23:30:34 RRSAgent has joined #wpwg 23:30:34 logging to https://www.w3.org/2019/09/15-wpwg-irc 23:30:35 Zakim has joined #wpwg 23:30:50 rrsagent, this meeting spans midnight 23:30:56 Meeting: Web Payments Working Group 23:31:00 Chair: NickTR 23:31:02 wanli_ has joined #wpwg 23:31:02 Scribe: Ian 23:31:07 Agenda: https://github.com/w3c/webpayments/wiki/FTF-Agenda-201909 23:31:28 mweksler has joined #wpwg 23:32:09 mweksler has left #wpwg 23:32:13 mweksler has joined #wpwg 23:36:33 Sophie has joined #wpwg 23:39:02 marcosc has joined #wpwg 23:45:00 mweksler has joined #wpwg 23:45:03 rouslan has joined #wpwg 23:45:42 norie has joined #wpwg 23:45:54 justin_toupin has joined #wpwg 23:46:10 Ciciley has joined #wpwg 23:46:29 Hello! 23:46:49 Present + 23:46:56 Present+ 23:47:13 zakim, who's here? 23:47:13 Present: Ciciley 23:47:15 On IRC I see Ciciley, justin_toupin, norie, rouslan, mweksler, Sophie, wanli_, Zakim, RRSAgent, wonsuk, masa-JCB, canton_, pea13, falken, Travis, dlehn, dlongley, rbyers, yoav, 23:47:15 ... hober, nicktr, mkwst, jungkees, danyao, jeffh, slightlyoff, JakeA, Ian, trackbot 23:47:15 present+ 23:47:24 alex_liu has joined #wpwg 23:47:30 takashi has joined #wpwg 23:47:57 present+ 23:48:00 present+ 23:48:48 present+ 23:49:11 sahel has joined #WPWG 23:49:13 present+ 23:49:43 jonathan has joined #wpwg 23:49:54 florent has joined #wpwg 23:50:06 alex_liu has joined #wpwg 23:51:42 agektmr has joined #wpwg 23:51:44 tomasz has joined #wpwg 23:51:59 Roy_ has joined #wpwg 23:55:44 helloworld has joined #wpwg 23:56:24 frank has joined #wpwg 23:57:29 marcosc has joined #wpwg 23:59:32 present+ 00:00:21 jfontana has joined #wpwg 00:02:26 helloworld has joined #wpwg 00:02:47 vkuntz has joined #wpwg 00:03:06 present+ 00:03:20 jezza has joined #wpwg 00:04:52 gildas has joined #wpwg 00:05:07 present+ 00:05:11 present+ 00:05:35 present+ Wonsuk_Lee 00:06:15 krystosterone has joined #wpwg 00:06:46 present+ 00:06:48 present+ 00:06:49 present+ 00:06:50 present+ 00:06:50 present+ 00:06:50 present+ 00:06:52 present+ 00:06:54 present+ 00:06:55 cwarnier_ has joined #wpwg 00:06:56 present+ 00:07:02 benoit has joined #wpwg 00:07:05 present+ 00:07:06 present+ Tony_Nadalin 00:07:13 present+ 00:07:30 present+ 00:07:30 Giulio has joined #wpwg 00:07:36 present+ 00:07:37 present+ 00:07:42 AdrianHB has joined #wpwg 00:07:44 Gerhard has joined #wpwg 00:07:47 present+ 00:07:49 html5cat has joined #wpwg 00:08:20 present+ 00:08:22 present+ 00:08:36 jv has joined #wpwg 00:09:07 present+ Bryan_Luo 00:09:28 present+ Jonathan_Vokes 00:09:39 dwim has joined #wpwg 00:09:47 tung has joined #wpwg 00:09:55 present + 00:10:30 cwarnier__ has joined #wpwg 00:10:56 heejin has joined #wpwg 00:11:13 present+ 00:11:44 present+ 00:11:52 sakiko has joined #wpwg 00:12:09 krystosterone_ has joined #wpwg 00:12:14 present+ 00:12:31 Wu_yaohua has joined #wpwg 00:12:57 Topic: Introductions 00:13:28 NickTR: Welcome to the meeting! It is your meeting; let Adrian and Ian and me know if you have priorities we are not addressing. 00:13:53 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 00:14:17 NickTR: Meeting proceedings are public 00:14:24 nicktr: unlike other organizations 00:15:08 -> https://www.w3.org/2008/04/scribe.html IRC how to 00:15:09 q+ 00:15:09 q+ 00:15:13 q? 00:15:15 ack rouslan 00:15:20 ack marcos 00:15:29 (Nick show us some IRC command magic) 00:15:32 frank has joined #wpwg 00:16:06 present+ Jalpesh_Chitalia(Remote) 00:16:07 Fawad has joined #wpwg 00:17:40 jv has joined #wpwg 00:17:41 [Nick reviews the agenda] 00:17:46 -> https://github.com/w3c/webpayments/wiki/FTF-Agenda-201909 Agenda 00:18:59 L2WD02 has joined #wpwg 00:19:02 vkuntz_ has joined #wpwg 00:19:15 present+ 00:19:31 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 00:20:55 present+ Andy_Estes(RemoteA) 00:23:17 present+ Vishal_Mehta 00:23:39 Fawad has joined #wpwg 00:23:50 Topic: Meeting Objectives 00:23:55 present + 00:24:16 --- 00:24:17 Remove any blockers to moving Payment Request forward in publication process 00:24:17 Explore enablers for wider engagement of community with Payment Handler 00:24:17 Hear about developments in new payment methods 00:24:17 Agree priorities for future work and re-chartering 00:24:19 Continue to develop our web payment community 00:24:20 --- 00:24:39 NickTR: A big value of these meetings is the conversations that happen outside the room 00:24:56 ..these relationships sustain us when we are not all in the same room 00:25:02 frank has joined #wpwg 00:25:22 ..happy memories of reindeer and snowfall and the morning light over the fen. 00:26:18 ...if we can walk away Tuesday knowing how we will complete PR API, PMI published, that will be very valuable 00:26:24 bryanluo has joined #wpwg 00:26:35 ...payment handlers is another important topic - but not as broadly implemented as we'd like 00:26:41 maxh has joined #wpwg 00:26:43 ...so we need to understand more of what we need to be doing. 00:26:57 ..and then for payment methods I'm interested in hearing about SRC, payments in Asia, Web monetization 00:27:10 estes has joined #wpwg 00:27:31 present+ 00:27:35 present+ 00:28:55 jezza has joined #wpwg 00:29:07 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 00:29:59 bryanluo has joined #wpwg 00:30:40 present+ Jeremy_Wagemans 00:32:08 Topic: Payment Request API 1.0 Status Update 00:32:17 [We start with updates from the Chrome Team] 00:33:19 Rouslan: The remaining Chrome issue wrt Payment Request is actually related to Feature Policy implementation, so we are working with them on it 00:33:29 ...we estimate a fix in Chrome 80 00:33:45 ...(current version of Chrome is 77( 00:34:59 ...thanks to Jinho! 00:35:11 [We see a demo of the new retry functionality] 00:35:16 jv has joined #wpwg 00:35:35 ...the demo shows the merchant calling retry with an error message customized by the merchant 00:37:10 html5cat has joined #wpwg 00:37:39 ian: [talk through slides] 00:38:10 jezza has joined #wpwg 00:38:21 ... features: identified in 2018, stable since CR (April 2019) 00:39:46 html5cat_ has joined #wpwg 00:40:38 ... [ talk through tests] 00:40:59 ... some small fixes required to get us to CR for frozen feature set 00:42:29 ... proposal to address objection from Sam Weiler (W3C Staff) is to replace boolean request for data with requests for specific details of user data 00:42:59 ... Sam is happy with proposal but not fully implemented in browsers 00:43:16 ... and WG has no implementation experience 00:45:00 rouslan: we suggest this goes into 1.1 as we are already implementing it (i.e. spec version odesn't affect our work as a browser) but it shouldn't hold up having a solid spec (1.0) that has gone to CR 00:45:27 Ian: can I type instead? 00:45:42 yes 00:46:32 heejin has joined #wpwg 00:46:56 ian: people can deploy PR API today. There is no need to wait for CR but we need to know if there are members of the community that won't proceed unless the spec is finalized 00:47:03 gildas has joined #wpwg 00:47:14 Dongwoo has joined #wpwg 00:47:24 nicktr: my sense is that getting to CR is a confidence signal 00:48:05 Ian: I think the existing requestShipping API with redaction rules is suitable for 1.0. Apple's implementation experience with that type of API is years long and I believe we're comfortable with its privacy characteristics. I'm comfortable with waiting for 1.1 or later for the improved address API. 00:48:43 ian: options for proceeding... 