IRC log of wpay on 2017-02-24

Timestamps are in UTC.

13:53:24 [RRSAgent]
RRSAgent has joined #wpay
13:53:24 [RRSAgent]
logging to http://www.w3.org/2017/02/24-wpay-irc
13:53:26 [trackbot]
RRSAgent, make logs 413
13:53:26 [Zakim]
Zakim has joined #wpay
13:53:28 [trackbot]
Zakim, this will be
13:53:28 [Zakim]
I don't understand 'this will be', trackbot
13:53:29 [trackbot]
Meeting: Web Payments Interest Group Teleconference
13:53:29 [trackbot]
Date: 24 February 2017
13:53:37 [Ian]
Meeting: Vision Task Force
13:53:39 [Ian]
Chair: Ian
13:53:57 [Ian]
agenda: https://lists.w3.org/Archives/Public/public-webpayments-ig/2017Feb/0036.html
13:57:58 [todd_a]
todd_a has joined #wpay
13:59:03 [adam]
what is the access code?
14:00:06 [manu]
phone: 16173240000 code: 646665346
14:00:20 [Ian]
present+
14:00:23 [Ian]
present+ Todd
14:00:43 [manu]
present+ Manu
14:00:45 [dezell]
dezell has joined #wpay
14:01:56 [Ian]
present+ Adam
14:02:00 [adam]
present+ Adam
14:02:08 [Ian]
zakim, who's here?
14:02:08 [Zakim]
Present: Ian, Todd, Manu, Adam
14:02:10 [Zakim]
On IRC I see dezell, todd_a, Zakim, RRSAgent, canton, ShaneM, Ian, trackbot, ted, dlehn, dveditz, Dongwoo, mkwst, nicktr, AdrianHB, cwilso, adam, schuki, manu, dlongley, csarven
14:02:13 [Ian]
regrets+ Jeff
14:02:58 [dezell]
Present+ dezell
14:03:08 [Ian]
=> https://lists.w3.org/Archives/Public/public-webpayments-ig/2017Feb/0036.html
14:04:34 [Ian]
regrets+ Ken
14:04:51 [Ian]
regrets- Ken
14:04:53 [Ian]
present+ Ken
14:05:49 [Ian]
Topic: Ken presentation continued
14:06:11 [Ian]
Last week's discussion => https://www.w3.org/2017/02/17-wpay-minutes#item02
14:06:52 [Ian]
scribe: Ian
14:07:09 [Ian]
Ken: If this topic ends up on FTF agenda I will prepare slides for that meeting
14:10:08 [Ian]
Ken: Last time I focused on how important EMV is in the payments industry
14:10:32 [Ian]
...and in the US there's a technology migration....that typically causes fraud to move to where there is less security, e.g. online payments
14:10:59 [Ian]
...we focus on security as a pre-emptive measure but also analyze breaches that have occurred
14:11:18 [Ian]
...e.g., home depot (56M cards impacted)
14:11:30 [Ian]
...estimated $70M cost (+ brand damage)
14:11:50 [Ian]
..JP Morgan Chase 76M cards + personal
14:12:02 [Ian]
....estimated remediation cost $250M
14:12:11 [Ian]
....Target 40M card accounts....248M remediation
14:12:20 [Ian]
...Sony playstation 100M customer accounts impacted
14:12:40 [Ian]
...they suffered a second breach in 2014...cost of remediation was $38M
14:13:09 [Ian]
...our risk and security teams look closely at what happened, trends, etc.
14:13:30 [Ian]
...we believe security should be handled collaboratively
14:13:46 [Ian]
...US office of personnel management suffered breach - 18M US gov employee records lost
14:13:59 [Ian]
...remediation cost estimate $133M
14:14:06 [Ian]
....US Postal breached, ....
