Warning:
This wiki has been archived and is now read-only.

Main Page/Security2017

From Web Commerce Interest Group

These are some ideas for a security task force scope within the IG. This is a draft in development by Ken Mealey and Ian Jacobs.

Questions? Contact Ian Jacobs <ij@w3.org>.

Goals

  • Consistent with the WPIG Charter, help assess whether the deliverables of the Web Payments Working Group can be used to make secure payments.
  • Through trusted assessments and review, provide assurances to ecosystem stakeholders about the ability to use the APIs securely.
  • Encourage specification implementers to adopt security best practices to protect user data.

Discussion Scope

  • Assessment of deliverables of the Web Payments Working Group

Out of Scope

  • Digital Offers
  • Digital Receipts
  • Strong Authentication / FIDO integration

Tactics for Developing Assessments

  • Solidify assessment methodology
    • Research/leverage how EMVCo, PCI, FIDO and X9 do security reviews.
  • Recruit qualified reviewers
    • Work with the Web Security IG
    • Hire a firm to perform a security evaluation
    • Encourage review by other organizations with similar interests in security (e.g., PCI, EMV, FIDO)
    • Request that W3C Member organizations implementing the specification share their own security evaluations.

Deliverables

  • Assessments
    • Web Security IG review (first requested January 2017).
    • Security Evaluation Report from a firm specializing in security evaluations
    • Evaluation / public statement by PCI and other affiliates
  • Translation of assessments
    • Into concrete comments on WPWG deliverables
    • Into best practices in the developer portal

Candidate Topics

  • Digital Signatures on PaymentRequest or PaymentResponse
  • End-to-End Encryption for Payment Instrument Details
  • Tokenization for Payment Instruments
  • Relation to PCI scope (and whether we can do better than status quo)