W3C

Web Payments Interest Group Teleconference

08 May 2017

Agenda

See also: IRC log

Attendees

Present
Manu, dlongley, dezell, Ian, Katie, Ken, Brian, MarkT, Adam, Erik
Regrets
Chair
dezell
Scribe
Ian, manu

Contents

<Ian> Scribe: Ian

Agenda

Automotive

<manu> Ian: Some of the people that have been involved in the Automotive BG have started to have a discussion on use cases.

<manu> scribe: manu

<Ian> Fuel pump use case => https://www.w3.org/Payments/IG/wiki/Automotive/UseCase_PayAtPump

Ian: I have turned some of that private conversation into this wiki page.
... This is not quite there yet, but raises the question on how to use Web technology to streamline pay at pump scenario.
... There are sections in the document where we talk about requirements from individuals, that's mostly what we've been doing. I anticipate that we'll have a chat w/ them on Thursday.

<Zakim> manu, you wanted to mention his discussion w/ John Carrier at Conexxus.

Ian: I wanted to point folks at this use case, I may know more after this Thursday.

<Ian> Manu: I chatted with John Carrier at the Conexxus conf two weeks ago. We had a good discussion about automotive use cases. He showed us some of the work he has done at Shell.

<Ian> ..it basically has to do with a mobile app that does pay at pump stuff.

<Ian> ...I mention this because we have also had other conversations with people at Conexxus.

<Ian> ..it's beyond automotive to retail

Ian: One quick note - this problem is generalizable to proximity payments. We may get there... but want to treat this as an automotive one since those are the folks that are driving it. It very well may become vending machines, or other scenarios like that. I sense the same thing that you're talking about, but don't want to generalize too soon.

<Ian> dezell: Membership in the BG? How does that work?

DavidE: Quick question - membership in the BG - what does that entail? Is that open to CG folks, or is it something more focused?

Ian: BGs differ from CGs in that BGs require membership of some kind.
... There are a small number of BGs, if you are a W3C member, you can participate in a BG at no additional cost.

<Ian> dezell: I also spoke with JohnC about the use case...brings together various ideas like payment selections / wallet

DavidE: I spent some time with John Carrier, it's a coming together of ideas in payments - payment selection, wallet, and ins/out of doing fuel on forecourt. This is the main reason W3C should care about it - sheer number of dollars involved in these transactions... yearly basis, airline tickets and fuel in car are biggest ticket items. Important to be in that stream.
... I don't want to discuss that use case right now, but it's a very important one. I invite all IG members to take a look at that, if you have an interest. There is a lot to know there.
... Ian, have you talked w/ John about how to edit that page?

Ian: I have, they're in the IG, that makes that easy. Life will become more challenging once it becomes a TF.

<Ian> http://www.nacsonline.com/Media/Press_Releases/2016/Pages/PR092816.aspx

Brian: I spoke w/ John about the Automotive use case - there is a solution for this - Mobile Today - mobile device that talks to a cloud-based payment provider, standard in Conexxus that defines how site can communicate to provider - products available at pump, standard also includes ability to control pump equipment - largely already in place.
... Seems like lots of these problems are solved.

Ian: Great, please go edit the wiki - to be clear - we don't want to reinvent the wheel... my assumption is that solutions to date are proprietary?

Brian: The application to the payment host is proprietary - that's where this group could do some work. As far as cloud service to pump, that standard is in place.

<Ian> IJ: Please help drive the conversation by helping us understand where we can add value, and where standards exist.

Ian: Please jump into the wiki and help determine what direction the work should take, let us know what already exists.

DavidE: What Conexxus has done in mobile is very much like what a walled garden looks like - you exist in someone's world. We want to open it up to the general web.

