IRC log of wpwg on 2017-05-02
Timestamps are in UTC.
- 15:29:11 [RRSAgent]
- RRSAgent has joined #wpwg
- 15:29:11 [RRSAgent]
- logging to http://www.w3.org/2017/05/02-wpwg-irc
- 15:29:15 [Zakim]
- Zakim has joined #wpwg
- 15:29:19 [Ian]
- Meeting: Tokenization Task Force
- 15:29:23 [Ian]
- Chair: Roy
- 15:29:26 [Ian]
- Scribe: Ian
- 15:31:04 [Ian]
- present+
- 15:31:07 [Ian]
- present+ Christian
- 15:31:09 [Ian]
- present+ Olivier
- 15:31:34 [Ian]
- present+ Stan
- 15:33:37 [Ian]
- present+ Roy
- 15:34:00 [Ian]
- regrets+ AdrianHB
- 15:35:39 [Ian]
- Topic: The project
- 15:35:49 [mweksler]
- mweksler has joined #wpwg
- 15:35:50 [Ian]
- Roy: What do we need to do to get the spec to a place where it is supported?
- 15:36:05 [Ian]
- oyiptong: We did get some feedback in Chicago
- 15:36:22 [Ian]
- ...next steps included the possibility of multiple payment method specs
- 15:36:25 [Ian]
- q+
- 15:36:38 [Ian]
- present+ Sachin
- 15:36:43 [Ian]
- present+ Manash
- 15:37:31 [Roy]
- Roy has joined #wpwg
- 15:37:37 [SachinAhuja]
- SachinAhuja has joined #wpwg
- 15:37:38 [Manash]
- Manash has joined #WPWG
- 15:38:03 [Ian]
- https://www.w3.org/2017/03/24-wpwg-minutes#item03
- 15:38:40 [Ian]
- IJ: what problems do we want to solve?
- 15:39:49 [Ian]
- Roy: My rendition of "what problem we want to solve": basic card is a bootstrapping mechanism. Where we want to go as an industry is toward tokenization
- 15:40:03 [oyiptong]
- q+
- 15:40:05 [Ian]
- ...so the purpose of the spec is to make it easier to do tokenized (card) payments
- 15:40:06 [Ian]
- ack me
- 15:40:12 [Ian]
- ack oy
- 15:40:45 [Ian]
- oyiptong: If I may, I know you just mentioned that gateway tokens might be too proprietary ... I would like for us to consider also creating a gateway token spec
- 15:40:46 [Ian]
- q?
- 15:41:09 [Manash]
- q+
- 15:41:19 [Ian]
- roy: It's not that we don't think it's valuable, but we think that the inputs/outputs are so different, we weren't sure how to produce a payment method spec
- 15:41:20 [Ian]
- ack man
- 15:41:48 [Ian]
- manash: MC joined W3C the week before last. Sachin and I will be representing MC in the task force and we're happy to be here.
- 15:42:16 [Ian]
- ..MC (as well as Visa, Amex) have been promoting tokenization in the market for some time. EMVCo's standard has been adopted by issuer banks, acquirers, merchants, and gateways
- 15:42:51 [Ian]
- ..there are different types of tokenization...there is card on file but also card on file on the merchant side
- 15:43:04 [Ian]
- ..you can generate cryptograms through cloud-based methods
- 15:43:08 [Ian]
- ..there are tokens on secure elements
- 15:43:12 [Ian]
- ..there are tokens in the cloud
- 15:43:29 [Ian]
- ...we should look at existing standards in the market
- 15:43:48 [Ian]
- ...we think that tokens are more secure (than PAN)
- 15:43:52 [Ian]
- ..and also liability shift is an important consideration
- 15:44:15 [Ian]
- ....we should also understand what should motivate merchants when they adopt tokenization
- 15:44:24 [oyiptong]
- q+
- 15:44:27 [Ian]
- ack oy
- 15:44:34 [Ian]
- q+ oyipton
- 15:44:45 [Ian]
- sachin: I need some clarity on the drivers on this
- 15:45:13 [Ian]
- Roy: Spec had been focused on issuer/network tokens
- 15:45:20 [Ian]
- Sachin: the conversation is around acceptance...
- 15:46:05 [Ian]
- ...suppose stripe starts accepting network/issuer token...doesn't that solve e.g., the Airbnb use case and liability issue is covered?
- 15:46:07 [Ian]
- oyiptong: Yes
- 15:46:27 [Ian]
- Michel: I think issuer tokens would work, they would require a different integration than the one we have today, which is not a small undertaking.
- 15:46:45 [Ian]
- ..where olivier was going earlier was to try to create a standard that would more closely describe what many merchants have today
- 15:46:53 [Ian]
- ..where they have someone like braintree or stripe they integrate with.
- 15:47:01 [Ian]
- ...and those are gateway tokens
- 15:47:26 [Ian]
- ...I think that there are many merchants that have integrations like that....they get a token that they use
- 15:47:47 [Ian]
- ..I take roy's point that there's a lot of proprietary information, but I think that there's room to create a standard to make integration easier
- 15:47:57 [Ian]
- Sachin: There is merit in that conversation. The construct is similar
- 15:48:07 [Ian]
- ...there is definitely room for standardization. ...but
- 15:48:22 [Ian]
- ..the merchant might need to recode their backend to the new standard
- 15:48:29 [Ian]
- ..or there's a data arbitrage that does the conversion
- 15:49:07 [Ian]
- oyiptong: Where is tokenization done? At issuer level or gateway level?
