14:57:15 RRSAgent has joined #wpwg
14:57:15 logging to https://www.w3.org/2019/09/04-wpwg-irc
14:57:19 Meeting: Card Payment Security Task Force
14:57:21 Chair: Ian
14:57:37 Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2019Sep/0005.html
14:57:43 present+
14:57:57 agenda+ TPAC planning
14:58:15 RRSAGENT, make minutes
14:58:15 I have made the request to generate https://www.w3.org/2019/09/04-wpwg-minutes.html Ian
14:58:21 RRSAGENT, set logs public
14:58:25 regrets+ Jalpesh_Chitalia
14:59:29 present+ Michel
15:00:00 present+ David_Benoit
15:00:04 present+ Dean_Ezra
15:00:58 present+ Jonathan_Grossar
15:01:20 deanezra has joined #wpwg
15:02:09 mweksler has joined #wpwg
15:03:28 present+ Tomasz_Blachowitz
15:03:47 present+ Brian_Piel
15:03:55 present+ Adrian_Hope-Bailie
15:04:04 present+ Jonathan_Vokes
15:04:05 tm has joined #wpwg
15:04:10 tomasz has joined #wpwg
15:04:16 AdrianHB has joined #wpwg
15:04:42 Topic: Last Call Recap
15:04:54 Jonathan: We reviewed Jalpesh's flows; he made some minor modifications based on the discussion.
15:05:04 There were many good questions (reflected in the minutes)
15:05:20 ...the idea is at TPAC to show user journey in a demo and to reflect these flows we reviewed
15:05:24 ...first time user adding a card
15:05:27 ...returning user on the same device
15:05:50 ...the demo will go further by illustrating the data exchanged through PR API
15:06:21 ...we did not have time to go through the 3DS flows
15:06:24 ...there were 2 objectives:
15:06:33 a) As part of SRC, if 3DS is invoked what does it look like?
15:06:52 ...Tomasz can speak to that (e.g., invoked by merchant, payment handler, SRC system on behalf of others, etc.)
15:06:58 ...Tomasz can show one view of that
15:07:17 ...also, a month ago there was a request that we find a way to leverage 3DS outside of SRC
15:07:19 jv_ has joined #wpwg
15:07:24 ...we don't have that today but we can also prepare that for TPAC
15:07:37 q+
15:08:07 ...I suggest we go through the flows today with representation of 3DS...we will add the flows in the next few days to represent the other options
15:08:42 IJ: Do you think we should work on 3DS outside of SRC as a priority?
15:09:42 ...should we just start with SRC and then learn from that?
15:09:52 Jonathan: +1 to get the data flow down
15:10:07 ...if browsers can facilitate some 3DS experience, then I think it can be done independent of SRC
15:10:24 q+
15:10:35 Tomasz: This is also related to where exactly the merchant declares that they want 3DS facilitated by the payment handler
15:10:46 ...so we could have this in the PR API request (at top level) and it maps into the SRC payment method
15:10:58 ...or we could include it in the SRC payment method definition
15:11:06 ack AdrianHB
15:11:36 AdrianHB: I had a call today with somebody who mentioned this topic explicitly. They were wondering whether they could write a payment handler that does basic card + 3DS
15:11:42 ...so there may be use cases for this
15:12:07 Jonathan: It might come from the PSD2 regulation
15:12:37 https://w3c.github.io/3ds/index.html
15:12:52 https://w3c.github.io/3ds/index.html#howtouse
15:12:58 jonathan_ has joined #wpwg
15:13:03 benoit has joined #wpwg
15:14:11 ack me
15:14:27 https://github.com/w3c/src/wiki
15:15:05 IJ: Could we extract some of the good questions from last week's call into the payment method wiki?
15:15:26 Could we add some abstraction of the 3DS function to PR API? Something like a requestData where 3DS is an implementation of a service that can provide this?
15:16:09 Jonathan: We can add some explanations from last week's call to the wiki
15:16:20 ...idea of a FAQ is probably a good idea as well
15:17:16 ACTION: Jonathan to send Ian some notes for text to integrate into the SRC wiki
15:17:17 'Jonathan' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., john203445, versky).
15:17:38 Topic: 3DS flows
15:18:22 [Tomasz shows flows]
15:18:51 Tomasz: First flow shows SRC systems communicating with 3DS sever.
15:18:58 s/sever/server
15:19:08 ...the 3DS system can be asked to facilitate 3DS on behalf of merchant
15:19:35 ...SRC system connects to issuing bank (via the directory service [not shown])
15:19:54 ...if the authentication request is Y or A, then auth is frictionless.
15:20:03 ...more interesting case is when the issuing bank specifies the challenge flow
15:20:25 ...the SRC payment handler would create a challenge window (e.g., in an iframe if a web environment)
15:21:04 ...then there's a challenge request to the issuing bank
15:21:35 ...the challenge is submitted to the ACS, which sends back an auth value
15:22:03 ...then there is a request to close the challenge window in the payment handler
15:22:29 ...because the challenge flow was executed, the payment handler needs to go back to the SRC system to complete checkout and get the auth value and credentials
15:22:39 ...all this is packed in the encrypted payload
15:24:12 ...regarding the shape of the output data
15:24:37 https://github.com/w3c/src/wiki
15:25:02 https://github.com/w3c/src/issues/16
15:25:53 Ian: We don't yet have specifics about the shape of the assurance data.