<Ian> manu: The way this happens today is through proprietary apps; the part where W3C can help is not the backend protocols

<Ian> ...it's in the higher level / app level

<Ian> ...I think what W3C would do would be complementary to Conexxus work

<Ian> ...or other standards (e.g., GS1)

Ian: It's not a 1-to-1 swap, we ask the question: what can we gain by using the Web? One of the requirements that I've listed is that I should be able to pay for gas w/o installing a proprietary app.
... Some of today's solutions require me to enter and store data w/ gas merchant so that the merchant can re-use credentials and I use a streamlined experience. With PaymentRequest, that's no longer going to be required for payments.
... There are interop gains possible, that's what the discussion is about.

Digital Receipts

DavidE: Ian has started a discussion here on Digital Receipts = https://github.com/w3c/webpayments-payment-handler/issues/143

<Ian> https://github.com/w3c/webpayments-payment-handler/issues/143

Ian: One of the things that we talked about at WPIG F2F - the concept was raised about whether or not we want a post payment communication mechanism.
... This was just the start of an idea - we currently don't have a mechanism for doing "after the fact" information delivery ... like what we'd need for digital receipts.
... I put an idea out there and had Matt, Adrian, and Manu provide feedback... they didn't agree with the proposal, so I may let that issue stay there and not work on it further.
... Are digital receipts actually interesting? That's where I am, looking for feedback.

<Zakim> manu, you wanted to clarify what he was saying.

<Ian> Manu: Clarification - digital receipts are interesting. The pushback was on the specifics of the thread to return receipts through the browser

<Zakim> manu, you wanted to clarify on "API"

<Ian> IJ: I don't have an Api proposal; I was only talking about payment handler identity needs in case we have a return of data.

<Ian> Manu: People seem to agree that you need an endpoint where to send the digital receipt. And that endpoint needs to be established during PR API

<Ian> ...the question is "how do you get the receipt back to the app"

<Ian> ...the thread talked about a browser API, but Digital Bazaar does not think it should be a browser API

<Ian> ...so I think:

<Ian> a) We have agreement digital receipts are important

<Ian> b) How do we identify endpoints; I think we agree on that

<Ian> c) How receipt is delivered; I don't think we have agreement there yet.

<Ian> dezell: Please note interest from Alibaba and US Fed on digital receipts (but they are not on the call today)

DavidE: This is more of a "what if" - if we deliver these through a backchannel, we may want a specific mimetype to say it's a receipt? I also want to mention that we have two members that have extreme interest - Todd Albers, US Fed and Max - Alibaba.
... In systems in use today - receipts are useful for "intent". I think objections weren't to the idea, it was just that there were items that people found concerning.

Ian: I don't think I'll have bandwidth to drive this work - I had a particular topic from payment handler API perspective - overall, I think we need a champion around digital receipts. I won't scale to cover that in addition to other topics.
... ideally, we'd spread out activities beyond usual suspects.
... Any volunteers to pick up Digital Receipts?

DavidE: Both Max and Todd may be willing to do this, but they may need some help.
... I'm willing to carry this if we have the right person...
... The requirements for this are broad.

Ian: Max has stepped up to co-chair this group, we should see if he can help drive this. We will chat w/ him on Wednesday.

DavidE: Anything else on digital receipts.

<Ian> Manu: One thing to add to this...I sent an email to the IG ...there are a number of orgs related to digital offers and digital receipts

<Ian> ...I'm concerned that people in Conexxus might have difficulting getting involved in W3C

<Ian> ..anything that we do around digital offers or receipts should definitely involve those retailers

Ian: I think the Champion is responsible for coordinating that...
... That is the strategy around Digital Offers... and will most likely be the strategy for Digital Receipts.

<Ian> https://www.w3.org/Payments/IG/wiki/WebPaymentIGProcess

Ian: It's important that Champions take that on, being a Champion requires outreach in addition to internal coordination in the group.

DavidE: This membership is mainly retailers... but CPGs are absent - Digital Offers CG meeting is today at noon. Please join us if you're a member of that group... we want to ensure the collective work includes all these people.
... Anything else on Digital Receipts?