14:14:24 [Ian]
....New York Atty General reported 22-23M records in a breach
14:14:39 [Ian]
...for us these are big breaches from a cost and brand perspective
14:15:01 [Ian]
...the size and scale is tremendous, the cost of remediation is high and can take years to recover from damage
14:15:09 [Ian]
...CF the Gemalto incident report
14:15:26 [Ian]
http://www.gemalto.com/brochures-site/download-site/Documents/ent-Breach_Level_Index_Annual_Report_2015.pdf
14:15:39 [Ian]
...relevant to w3c because (1) standards are global
14:15:57 [Ian]
...the disparity in NA compared to other regions
14:16:16 [Ian]
...e.g., 76% of incidents allocated to NA, 12% to Europe, Asia 8%, ...
14:16:46 [Ian]
...I'm sharing this information to convey the importance of the topic, and some Amex perspective
14:17:17 [manu]
q+
14:17:20 [Ian]
...Jeff asked last week - how and why do we think it's relevant to the WPIG and not just the security WGs at w3c?
14:17:20 [manu]
q-
14:18:14 [Ian]
Manu: Thank you for the helpful background information. I'm interested to know whether there are any ideas for specific things the group can work on
14:18:43 [Ian]
...e.g., if there are tokenization requirements
14:19:43 [dezell]
q+
14:19:57 [Ian]
Ken: I'm going to speak more to the opportunities (even if myopic) and that can foster discussion to get to the question of what specs might be worked on
14:20:16 [Ian]
Ken: One question is "does it have to be part of the spec"
14:20:48 [Ian]
Ken: My security team asked "who is involved in the spec development who has security expertise?"
14:20:53 [dezell]
q-
14:21:00 [Ian]
...I couldn't answer the question
14:21:44 [Ian]
...the other thing that I think is relevant to the merchant adoption strategy task force - are there security issues that might hinder adoption? E.g., related to PCI compliance
14:22:06 [Ian]
...PCI is the bare minimum of what we encourage (or mandate) merchants
14:22:13 [Ian]
...and our mutual clients
14:22:20 [Ian]
Ken: Does it have to be part of the spec and why?
14:22:27 [Ian]
...we came at this question from 2 perspectives
14:22:41 [Ian]
...when our security team looked several months ago at the specs, what they didn't see in the specs
14:22:53 [Ian]
..was, within the protocol, to ensure that certain data elements were called out so that our issuers
14:23:09 [Ian]
...(banks, etc.) receive the information they need to take a risk based approach
14:23:19 [Ian]
...from a security perspective, we look at things from a risk-based approach
14:23:36 [Ian]
...the reason that we think data is so important is that our issuers look at it, and make decisions according to criteria
14:23:56 [Ian]
...some criteria may also be region-sensitive
14:24:11 [Ian]
...e.g., size of payment may trigger an action differently in different regions
14:24:20 [Ian]
...if geolocation information unavailable, then they might look at other data
14:24:38 [Ian]
...we look at credit risk and security risk.
14:24:50 [Ian]
...one thing the security team thought was to give rigor to the IDMV process
14:25:18 [Ian]
...e.g., we might come up with requirements for ANY payment app to help people make risk assessment
14:25:30 [Ian]
..if that information is not available, then other forms of verification might be helpful
14:26:05 [Ian]
..we want to streamline checkout but are also mindful that data may be required by payment app owner to make a risk-based decision
14:26:37 [Ian]
...there are also opportunities for payment app distributor to return to merchant for additional information
14:27:08 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/02/24-wpay-minutes.html Ian
14:29:41 [manu]
q+ to note that DB has been frustrated with the lack of security thinking in the current work. Risk-based adds complexity, how can we automatically protect implementers via adoption? When you implement X, you are protected in ways X, Y, and Z from data breaches. HTTPS Everywhere is a good example.
14:29:45 [Ian]
...another recommendation is to collaborate with PCI early to get a security review
14:29:47 [dezell]
q+
14:29:53 [Ian]
ack d
14:30:07 [Ian]
dezell: +1 to Ken's remarks
14:30:27 [Ian]
...I am anxious to figure out how to turn this topic into an interesting problem for W3C to engage with
14:32:12 [Ian]
...harvesting ISO 20022 security info may be helpful
14:33:17 [Ian]
Ken: EC just came out with a new CDM mandate
14:33:19 [dezell]
q+ to recommend one more point I left out...