- 15:49:13 [Ian]
- ..I think it doesn't matter as long as there is one standard
- 15:49:24 [Ian]
- ..but I think we need to account for a transition period
- 15:49:42 [stan]
- stan has joined #wpwg
- 15:49:45 [Ian]
- ...there will still be knowledge needed to generate the tokens
- 15:49:55 [Ian]
- ..we could align ourselves with something that exists
- 15:50:52 [Ian]
- Sachin: We are calling both these things "tokens"...but they are fundamentally different
- 15:51:03 [Ian]
- ...PSP token is an identifier of data kept in the PSP's data store
- 15:51:21 [Ian]
- ..the issuer token is a cryptogram that is associated with a single-use transaction that can also provide a liability shift
- 15:51:41 [Ian]
- mweksler: Yes, they are different as described, but in their pattern of use they are not so different
- 15:51:51 [Ian]
- ...e.g., the user provides a PAN and the merchant gets a token
- 15:52:03 [Ian]
- ..they do have different characteristics
- 15:52:11 [Ian]
- ...but the distinction for user or merchant is less clear
- 15:52:22 [Ian]
- ..the way that the data is transmitted to the acquirer is very different
- 15:52:35 [Ian]
- 1) PSP token - the regular PAN is eventually transmitted
- 15:52:49 [Ian]
- 2) Gateway - Cryptogram is transmitted and PAN never leaves the vault.
- 15:53:14 [Ian]
- Manash: there is also additional data that is communicated
- 15:53:29 [Ian]
- ...the nature of tokens is different.
- 15:53:37 [Ian]
- mweksler: What are the differences?
- 15:53:56 [Ian]
- Sachin: It might help for us to have an overview session regarding network tokenization ... but before we do that:
- 15:54:16 [Ian]
- ..in the case of a network token, what we are generating is a cryptogram that goes in a specific field in the message sent to the acquirer.
- 15:54:21 [Ian]
- ..the funding PAN is never transmitted
- 15:54:53 [Ian]
- ..so there are big differences in what data is transmitted.
- 15:55:46 [Ian]
- Stan: I will take the voice of our users...I think of merchants and users speaking in terms of gateway tokens
- 15:55:56 [Ian]
- ..if they are happy users of their gateways, they don't want to switch
- 15:56:05 [Ian]
- ...at the end of the day, users/merchants really do want gateway tokens
- 15:56:26 [Ian]
- ..if we only come up with a standard that excludes gateway tokens, we will end up with client-side javascript libraries
- 15:56:44 [oyiptong]
- +1
- 15:56:49 [oyiptong]
- q+
- 15:56:50 [Ian]
- ..even if the w3c standard is used under the hood, stripe, braintree, etc. would have to use their own APIs
- 15:56:57 [Ian]
- ...in client-side libraries
- 15:57:03 [Ian]
- ..that's one argument for including gateway tokens
- 15:57:26 [Ian]
- sachin: I hear that ... want to understand a bit more
- 15:57:53 [Ian]
- ...suppose you have a merchant who is not PCI compliant..they will continue to use gateway tokens...and any issuer tokenization needs to be handled, it will be handled by the gateway (e.g., behind the scenes)
- 15:58:13 [Ian]
- mweksler: I think what's important to think about is from the user/merchant perspective...the fact that we are doing gateway or network does not look that different
- 15:58:17 [Ian]
- ..the merchant "does not care"
- 15:58:29 [Ian]
- ...of course the tokens are used differently and have different security properties
- 15:58:40 [Ian]
- ...but if you look at what the user and merchant see using the standard, they have a similar experience
- 15:58:46 [Ian]
- ...the user provides a PAN and out comes a token
- 15:58:54 [Ian]
- q?
- 15:59:03 [Ian]
- queue==oyiptong
- 15:59:19 [Ian]
- mweksler: If the differences are big we might end up with 2 standards....
- 15:59:26 [Ian]
- Sachin: I think the diffs are fundamentally large
- 15:59:40 [Ian]
- ..we can write down both types, or sequence diagrams to help
- 15:59:47 [Ian]
- ack oyiptong
- 16:00:00 [Ian]
- oyiptong: I want to add to michel / stan...i think there are current business needs met with gateway tokens
- 16:00:19 [Ian]
- ..vaults are important for recurring payments
- 16:00:39 [Ian]
- Sachin: Agreed. These are fundamentally different constructs
- 16:00:48 [Ian]
- ..I think the w3c need may be more toward gateway tokens
- 16:00:56 [Ian]
- ..and behind the scene activity may be different
- 16:01:22 [Ian]
- Topic: Next meeting
- 16:01:25 [Ian]
- 9 May
- 16:02:25 [Ian]
- Stan: I think the right spec should be a layering of network tokens and on top of that gateway tokens
- 16:02:45 [Ian]
- Sachin: I will take 2 actions
- 16:02:50 [oyiptong]
- q+
- 16:02:51 [Ian]
- 1) Present network token spec as an example
- 16:03:02 [Ian]
- 2) Sequence diagrams for both network and gateway
- 16:03:05 [Ian]
- ack oyiptong
- 16:03:21 [stan]
- stan has joined #wpwg
- 16:03:25 [Ian]
- oyiptong: It seems like the network and gateway tokens are orthogonal and we could come up with an abstraction
- 16:04:02 [Ian]
- IJ: Maybe we start thinking about things as layers
- 16:04:12 [Ian]
- RRSAGENT, make minutes
- 16:04:12 [RRSAgent]
- I have made the request to generate http://www.w3.org/2017/05/02-wpwg-minutes.html Ian
- 16:07:20 [Ian]
- RRSAgent, set logs public
- 16:39:34 [hober]
- hober has joined #wpwg
- 17:27:17 [cweiss]
- cweiss has joined #wpwg
- 17:50:23 [Ian]
- rrsagent, bye
- 17:50:23 [RRSAgent]
- I see no action items