13:53:24 logging to http://www.w3.org/2017/02/24-wpay-irc
13:53:26 RRSAgent, make logs 413
13:53:29 Meeting: Web Payments Interest Group Teleconference
13:53:29 Date: 24 February 2017
13:53:37 Meeting: Vision Task Force
13:53:39 Chair: Ian
13:53:57 agenda: https://lists.w3.org/Archives/Public/public-webpayments-ig/2017Feb/0036.html
13:59:03 what is the access code?
14:00:06 phone: 16173240000 code: 646665346
14:00:20 present+
14:00:23 present+ Todd
14:00:43 present+ Manu
14:01:56 present+ Adam
14:02:00 present+ Adam
14:02:08 zakim, who's here?
14:02:08 Present: Ian, Todd, Manu, Adam
14:02:10 On IRC I see dezell, todd_a, Zakim, RRSAgent, canton, ShaneM, Ian, trackbot, ted, dlehn, dveditz, Dongwoo, mkwst, nicktr, AdrianHB, cwilso, adam, schuki, manu, dlongley, csarven
14:02:13 regrets+ Jeff
14:02:58 Present+ dezell
14:03:08 => https://lists.w3.org/Archives/Public/public-webpayments-ig/2017Feb/0036.html
14:04:34 regrets+ Ken
14:04:51 regrets- Ken
14:04:53 present+ Ken
14:05:49 Topic: Ken presentation continued
14:06:11 Last week's discussion => https://www.w3.org/2017/02/17-wpay-minutes#item02
14:06:52 scribe: Ian
14:07:09 Ken: If this topic ends up on FTF agenda I will prepare slides for that meeting
14:10:08 Ken: Last time I focused on how important EMV is in the payments industry
14:10:32 ...and in the US there's a technology migration....that typically causes fraud to move to where there is less security, e.g.
online payments
14:10:59 ...we focus on security as a pre-emptive measure but also analyze breaches that have occurred
14:11:18 ...e.g., Home Depot (56M cards impacted)
14:11:30 ...estimated $70M cost (+ brand damage)
14:11:50 ...JP Morgan Chase 76M cards + personal
14:12:02 ...estimated remediation cost $250M
14:12:11 ...Target 40M card accounts....248M remediation
14:12:20 ...Sony PlayStation 100M customer accounts impacted
14:12:40 ...they suffered a second breach in 2014...cost of remediation was $38M
14:13:09 ...our risk and security teams look closely at what happened, trends, etc.
14:13:30 ...we believe security should be handled collaboratively
14:13:46 ...US Office of Personnel Management suffered breach - 18M US gov employee records lost
14:13:59 ...remediation cost estimate $133M
14:14:06 ...US Postal breached, ....
14:14:24 ...New York Atty General reported 22-23M records in a breach
14:14:39 ...for us these are big breaches from a cost and brand perspective
14:15:01 ...the size and scale is tremendous, the cost of remediation is high and can take years to recover from damage
14:15:09 ...cf. the Gemalto incident report
14:15:26 http://www.gemalto.com/brochures-site/download-site/Documents/ent-Breach_Level_Index_Annual_Report_2015.pdf
14:15:39 ...relevant to W3C because (1) standards are global
14:15:57 ...the disparity in NA compared to other regions
14:16:16 ...e.g., 76% of incidents allocated to NA, 12% to Europe, Asia 8%, ...
14:16:46 ...I'm sharing this information to convey the importance of the topic, and some Amex perspective
14:17:17 q+
14:17:20 ...Jeff asked last week - how and why do we think it's relevant to the WPIG and not just the security WGs at W3C?
14:17:20 q-
14:18:14 Manu: Thank you for the helpful background information.
I'm interested to know whether there are any ideas for specific things the group can work on
14:18:43 ...e.g., if there are tokenization requirements
14:19:43 q+
14:19:57 Ken: I'm going to speak more to the opportunities (even if myopic) and that can foster discussion to get to the question of what specs might be worked on
14:20:16 Ken: One question is "does it have to be part of the spec"
14:20:48 Ken: My security team asked "who is involved in the spec development who has security expertise?"
14:20:53 q-
14:21:00 ...I couldn't answer the question
14:21:44 ...the other thing that I think is relevant to the merchant adoption strategy task force - are there security issues that might hinder adoption? E.g., related to PCI compliance
14:22:06 ...PCI is the bare minimum of what we encourage (or mandate) merchants
14:22:13 ...and our mutual clients
14:22:20 Ken: Does it have to be part of the spec and why?