15:26:23 Tomasz: We can either include the assurance data (output from the 3DS auth) in the response from the SRC payment method, or we can elevate this into the PR API response.
15:26:47 q?
15:26:53 Ian: I am hearing three options:
15:27:03 - 3DS parameters / response data as part of next version of PR API
15:27:23 - 3DS params / response data hardwired into SRC...but could also hardwire other assurance methods into SRC
15:27:42 - 3DS params/response data in separate module, and a payment method imports as many similar modules as it wants
15:28:56 Tomasz: We do have other assurance methods but we don't have specs for those yet
15:29:23 Brian: I think the goal should be to define how 3DS works within PR API
15:29:42 ...SRC payment handler may want to use it...there might be some nuances to the SRC case
15:29:48 ...but in general having 3DS work within PR API should be a goal
15:29:56 ...(as we previously discussed)
15:30:35 ...there's also an SDK view of 3DS
15:30:38 q+ to ask about encryption
15:31:30 ack me
15:31:30 Ian, you wanted to ask about encryption
15:34:21 q+
15:34:25 ack mweksler
15:34:36 IJ: I think there are complexities to doing it at the PR API level due to encryption (at least)
15:34:54 ...feels more right to make 3DS a module (including, due to encryption)
15:35:06 mweksler: +1 to not overloading PR API
15:35:25 ...also, the "most engineered way" where there's an includable module is a nice long-term approach
15:37:05 IJ: Today basic card is not supported in Firefox or Safari, so in practice we have N=1 use cases (SRC)
15:37:13 Brian: We should factor in "who can initiate the call"
15:37:32 ...could be merchant, or PSP (on the merchant side)
15:38:03 ...could be some call-outs that "when I am initiating through PR API" I would like to use 3DS
15:39:32 IJ: Do we need to figure out what to do in merchant-initiated 3DS flows?
15:39:42 Brian: There is a user experience issue
15:42:03 Brian: In payment handler scenario, the UX is built-in
15:43:08 q?
15:47:46 PROPOSED: Continue to treat 3DS as a part of SRC; later if there is demand we look at factoring out 3DS as a reusable module for payment methods
15:47:47 +1
15:48:00 +1
15:48:01 +1
15:48:15 +1
15:48:16 +1
15:48:38 ACTION: Ian to update the wiki to let people know that that is our current strategy
15:48:38 'Ian' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., IFSF-EFT-WG-Lead, ijacobs).
15:49:16 Topic: TPAC
15:49:16 https://github.com/w3c/webpayments/wiki/FTF-Agenda-201909#16-september
15:50:18 IJ: How should we allocate the 2 hours?
15:50:36 Jonathan: Start with demo (and explain the differences since April)
15:50:45 ...walk through identity management
15:50:54 ...suggest 1 hour for that
15:52:48 IJ: Can we have a JSON response sample?
15:52:59 Action: Tomasz to produce a sample JSON response data blob for SRC
15:53:00 Created ACTION-127 - Produce a sample json response data blob for src [on Tomasz Blachowicz - due 2019-09-11].
15:53:44 -> https://github.com/w3c/src/issues
15:59:43 ACTION: Ian to look for someone to do an SRC v1 intro to the WG
15:59:43 'Ian' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., IFSF-EFT-WG-Lead, ijacobs).
16:00:56 benoit has joined #wpwg
16:02:08 jv has joined #wpwg
16:06:27 Topic: Next meeting
16:06:28 In Japan!
16:06:34 I have made the request to generate https://www.w3.org/2019/09/04-wpwg-minutes.html Ian
16:07:58 I have made the request to generate https://www.w3.org/2019/09/04-wpwg-minutes.html Ian
16:08:06 RRSAGENT, set logs public
16:38:29 zakim, bye
16:38:29 leaving.
As of this point the attendees have been Ian, Michel, David_Benoit, Dean_Ezra, Jonathan_Grossar, Tomasz_Blachowitz, Brian_Piel, Adrian_Hope-Bailie, Jonathan_Vokes
16:38:29 Zakim has left #wpwg
16:38:31 Prrsgaent, bye
16:38:35 RRSAGENT, bye
16:38:35 I see 4 open action items saved in https://www.w3.org/2019/09/04-wpwg-actions.rdf :
16:38:35 ACTION: Jonathan to send Ian some notes for text to integrate into the SRC wiki [1]
16:38:35 recorded in https://www.w3.org/2019/09/04-wpwg-irc#T15-17-16
16:38:35 ACTION: Ian to update the wiki to let people know that that is our current strategy [2]
16:38:35 recorded in https://www.w3.org/2019/09/04-wpwg-irc#T15-48-38
16:38:35 ACTION: Tomasz to produce a sample JSON response data blob for SRC [3]
16:38:35 recorded in https://www.w3.org/2019/09/04-wpwg-irc#T15-52-59
16:38:35 ACTION: Ian to look for someone to do an SRC v1 intro to the WG [4]
16:38:35 recorded in https://www.w3.org/2019/09/04-wpwg-irc#T15-59-43