00:48:54 ... finish 1.0 with no mention of this feature 00:49:05 heejin_ has joined #wpwg 00:49:14 ... finish 1.0 with a mention of the feature as optional 00:49:24 ... include the feature in 1.0 00:49:28 +1 on finishing 1.0 without the feature and marking it as optional 00:49:36 sakiko has joined #wpwg 00:49:48 1) Finish 1.0 with no mention of feature 00:49:50 present+ 00:49:53 2) Finish 1.0 with features optional 00:50:06 3) Wait for new feature before finalizing 1.0 00:50:09 gildas_ has joined #wpwg 00:50:29 Where the feature is defined in this pull request: https://github.com/w3c/payment-request/pull/873#issuecomment-506864905 00:51:12 q+ 00:51:13 ian: there has been a request to apply this to billing address too 00:51:15 Option 1, please 00:51:38 +1 for option 1 00:51:44 +1 on options number 2 00:51:56 +1 for option 2 00:52:25 I agree marcosc 00:52:38 I think the WebKit impl of this would not change the Apple Pay payment handler 00:52:44 marcos: browser could apply redaction to data even if payment handler provides full address 00:53:30 q+ 00:53:38 ack mar 00:53:41 ian: the data is in the payment method data 00:53:43 ack giu 00:53:45 q/= 00:53:49 q+ 00:54:07 rouslan: it is payment method specific (billing address) 00:54:41 giulio: can we add the feature as optional? 00:54:45 ian: that is option 2 00:54:49 +1 for option 1 00:55:08 +1 for option 1 00:55:10 How long is adding the feature going to delay the spec, months or years? 00:55:11 Option 2 00:55:18 q+ ... again 00:55:32 ian: we will still support both features for merchants 00:55:37 q+ 00:55:38 Fawad has joined #wpwg 00:55:41 ack ben 00:55:46 ... chrome team suggest adding the feature will take 8 months 00:56:03 benoit: I would opt for the option that does not delay the Rec stamp 00:56:14 ...I would also like to see this feature for billing address as well 00:56:26 ...billing is only needed to facilitate payment 00:56:27 ack mar 00:56:33 queue== 00:56:41 Marcos: Let's break out on this topic! 00:56:48 +1 00:57:14 +1 for option 2 00:57:23 show of hands for option 1: 9 00:57:43 show of hands for option 2: 14 00:57:55 show of hands for option 3 (in v1): 0 00:58:03 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 00:58:29 scribe: Ian 00:58:34 Topic: Payment Handlers 00:58:44 [Justin Toupin from Google presenting] 00:58:52 q? 00:59:29 [Reminder of what a payment handler is] 01:00:44 Justin: Value proposition is we believe that there will be higher completion rates due to trust 01:00:54 ...we also think there are better properties for connectivity 01:01:09 ...we also think there is lower implementation effort for a payment handler for than other approaches 01:01:18 ...we also think it will help improve reliability 01:01:27 tobie has joined #wpwg 01:01:29 ...we also think that this approach will improve payment security. 01:01:34 ..the origin of the payment handler is visible 01:01:38 ...help reduce phishing risks 01:01:53 q? 01:01:55 Justin: We continue to invest in the improvement of payment handlers: 01:02:01 - Respond to change events 01:02:17 - Full delegation of requests for contact, shipping info to payment handlers (instead of browser-stored data) 01:02:26 ...many payment handler providers see themselves as full identity providers 01:02:49 - Improved ergonomics...we've heard from a number of people and have improved tooling 01:03:06 - Additional UI options ... people wanted more flexibility to developers 01:03:17 Fawad has joined #wpwg 01:03:34 Demo: Payment handler can get updated total from merchant based, on, e.g., changes in billing address 01:04:55 q? 01:05:33 jezza has joined #wpwg 01:05:46 gerhard: I'm following in the specs. In the payment handler spec is this defined? 01:06:21 Rouslan: The event is part of payment request (paymentmethodchange event) 01:07:09 https://w3c.github.io/payment-request/#paymentmethodchangeevent-interface 01:08:36 AdrianHB: You can see that the paymentMethodChangeEvent only tells you method name and "method details" blob 01:09:05 q? 01:09:06 ...the question is whether we want the billing address to be a standard model...that might let us simplify the topic of removing pieces of billing address 01:09:31 [Just in time install] 01:10:05 jezza has joined #wpwg 01:10:18 Rouslan: We now make just-in-time payment handler installation in more cases. 