14:22:27 ...we came at this question from 2 perspectives
14:22:41 ...when our security team looked several months ago at the specs, what they didn't see in the specs
14:22:53 ...was, within the protocol, to ensure that certain data elements were called out so that our issuers
14:23:09 ...(banks, etc.) receive the information they need to take a risk-based approach
14:23:19 ...from a security perspective, we look at things from a risk-based approach
14:23:36 ...the reason that we think data is so important is that our issuers look at it, and make decisions according to criteria
14:23:56 ...some criteria may also be region-sensitive
14:24:11 ...e.g., size of payment may trigger an action differently in different regions
14:24:20 ...if geolocation information unavailable, then they might look at other data
14:24:38 ...we look at credit risk and security risk.
14:24:50 ...one thing the security team thought was to give rigor to the IDMV process
14:25:18 ...e.g., we might come up with requirements for ANY payment app to help people make risk assessment
14:25:30 ...if that information is not available, then other forms of verification might be helpful
14:26:05 ...we want to streamline checkout but are also mindful that data may be required by payment app owner to make a risk-based decision
14:26:37 ...there are also opportunities for payment app distributor to return to merchant for additional information
14:27:08 I have made the request to generate http://www.w3.org/2017/02/24-wpay-minutes.html Ian
14:29:41 q+ to note that DB has been frustrated with the lack of security thinking in the current work. Risk-based adds complexity, how can we automatically protect implementers via adoption? When you implement X, you are protected in ways X, Y, and Z from data breaches. HTTPS Everywhere is a good example.
14:29:45 ...another recommendation is to collaborate with PCI early to get a security review
14:29:47 q+
14:29:53 ack d
14:30:07 dezell: +1 to Ken's remarks
14:30:27 ...I am anxious to figure out how to turn this topic into an interesting problem for W3C to engage with
14:32:12 ...harvesting ISO 20022 security info may be helpful
14:33:17 Ken: EC just came out with a new CDM mandate
14:33:19 q+ to recommend one more point I left out...
14:33:47 ...my preference is to use a light hand initially - we don't want to slow down the work that's being done; just want to incorporate other considerations early (from security + regulatory perspectives)
14:33:55 ack man
14:33:55 manu, you wanted to note that DB has been frustrated with the lack of security thinking in the current work. Risk-based adds complexity, how can we automatically protect
14:33:58 ... implementers via adoption? When you implement X, you are protected in ways X, Y, and Z from data breaches. HTTPS Everywhere is a good example.
14:34:20 manu: Digital Bazaar has been frustrated by lack of security thinking in the current work
14:34:54 ...risk-based analysis is good but one downside is that it provides too many options for people deploying payment apps
14:35:48 ...the easiest path for a payment app today is PAN in the clear; there was a good reason to do that, but it also puts payment apps in full PCI scope
14:36:05 ...tokenized specs are in development
14:36:16 ...but it's not clear to me that the group is taking the full end-to-end security of tokenization into account
14:36:54 ...it's fine if the specs we work on, but if it's not the easiest way, then it may not be implemented
14:37:21 ...it took many years for HTTPS Everywhere; but that's just a basic layer of security that the web is moving towards
14:37:53 ...right now we are not on the path of promoting end-to-end security easily
14:38:00 q+
14:38:22 ...I'd like W3C to push ecosystem towards path of security end-to-end
14:39:17 Ken: I have two thoughts (1) there are trade-offs between usability and security...
14:39:33 ...but the flip side of it is "what can we do proactively to stimulate merchant adoption?"
14:39:41 ...what will be initial hurdles we need to overcome?
14:41:17 q?
14:41:28 +1 - that's a very solid strategy! Involve PCI from day one.
14:41:40 ack de
14:41:40 dezell, you wanted to recommend one more point I left out...
14:42:13 dezell: +1 to security considerations early
14:42:44 ack me
14:43:09 yes, get PCI involved. Are they currently participating at W3C?
14:43:23 Ian: I wanted to support looking at security topics closely, collaborating with PCI, but also indicate that security has not been neglected during the process. A number of features and discussions could be pointed to.
14:43:54 Ian: We are moving in the direction of more security. I wouldn't dismiss those efforts to create a secure ecosystem and ensure that payment apps are authorized by proprietary payment mechanisms.
14:44:20 Ian: Further analysis of ecosystem and finding out what the critical features are sounds like a very healthy exercise. We should do that sort of gap analysis.
