TPAC Recap!

Group photo of WPWG, November 2017

It’s the people that make TPAC worthwhile. More than 600 from the W3C community attended the annual “week of group meetings” this year: TPAC 2017 in Burlingame, California. With that many people over 5 days, you can pack a lot of hallway discussion into breakfasts, breaks, and receptions. What I sacrificed in sunshine, I gained in conversation.

A record seventy people participated in the Web Payments Working Group’s busy two-day agenda. Detailed minutes are available (6 Nov, 7 Nov, and an extra 3DS breakout on 8 Nov) but here are my highlights.

Day One

Payment Request API is being implemented in all major browsers. We heard from each vendor about implementation status and, for the first time, were treated to Webkit and Firefox demos. Marcos Caceres (Mozilla) is leading the effort to develop a test suite to help ensure that implementations of the API interoperate. The tests also play a role in enabling the group to advance to the next step in the W3C process. So it was great to hear that, according to Marcos, we are about “99% done” writing tests. This means that for the next 6 months or so, implementations (and the test suite) will work out the bugs so that by mid-2018, we anticipate all new browsers will support Payment Request API on a range of form factors.

The Working Group’s charter expires at the end of December. I have every expectation that W3C will recharter the group, and so we have begun discussion of a draft charter. Part of our TPAC discussion involved which “v2” features for Payment Request API should explicitly be in scope for potential Working Group deliverables. Topics people raised included:

  • Multi-tender payments
  • Discount codes
  • Access to and validation of billing address
  • Merchant validation
  • Facilities for improved error reporting to the user
  • Encryption of payment method data
  • The relationship of Payment Request API to EMVCo 3D Secure
  • Facilities to enable merchants to test Payment Request API in their environments.

At this stage we have not prioritized these topics, just called them out as candidates for discussion. The minutes include more topics (e.g., related to the design of the API).

We also discussed a proposal to remove two current deliverables from our next charter: HTTP API and HTTP Messages, both intended for out-of-browser payments. The consensus at the meeting was to keep some of the work (message structure for HTTP-based or other out-of-browser payments) but drop the HTTP API. In addition, we expect to enhance W3C’s liaison with the IETF HTTP Working Group for discussion of HTTP-based payments.

In the afternoon of day one we turned our attention to Payment Handler API. Rouslan Solomakhin (Google) and Manash Bhattacharjee (Mastercard) showed a demo of the early implementation of the (still evolving) API in Chrome, using two Masterpass-powered Web-based payment apps to make payments. We then walked through Payment Handler API open issues gathering feedback for the editors.

Manu Sporny (Digital Bazaar) closed day one with a presentation on the polyfill his company developed to bring the new user experience to older browsers.

Day Two

Day two began with a brief discussion of the Payment Method Manifest specification, which enables a payment method owner to bolster the security of the payment app ecosystem for that payment method. That specification is deployed in Chrome; I expect the Working Group will publish it as a First Public Working Draft before the end of the year.

We then moved on to payment methods “beyond basic card.”

Cyril Vignet (BPCE) discussed the evolution of the credit transfer task force’s thinking since the March face-to-face meeting. We have three draft credit transfer payment methods that reflect different flows and are evaluating the pros and cons of each. Matt Saxon (Worldpay) demonstrated an implementation combining one of our draft credit transfer specifications with one of the APIs being developed in the context of PSD2 in Europe. The goal of the prototype was to see whether we could create a superior user experience with Payment Request API (compared to deployed user experiences). The initial result was somewhat disappointing; the user experience was more or less the same, and not very good. However, the experiment revealed some new issues and suggested ways to improve the user experience. Over the next couple of days in Burlingame, the editors huddled together to come up with an improved credit transfer specification, and now work is underway on the next draft.

Adrian Hope-Bailie (Ripple) shared an update on the Interledger Protocol (ILP) Payment Method, which enables value transfer across disparate ledgers, initiated via Payment Request API. The ILP Community Group held a meetup in San Francisco later in the week.

Olivier Yiptong (Airbnb) presented ideas for encrypting basic card data to improve merchant PCI compliance compared to basic card. There was support for this idea, and two enhancements gained traction during discussion:

  • Encryption could well be useful with a variety of payment methods, including network tokenization.
  • It would be interesting to reduce PCI exposure and increase security, for example, by using digital signatures to address some browser-based man-in-the-middle attacks.

As a result of TPAC discussion, there is now (very early!) work on generalized encryption.

For several months, our tokenization task force has been discussing how to bring EMVCo network tokens to the Web. Manash Bhattacharjee and Sachin Ahuja (Mastercard) presented some of their experimental findings. The task force now plans to bring a Tokenized Card Payment Method specification to the Working Group to see if there is support for formally adopting the draft. Colleagues from Mastercard plan to continue to develop their prototype for presentation at the next face-to-face meeting, which may be in Asia in Q2 2018.

One of the hottest new topics on the Working Group’s agenda was 3D Secure (3DS) 2. Several EMVCo colleagues joined our meeting in person, and discussion spilled over into a breakout session the next day. In part due to regulatory requirements related to 3DS in some regions, there was strong support for investigating how to streamline EMV 3D Security via Payment Request API. In December or January we plan to create a 3DS task force within the Web Payments Working Group to continue detailed discussion.

By this point in the meeting, participants were losing energy. We had brief discussions of visual identity for Web payments. With representatives from the Privacy Interest Group we looked at some data protection issues, then adjourned so that people could organize ad-hoc meetings and get more done.

I extend thanks to all the participants and guests who joined the meeting and made it both productive and fun. Congratulations to the Working Group for their progress so far and what’s to come to make payments on the Web easier and more secure.

Leave a Reply

Your email address will not be published. Required fields are marked *

Before you comment here, note that your IP address is sent to Akismet, the plugin we use to mitigate spam comments.