Security Task Force

Ken: Anything other than a status update?

Ian: Depends on what you want to cover...

Ken: We're continuing to discuss items internally... status update on what we've talked about, next steps, etc.
... The position/proposal was somewhat general - putting forward topic of security in general.

<scribe> scribe: Ian

Ken: At the FTF meeting there was agreement generally to have a security emphasis.
... we have been discussing since then how to evaluate WPWG deliverables
... first research about how to do these evaluations, and there are a variety of ways
... so I've been discussing inside Amex and also with EMVCo colleagues
... one observation is that WPWG work is largely around software rather than hardware, so that means it's less of a fit with some of the practices we've experienced in payments previously
... we noted also that WPWG members themselves are doing internal due diligence about security evaluations
... what's missing, though, and i think is a bit of a departure for how some of the W3C participants might typically look at things....we may not have taken a holistic / end-to-end approach.
... so with Ian we have been coming up with a proposal for what the security task force can work on

https://www.w3.org/Payments/IG/wiki/Main_Page/Security2017

scribe: so I have been looking at what security solutions exist today, and doing a gap analysis.
... we would also do threat modeling and ensuring we are mindful of the risks as we look holistically at the W3C solution
... two steps described in the wiki:

1) Getting the right talent involved in assessments

2) Getting assessments

3) Translate of assessments into deliverables

Ken: Ian is also continuing to drive relationship with PCI...and W3C/EMVCo chatting
... another option we also consider interesting is (if needed) hiring a firm to do a security evaluation

<Zakim> manu, you wanted to pick biggest pain points - future looking stuff - encrypted card, tokenized payments, digitally signed offers, digitally signed receipts, etc.

Manu: This sounds good but also high level.
... I'm wondering if it would help to identify topics (as I have added already to the wiki)
... we may wish to talk about signing request/responses
... end-to-end encryption
... tokenization

<manu> Ian: One of the things that we should call out - scope

<manu> Ian: We're talking about building a Security Task Force - to ensure that WPWG can be used to make more secure payments. Digital Receipts and Digital Offers are not in scope - current proposal is to emphasize, in a timely fashion, help assess deliverables of WG. So, this is very focused.

<manu> Ian: We can discuss scope - didn't want to change wiki to something else.

<Ken> +q

dezell: It might be helpful to list some topics as out of scope explicitly

<dezell> 1) what are the assets? 2) where do they "go"? 3) what are the countermeasures (if any)?

[David is talking about assessment methodology]

Ryladog: It's interesting you brought up a security evaluation. Is it for certification? To satisfy financial institutions?

Ken: Too soon to talk about certification
... our focus here is mostly about methodology
... I think there's an education process here to get through
... some may not even see the need to do a security assessment today

<manu> thanks Ken, that makes sense ... I didn't understand the scope... I expect the scope will change over time as we finish the specific focus items.

Katie: Will Amex be providing resources?

Ken: Yes

Kate: A security task force should be looking at everything that we are doing and providing guidance
... even if we need to scope our work

Katie: We should look at the specs but if we start to go in a direction related to security, people need to be informed as quickly as possible.

Ken: This will require ongoing dialog
... Like Ian I am convinced we should focus on the specs

<manu> Ian: Briefly - next steps ...

<manu> Ian: Ken is doing some research on security review methodologies... there are a few deliverables - previously asked the Web Security IG to review the specs - that's one form of evaluation.

<manu> Ian: We're continuing discussions w/ EMVCo and PCI...

<manu> Ian: We're gathering expertise within W3C - don't know if we have concrete next steps there - trying to figure that out.

<manu> Ian: I don't know whether other people here are interested - are there other people here that want to meet w/ Ken and me and take actions?

<dezell> I would.

<Erik> I volunteer. This is the most important topic

Next meeting

22 May

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/05/08 15:03:02 $