01:10:52 ...so if the merchant accepts A and B and the user has a payment handler for A, chrome will now show B for just-in-time installation 01:11:03 [Payment handler event logging] 01:11:31 Rouslan: We have heard payment handler developers say that developing the handler can be confusing, so we have built a tool to help developer handlers 01:11:41 ...some improvements include more verbose messaging 01:12:15 urata has joined #wpwg 01:12:25 q? 01:12:45 ...we now put messages in the console while testing 01:13:02 ...and when deployed, they can be collected on the server side and analyzed 01:13:18 ..what we are seeing on the screen is the ability to see the events fired in the payment handler and see what happens 01:13:30 vkuntz has joined #wpwg 01:13:43 present+ 01:14:10 q? 01:14:53 [Delegation of requests for contact, shipping to payment handlers] 01:15:07 [Sahel shows a proof of concept] 01:15:27 See also the -> https://github.com/sahel-sh/shipping-contact-delegation/blob/master/Explainer.md Explainer from Sahel 01:15:53 q? 01:16:04 ...we think that this will reduce checkout times due to skipping the sheet 01:16:18 ...we propose that at registration time, the handler tells the browser what the handler can handle 01:16:52 Fawad has joined #wpwg 01:17:27 ...if the payment handler can handle a request, we don't show the request in the sheet (and that is true for each type of data: address, contact) 01:18:00 Justin: If the payment handler claims to be able to supply data, the expectation is that the payment handler will do so. 01:18:19 jezza has joined #wpwg 01:18:26 Sehal: Today we are doing partial delegation; another option is "all or nothing" 01:18:34 +q 01:18:41 AdrianHB: You want to be sure the browser does not give data to the payment handler 01:18:42 Justin: That's correct 01:19:03 Sehal: Today the merchant has said what they want. They don't make any change to their call. It's just who handles it that changes. 01:19:20 Tomasz:These are the payment options. (Our demo does not show billing address) 01:20:59 q? 01:21:01 ack 01:21:08 ack tomasz 01:21:12 IJ: Payment handler API does not yet show passing these booleans to the payment handler; that is todo 01:21:28 Sehal: What Chrome proposes is new APIs for change shipping address/options 01:21:46 ...and notifying the merchant of changes so the merchant can update the total 01:22:17 [More UX improvements in the payment handler implementation in Chrome] 01:22:35 Rouslan: We have heard that people want a more native like user experience 01:23:21 ...in first implementation payment handler screen was 70% of height of window 01:23:26 jezza has joined #wpwg 01:23:38 ...that is fixed and was creating some problems for payment handlers requiring more space 01:23:44 bryanluo has joined #wpwg 01:23:52 ...so we are experimenting with enabling payment handler UI to expand to the top of the screen 01:24:22 Justin: The use case is payment sheets with long scroll bar...that would trigger automatic expansion in height 01:24:41 AdrianHB: Does this change the spec? 01:24:52 Justin: No. I'd like to hear from payment handler developers 01:25:17 (7-ish payment handler developers in the room) 01:25:25 NickTR: Why not more?? :) 01:26:17 Rouslan: Some payment handler developers want the browser to handle some of the UI (e.g., list credit cards, authenticate the user) 01:26:24 ...one thing that we are thinking about is "minimal UI flow" 01:27:05 ...in some circumstances, some payment handlers could say "I would like to handle only name, total, account balance" 01:27:44 q? 01:28:08 ....in this demo, user just initially sees a prompt to authenticate 01:28:15 ..user can pull payment handler window up to see more 01:29:09 ...we are thinking about various constraints. 