14:45:08 Ian: Where are the next spaces where we should provide improved technology to do secure end-to-end payments. Building on the work that's been done, bringing in the ideas of other organizations, and determining whether there are Web-wide security needs, or more specific ones.
14:45:28 Ken: My security team is happy to join a call to share their perspectives on how they look at security.
14:45:31 q?
14:45:39 Topic: IG FTF
14:46:00 Ian: I'd like people to be able to leave this call with a sense of what they need to prepare for wrt. face-to-face meeting.
14:46:09 Ian: What are the topics we're going to cover, what are the deliverables we'd like to see.
14:46:29 Ian: We have four main topics that we'd like to discuss in the forum - automotive, security, wallets, and digital receipts.
14:47:17 Ian: Based on wallets, the topic is most closely tied to digital offers and we try to tie that into Digital Offers discussion.
14:48:20 Ian: This is largely about integration of digital offers, digital offers discussion - piece that has to do w/ integration is a project, unearth specific requirements. That discussion on its own can happen in digital offers space. It's about articulating use cases tied to digital offers. In the context of payments/search.
14:49:07 Manu: I don't know if I can get through all the content and do the demo in 30 minutes
14:49:20 (25)
14:49:25 Ian: Assigning another half hour would be difficult, bulk of it is about digital offers...
14:50:07 q+
14:50:16 https://www.w3.org/community/digitaloffers/wiki/Discussion_Topics
14:51:51 Ian: We could condense the presentation in the Digital Offers discussion...
14:51:51 Manu: next step is how to schedule time in the digital offers portion
14:52:04 dezell: We are still working on the digital offers session
14:52:15 https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_Mar2017
14:53:05 Ian: Digital Offers agenda is still being fleshed out.... if 1.5 hours, including demo, isn't enough, we could take another 30 minutes.
14:53:34 Ian: I'm leery about manu doing 30 minutes that is not integrated into very similar use cases in Digital Offers CG.
14:54:20 Ian: It's cool if the demo highlights missing pieces of Web Architecture, but in addition to that, to have another half hour that's going to be duplicative of the digital offers conversation, that's not good.
14:55:06 ACTION: David to work with Manu and Linda to flesh out the digital offers agenda and determine whether 2 hours is needed rather than 1.5
14:55:06 'David' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., dbaron, dezell2, djackso3, dlehn, dmnicol, dsinger2).
14:55:57 Ian: Second topic to go over is Automotive, it should be part of our agenda...
14:56:01 PROPOSED: Digital offers integrated into digital offers session
14:56:15 PROPOSED: Ted Guild to present automotive proposal at IG FTF meeting
14:56:46 Ian: I continue to hear a growing number of automotive use cases, number of auto companies doing work at W3C is growing, we've had conversations with them in the past, they still want to move this forward.
14:56:58 +1 to include automotive
14:57:09 dezell: +1
14:57:24 +1 to include Ken's security discussion
14:57:36 +1 to security
14:57:38 +1
14:57:45 +1
14:57:47 +1
14:58:17 +1 for digital receipts - understanding how the ecosystem works.
14:58:28 +1 for working to revise
14:58:41 how do you provide endpoint for storage, and send to endpoint.
14:59:20 I can offer to help on digital receipts because it's important to Digital Bazaar. Adam may be looking into it.
15:00:41 q+ to outline the problem.
15:00:47 q-
15:01:06 q+ to outline the problem - how does a digital wallet store a digital receipt? What's the interaction look like?
15:01:53 IJ: I have not understood what the problem is yet.
15:02:04 dezell: I have been working on a list of benefits.
15:02:30 IJ: What is preventing us from achieving those benefits today?
15:02:43 dezell: We don't have a single way of doing it
15:03:03 IJ: I am not convinced that consistency of receipt format is not the main problem (or one for W3C to address)
15:03:06 ack manu
15:03:06 manu, you wanted to outline the problem - how does a digital wallet store a digital receipt? What's the interaction look like?
15:03:13 ack dezell
15:03:20 manu: +1 to digital receipt format. We want to be able to store them.
15:03:30 ...right now we have no idea how merchant gets receipt to customer
15:03:46 Ian: Strongly +1 to consideration of the protocol to get merchant receipt to user payment app
15:05:02 Ian: I am interested in the digital receipt storage solution
15:05:16 Note that "format" is not the same as content.
15:05:35 rrsagent, make minutes
15:05:35 I have made the request to generate http://www.w3.org/2017/02/24-wpay-minutes.html manu
15:05:45 RRSAgent, set logs public