14:33:47 [Ian]
...my preference is to use a light hand initially - we don't want to slow down the work that's being done; just want to incorporate other considerations early (from security + regulatory perspectives)
14:33:55 [Ian]
ack man
14:33:55 [Zakim]
manu, you wanted to note that DB has been frustrated with the lack of security thinking in the current work. Risk-based adds complexity, how can we automatically protect
14:33:58 [Zakim]
... implementers via adoption? When you implement X, you are protected in ways X, Y, and Z from data breaches. HTTPS Everywhere is a good example.
14:34:20 [Ian]
manu: Digital bazaar has been frustrated by lack of security thinking in the current work
14:34:54 [Ian]
...risk based analysis is good but one down side is that it provides too many options for people deploying payment apps
14:35:48 [Ian]
...the easiest path for a payment app today is PAN in the clear; there was a good reason to do that, but it also puts payment apps in full PCI scope
14:36:05 [Ian]
...tokenized specs are in development
14:36:16 [Ian]
..but it's not clear to me that the group is taking the full end-to-end security of tokenization into account
14:36:54 [Ian]
..it's fine if the specs we work on, but if it's not the easiest way, then it may not be implemented
14:37:21 [Ian]
...it took many years for HTTPS everywhere; but that's just a basic layer of security that the web is moving towards
14:37:53 [Ian]
...right now we are not on the path of promoting end-to-end security easily
14:38:00 [Ian]
q+
14:38:22 [Ian]
...I'd like W3C to push ecosystem towards path of security end-to-end
14:39:17 [Ian]
Ken: I have two thoughts (1) there are trade-offs between usability and security...
14:39:33 [Ian]
...but the flip side of it is "what can we do proactively to stimulate merchant adoption?"
14:39:41 [Ian]
..what will be initial hurdles we need to overcome?
14:41:17 [Ian]
q?
14:41:28 [manu]
+1 - that's a very solid strategy! Involve PCI from day one.
14:41:40 [Ian]
ack de
14:41:40 [Zakim]
dezell, you wanted to recommend one more point I left out...
14:42:13 [Ian]
dezell: +1 to security considerations early
14:42:44 [Ian]
ack me
14:43:09 [adam]
yes, get PCI involved. Are they currently participating at W3C?
14:43:23 [manu]
Ian: I wanted to support looking at security topics closely, collaborating with PCI, but also indicate that security has not been neglected during the process. A number of features and discussions could be pointed to.
14:43:54 [manu]
Ian: We are moving in the direction of more security. I wouldn't dismiss those efforts to create a secure ecosystem and ensure that payment apps are authorized by proprietary payment mechanisms.
14:44:20 [manu]
Ian: Further analysis of ecosystem and finding out what the critical features are sounds like a very healthy exercise. We should do that sort of gap analysis.
14:45:08 [manu]
Ian: Where are the next spaces where we should provide improved technology to do secure end-to-end payments. Building on the work that's been done, bringing in the ideas of other organizations, and determining whether there is Web-wide security needs, or more specific ones.
14:45:28 [Ian]
Ken: My security team is happy to join a call to share their perspectives on how they look at security.
14:45:31 [Ian]
q?
14:45:39 [Ian]
Topic: IG FTF
14:46:00 [manu]
Ian: I'd like people to be able to leave this call with a sense of what they need to prepare for wrt. face-to-face meeting.
14:46:09 [manu]
Ian: What are the topics we're going to cover, what are the deliverables we'd like to see.
14:46:29 [manu]
Ian: We have four main topics that we'd like to discuss in the forum - automotive, security, wallets, and digital receipts.
14:47:17 [manu]
Ian: Based on wallets, the topic is most closely tied to digital offers and we try to tie that into Digital Offers discussion.
14:48:03 [Ken]
Ken has joined #wpay
14:48:20 [manu]
Ian: This is largely about integration of digital offers, digital offers discussion - piece that has to do w/ integration is a project, unearth specific requirements. That discussion on its own can happen in digital offers space. It's about articulating use cases tied to digital offers. In the context of payments/search.