01:29:30 ...e.g., during registration there may be some sort of negotiation of when to show the minimal UI 01:29:44 q? 01:30:00 ...one other thing is that if this UI is enabled, the payment handler would not be able to show other UX 01:30:26 Justin: We have been exploring the range of complexity of payment handler UX 01:31:03 Gerhard: These are great. One of the ones that we'd been looking for is to flip into a bank app, interact with the bank app, and then flip back 01:31:11 Roiuslan: We have heard that use case. I Think we can use that today 01:31:18 ..the bank app would alter their payment method manifest a bit 01:31:43 ...and if the merchant calls PR API with the information that matches the banking app, then chrome will validate the app, flip into it, and then flip back to the merchant 01:31:49 ...this is how Google pay works today in India 01:32:00 ...Anders Rundgren has built a demo of this 01:32:11 jezza has joined #wpwg 01:32:30 IJ: Why did you call this Native as opposed to "Minimal" 01:32:45 Justin: I agree "minimal" is probably a better description 01:33:19 Ian: For the breakout: how payment handlers specify what they want. 01:33:44 Justin some questions for discussion in the breakouts: 01:33:50 - What do we need to do to make payment handlers successful? 01:33:58 - What needs to be part of the payment handler API? 01:34:06 - What parts of UX are exciting to people? 01:34:35 jezza has joined #wpwg 01:34:56 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 01:35:10 Ian: Another big topic for breakout session - how to get more payment handler support 01:36:18 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 01:43:20 estes has joined #wpwg 01:46:04 Roy has joined #wpwg 01:51:30 Vishal has joined #wpwg 01:51:34 bryanluo has joined #wpwg 01:52:15 bryanluo has joined #wpwg 01:55:56 jezza has joined #wpwg 01:58:00 frank has joined #wpwg 01:59:19 jonathan has joined #wpwg 01:59:26 alex_liu has joined #wpwg 02:03:33 rouslan has joined #wpwg 02:04:41 AdrianHB has joined #wpwg 02:05:30 jezza has joined #wpwg 02:05:53 [End of break] 02:05:59 marcosc has joined #wpwg 02:06:41 Topic: Card Payment Security 02:07:45 scribenick: nicktr 02:07:57 bryanluo has joined #wpwg 02:08:01 jalpesh has joined #wpwg 02:08:04 Gerhard has joined #wpwg 02:08:07 Present+ 02:08:10 jv has joined #wpwg 02:08:14 Ian: welcome back. Can new joiners please identify themselves on irc with present+ 02:08:19 Vishal-Expedia has joined #wpwg 02:08:19 present+ 02:08:24 present+ 02:08:30 jezza has joined #wpwg 02:08:47 Topic: Security Task Force 02:08:50 lgombos has joined #wpwg 02:09:10 masa-jcb has joined #wpwg 02:09:31 Present+ Laszlo_Gombos 02:09:34 Ian: We had hoped to have an introduction on SRC from a delegate from EMVco but we couldn't get that sorted out 02:09:38 +1 for SRC summary 02:10:25 ...but we do have a document that the task force have been working on 02:10:50 Fawad has joined #wpwg 02:11:10 Ian: this draft is not currently public so it's still work in progress 02:11:13 bryanluo has joined #wpwg 02:11:51 dave2037 has joined #wpwg 02:11:57 Ian: (Pause while everyone reads the introduction to SRC on the screen) 02:12:33 q? 02:12:57 ...Any questions on SRC? 02:13:16 [Ian does mini intro to SRC] 02:13:16 (None) 02:13:18 scribenick: Ian 02:13:29 Jonathan: I'll show progress since the April discussion and demo. 02:13:39 bryanluo has joined #wpwg 02:13:44 zino has joined #wpwg 02:13:45 ...in April we illustrated how the EMVCo SRC specifications could be implemented within PR API flows 02:13:56 ...to show that the specs are not in competition but that they can be used together. 