Automotive Use Cases for Payments. These included automatic payments when leaving a parking lot, automatic toll payments, and fuel payments. Discussion touched on a number of points, including privacy, management of credentials used for payments (e.g., car key-as-wallet), rental scenarios, subscription payments, and inter-automotive communication. The expectation is that the groups will continue to liaise to flesh out the use cases.

Capabilities

Security

Wendy Seltzer presented a Security Roadmap for W3C, with discussion about Web User Security (e.g., Crypto, HTTPS, Secure Contexts), Web Application Security (e.g., CSP, Referrer policy, Subresource integrity, Permissions, etc.), and Web Platform Security (reviews, liaisons). In particular, she presented two draft charters in development for strong authentication: Web Authentication WG (a collaboration with the FIDO Alliance) and Hardware-based Security WG. There was some discussion about the relationship between FIDO attestations and the work of the Credentials Community Group. There was also discussion about the FIDO distinction between biometric information (which remains local to a device) and attestations (which cross the network), and about the challenge of bringing trusted execution environments to the Web. We discussed some security topics that are not covered by these draft charters, and it was suggested that where the IG has requirements, we invite Wendy Seltzer (who leads this work for W3C) for further discussion.

Signed Claims / Credentials

Manu Sporny gave a presentation on "signed claims" use cases, summarizing the results of a survey. Key themes that emerged from the use cases were the desire to simplify checkout (easier provision of data), make enrollment (KYC) easier, automate compliance, and ensure proper licensing and training. There was interest in pursuing this topic and several ideas for getting to the next level of clarity about use cases, including:

  • Focus on credentials use cases specific to Web payments (within the Web Payments IG)
  • Focus on a credential format and a way to exchange credentials.
  • Identify limitations of existing formats and develop those further.
  • Focus on lowering the cost of establishing meaning and trust.
  • Create a new Verifiable Attributes CG focused on use cases (which would be faster than creating an IG)
  • Focus on a generic credentials storage mechanism in the browser.

Manu created a Credentials Task Force proposal for next steps.

Interledger Protocol (ILP)

Evan Schwartz and Stefan Thomas gave a presentation on the Interledger Protocol (ILP). There were a number of good questions (see the minutes for details) and discussion will continue in the Interledger CG. See interledger.org for additional information on the protocol.

Capabilities Document Strategic Reset

Pat Adler gave a presentation on the Capabilities Document to help establish the value of the work, and figure out a way to restart it. He made the point that this work is valuable for a number of reasons, including to communicate the IG's views on architecture, to illustrate key principles, and to help coordinate our work with other groups. It was argued that the primary reason this work stalled was that the people working on it mid-2015 turned their attention to other projects (the chartering process, TPAC preparation, day jobs, etc.). There was support for continuing to evolve the document.

Liaisons

How a Web-based payment system could leverage ISO20022

Kris Ketels gave a presentation on how the Web could leverage ISO20022. Kris made the point that because of the wide adoption of this standard, if we can align our work with it we can achieve greater global interoperability. There are different avenues toward alignment, including:

  • Proposing changes to ISO20022 to help integrate it into the Web (e.g., JSON serialization)
  • Reusing parts of the ISO20022 repository (e.g., for flows, messages, and terminology)
  • Defining the Web Payment WG flows using the tools available from ISO20022 and including them in the ISO20022 Repository for others to use.

We also discussed where ISO20022 ends (e.g., it only describes the data exchanged, not the mechanisms that wrap business methods, or security). We also discussed briefly the process by which W3C might suggest changes to ISO20022. Kris plans to write a more detailed proposal on the opportunities to leverage ISO20022 and coordinate with the registration authority.