14:49:07 [Ian]
Manu: I don't know if I can get through all the content and do the demo in 30 minutes
14:49:20 [Ian]
(25)
14:49:25 [manu]
Ian: Assigning another half hour would be difficult, bulk of it is about digital offers...
14:50:07 [dezell]
q+
14:50:16 [Ian]
https://www.w3.org/community/digitaloffers/wiki/Discussion_Topics
14:51:51 [manu]
Ian: We could condense the presentation in the Digital Offers discussion...
14:51:51 [Ian]
Manu: next step is how to schedule time in the digital offers portion
14:52:04 [Ian]
dezell: We are still working on the digital offers session
14:52:15 [Ian]
https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_Mar2017
14:53:05 [manu]
Ian: Digital Offers agenda is still being fleshed out.... if 1.5 hours, including demo, isn't enough, we could take another 30 minutes.
14:53:34 [manu]
Ian: I'm leery about manu doing 30 minutes that is not integrated into very similar use cases in Digital Offers CG.
14:54:20 [manu]
Ian: It's cool if the demo highlights missing pieces of Web Architecture, but in addition to that, to have another half hour that's going to be duplicative of the digital offers conversation, that's not good.
14:55:06 [Ian]
ACTION: David to work with Manu and Linda to flesh out the digital offers agenda and determine whether 2 hours is needed rather than 1.5
14:55:06 [trackbot]
'David' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., dbaron, dezell2, djackso3, dlehn, dmnicol, dsinger2).
14:55:57 [manu]
Ian: Second topic to go over is Automotive, it should be part of our agenda...
14:56:01 [Ian]
PROPOSED: Digital offers integrated into digital offers session
14:56:15 [Ian]
PROPOSED: Ted Guild to present automotive proposal at IG FTF meeting
14:56:46 [manu]
Ian: I continue to hear a growing number of automotive use cases, number of auto companies doing work at W3C is growing, we've had conversations with them in the past, they still want to move this forward.
14:56:58 [manu]
+1 to include automotive
14:57:09 [Ian]
dezell: +1
14:57:24 [manu]
+1 to include Ken's security discussion
14:57:36 [dezell]
+1 to security
14:57:38 [adam]
+1
14:57:45 [todd_a]
+1
14:57:47 [Ian]
+1
14:58:17 [manu]
+1 for digital receipts - understanding how the ecosystem works.
14:58:28 [dezell]
+1 for working to revise
14:58:41 [manu]
how do you provide endpoint for storage, and send to endpoint.
14:59:20 [manu]
I can offer to help on digital receipts because it's important to Digital Bazaar. Adam may be looking into it.
15:00:41 [manu]
q+ to outline the problem.
15:00:47 [manu]
q-
15:01:06 [manu]
q+ to outline the problem - how does a digital wallet store a digital receipt? What's the interaction look like?
15:01:53 [Ian]
IJ: I have not understood what the problem is yet.
15:02:04 [Ian]
dezell: I have been working on a list of benefits.
15:02:30 [Ian]
IJ: What is preventing us from achieving those benefits today?
15:02:43 [Ian]
dezell: We don't have a single way of doing it
15:03:03 [Ian]
IJ: I am not convinced that consistency of receipt format is not the main problem (or one for W3C to address)
15:03:06 [Ian]
ack manu
15:03:06 [Zakim]
manu, you wanted to outline the problem - how does a digital wallet store a digital receipt? What's the interaction look like?
15:03:13 [Ian]
ack dezell
15:03:20 [Ian]
manu: +1 to digital receipt format. We want to be able to store them.
15:03:30 [Ian]
..right now we have no idea how merchant gets receipt to customer
15:03:46 [Ian]
Ian: Strongly +1 to consideration of the protocol to get merchant receipt to user payment app
15:05:02 [manu]
Ian: I am interested in the digital receipt storage solution
15:05:16 [dezell]
Note that "format" is not the same as content.
15:05:35 [manu]
rrsagent, make minutes
15:05:35 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/02/24-wpay-minutes.html manu
15:05:45 [Ian]
RRSAgent, set logs public
17:05:35 [Zakim]
Zakim has left #wpay
23:09:05 [nicktr]
nicktr has joined #wpay