[Draft] Web Payment Security Interest Group Charter
Status: This is a draft charter for review by the W3C Advisory Committee, the EMVCo Board, and the FIDO Alliance Board.
The mission of the Web Payment Security Interest Group is to enhance the security and interoperability of various Web payments. payments technologies. The group pursues its mission by creating a forum for organizations to define areas of collaboration and identify gaps between existing technical specifications in order to increase compatibility among different technologies.
It is not part of this group’s mission to establish dependencies between specifications or to endorse products or implementations.
| Start date | 17 April 2019 25 March 2021 |
|---|---|
| End date | 25 24 March 2021 2023 |
| Chairs |
|
| Team Contacts | Ian Jacobs (FTE %: 5) |
| Meeting Schedule |
Teleconferences:
Teleconferences
to
be
held
as
required.
Face-to-face: Participants generally meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the Participants, usually no more than 2 per year. |
Introduction
The payments ecosystem is complex and undergoing significant change due to technology advances, the rise of mobile computing, regulatory changes, faster payments initiatives, and more. The complexity and rapid changes increase the challenge of securing end-to-end payments and ensuring privacy protection.
Each of the Founding Organizations —EMVCo, the FIDO Alliance, and W3C— has undertaken steps to improve online payment security. As those efforts have matured, it has become more apparent that greater coordination will help ensure compatibility and foster broader deployment.
In particular, the organizations acknowledge the growing importance of strong customer authentication in payments and other interactions. For example, the FIDO Alliance is simultaneously collaborating with W3C (on Web Authentication) and with EMVCo (related to EMV® 3-D Secure) on strong authentication solutions. The organizations recognize the value of building and sharing a vision of the future of strong authentication on the Web, including streamlining the user experience.
Scope
Interest Group Activities in Scope
- Formulate a vision: Formulate a vision for improving Web Payment Security, taking into consideration a variety of payment methods.
- Describe use cases: Collect industry needs at the high level of desired functionality. However, because Participants make no patent licensing commitments by virtue of participation in this forum, discussion of specification details, including potential changes to existing specifications, remains out of scope.
-
Conduct
gap
analyses
:
Gain
understanding
of
whether
current
or
planned
technology
can
be
used
to
enhance
security
and
interoperability
of
Web
payments.
This
activity
may
include:
- identification of gaps;
- interpretation of specifications.
- identification of potentially conflicting requirements;
- use of prototypes and mockups as tools for understanding;
- identification of which organization(s) should address issues.
- Liaise: Build a shared understanding of how the work of the Partner Consortia relates, in order to foster compatibility and interoperability, and avoiding conflicting requirements. This activity may include discussions with other groups, standards organizations, regulatory agencies/bodies, and Web developers.
- Communicate: Communication of Interest Group vision, use cases, and best practices to the broader community.
- Identify standardization opportunities: Identification (e.g., through use cases) of capabilities that exist or need to be created to improve Web payment security and interoperability.
Activities Out of Scope
- Development of technical specifications specifications.
- Discussion of specific products or implementations consistent Consistent with W3C's Antitrust and Competition Guidance </a>. , the group will not discuss specific products or implementations.
Web Payment Security Topics in Scope
This Interest Group discusses the intersection of the activities of the Partner Consortia around payments and authentication. Within that scope, the Interest Group will address these topics:
- Technology compatibility / interoperability
- Fraud reduction mechanisms, including through strong customer authentication and data security
- Privacy protection
- Emerging rules and regulations (e.g., Payment Services Directive 2 (PSD2) in Europe)
- Harmonization with other standards activities (e.g., ISO 20022)
Topics Out of Scope
- Topics internal to a Partner Consortium that do not require collaborative discussion.
Deliverables
Although the Interest Group may publish vision, use cases, gap analyses or other deliverables consistent with the scope of this charter, the deleted text: initial expectation is that such deliverables will be rare. Instead, conversations are likely to be redirected at the appropriate time to the most relevant group.
This Interest Group might recommend standardization activities in any of the Founding Organizations, and participation in that standardization work would follow the general rules of those organizations.
For all Group Notes, this Interest Group will seek horizontal input and review for accessibility, internationalization, performance, privacy, and security with the relevant Working and Interest Groups, and with the Technical Architecture Group (TAG).
Deliverable Maintenance
The Interest Group anticipates maintaining its previously published deliverable:
Participation
Interest Group Participants ("Participants") are eligible participants of Partner Consortia and Invited Experts . All participants must follow the W3C Code of Ethics and Professional Conduct and W3C's Antitrust and Competition Guidance .
Participation in this Interest Group will not preclude or interfere with any collaboration (bi-lateral or multi-lateral) between any set of Participants under terms developed and agreed to outside the context of this Charter.
Each Partner Consortium will provide a registration mechanism for its eligible participants .
Founding Organizations
The Founding Organizations for this Interest Group are EMVCo , the FIDO Alliance , and W3C .
Partner Consortia
A Partner Consortium is either:
- A Founding Organization, or
- A <a href= "/2019/Process-20190301/#MemberConsortia"> Member Consortium that is invited by the Founding Organizations to participate, and that accepts the invitation. All Founding Organizations must support an invitation. Such an invitation is revoked when any Founding Organization no longer supports it. Each Founding Organization establishes its own internal process for reaching a decision to invite a Member Consortium to participate or revoke that invitation. A Member Consortium that seeks an invitation should contact the co-Chairs.
Participant Eligibility
Each Partner Consortium determines which people associated with the Partner Consortium are eligible to participate in this Interest Group. For the Founding Organizations:
- From W3C: W3C staff and <a href= "https://www.w3.org/2019/Process-20190301/#member-rep"> W3C Member representatives .
- From EMVCo: EMVCo staff and employees of any EMVCo Member. This does not include Associates and Subscribers. However, EMVCo staff may also invite an Associate or Subscriber to participate, in which case that organization's employees become eligible to participate in this Interest Group on behalf of that organization.
- From FIDO: FIDO staff and employees of any FIDO Member.
Each Member Consortium invited by the Founding Organizations must declare its participant eligibility policy prior to joining the group.
Invited Experts
From time to time, the Founding Organizations may invite individuals with expertise to participate who are not employees of a Partner Consortium or its Membership. These individuals, who must be invited with the unanimity of the Chairs, participate under the W3C Invited Expert and Collaborator Agreement and according to the <a href= "https://www.w3.org/2019/Process-20190301/#invited-expert-wg"> W3C Process for Invited Experts . These individuals must disclose employment affiliation when participating in W3C work.
Communication
The Founding Organizations operate under different confidentiality levels. To best accommodate diverse requirements, and because this Interest Group does not publish technical specifications, Participants generally communicate in non-public channels. By joining the Interest Group, all Participants agree to keep such information "non-public" according to terms specific to each Partner Consortium (e.g., W3C participants agree to keep the communications of this group <a href= "https://www.w3.org/2019/Process-20190301/#Member-only"> Member-only ).
This group primarily conducts its discussions on the non-public mailing list member-wpsig@w3.org ( archive ).
Non-public artifacts of the Interest Group must indicate the appropriate level of visibility for all the Partner Consortia.
Each Partner Consortium may archive and distribute non-public communications within its own membership (including participants in EMVCo programs, such as Associates and Subscribers).
In general, each Partner Consortium does not plan to share its own confidential materials with the other Partner Consortia. Participation in this group does not grant access to other non-public information outside of this group's activities.
Public Communications
From time to time and where there is consensus to do so, the Interest Group may make available public summaries or statements to keep the community apprised of its progress or suggestions.
From time to time (e.g., when seeking feedback on deliverables), this Interest Group collaborates with other groups that operate in public. After consultation with WPSIG participants, the Chairs can (and should) organize meetings with these groups where the proceedings are public. The agenda of any such meeting will state the confidentiality level.
Decision Policy
The Chairs of the Interest Group will pursue consensus decisions among the Participants for matters involving deliverables or group operations.
Copyright Licensing of Public Deliverables
This Interest Group will use the W3C Software and Document license for any material published with the <a href= "https://www.w3.org/2019/Process-20190301/#Consensus"> consensus of the Participants.
About this Charter
Each Founding Organization will determine the process by which it approves this charter.
Charter History
The following table lists details of all changes from the initial charter, per the W3C Process Document (section 5.2.3) :
| Charter Period | Start Date | End Date | Changes |
|---|---|---|---|
| Initial Charter | 17 April 2019 | 25 March 2021 | N/A |
| Rechartered | 25 March 2021 | 24 March 2021 | Minor clarifications; see diff from initial charter . |