02:14:07 ...in the 5 months since then we have been looking into the details of that integration 02:14:16 ...what are the challenges we need to resolve? 02:14:20 ..what data model is involved? 02:14:26 ...how will identity and authentication work? 02:14:35 ...how to identify the user to enable them to access enrolled SRC cards 02:14:41 ...how can we leverage Web Authentication? 02:14:55 ...or identities from other identity providers 02:15:09 ....the goal today is to walk through some user experience flows 02:15:23 ...have been working with Jalpesh (Visa) and Tomasz (Mastercard) on the details 02:15:32 ...the first flow is "New user who is adding a card to SRC" 02:16:12 ...the second flow is "Returning user on the same device; select a previously enrolled card" 02:16:26 ...third flow is "Returning user but using Web Authentication" 02:16:28 More details on SRC, including set of specifications, can be found on EMVCo website: https://www.emvco.com/emv-technologies/src/ 02:17:03 ...the user may want to have protected access to cards or frictionless access to card. 02:17:20 ...when I select a card to pay with, I may ALSO have to authenticate. We want to avoid the user having to do too many authentications 02:17:22 gildas has joined #wpwg 02:17:31 Tony: When you say "Authenticate the transaction" what are you authenticating to? 02:17:34 Jonathan: The bank. 02:17:37 ...that could be done in a few ways 02:17:53 ...the goal is ultimately for the bank to recognize the cardholder. 02:18:03 ...this could be required by PSD2, or simply based on a risk assessment 02:18:14 Tony: You take into account the information provider in the PSd2 situation? 02:18:25 ...are you authenticating both ";info provider" and "payment provider"? 02:18:32 ...I may need some information before I do the payment. 02:18:40 Jonathan: We'll dive in after the demo 02:19:35 [Demo shows mobile checkout] 02:19:49 Jonathan: I am going to buy shoes. I click the "Checkout" button which is the SRC trigger. 02:19:54 ...ah, but first some assumptions; 02:20:22 (1) payment method can be implemented by browser or payment handler 02:20:30 (2) We show a demo of skipping the sheet 02:20:53 ...some questions about payment handler ecosystem to discuss 02:21:17 ....so in this demo I am a new user (to the SRC system(s)) 02:21:31 ...so I will enter a new card (in the SRC system) 02:22:38 tung has joined #wpwg 02:22:51 Jonathan: I am glad Chrome is working on expanding the payment handler window when there's a lot of content! 02:23:09 ...in this example, there's a user identity that is an email address 02:23:27 ...that data could come from a variety of sources, including typing by the user but also some email known to the browser for this user 02:23:52 q+ 02:23:53 MaheshK has joined #wpwg 02:24:13 ...after i enter data in the payment handler I enroll it in the SRC system. This demo is frictionless, but the demo could do 3DS for example 02:24:32 q? 02:24:34 q+ 02:24:36 ack Vishal 02:24:37 norie has joined #wpwg 02:24:59 Vishal: This is not exactly frictionless. I have to wait for the customer to add a card to SRC 02:25:17 ...the flow seems similar to google pay 02:25:46 ...why as a merchant would I opt for SRC when I need the user to add a credit card. 02:25:48 q+ 02:25:52 ...which might lead to a drop in auth rates 02:25:53 q? 02:26:13 Jonathan: I mean by frictionless that there was no customer authentication. 02:26:35 ...in this demo, the user has never enrolled a card. It could be that issuers already push cards into the system, which would reduce user typing. 02:27:14 q+ 02:27:15 ...part of the guest checkout experience in general requires the user to enter some card; but we are hoping for more and more experiences where the user doesn't have to enter info...this flow is the "worst case" one we are seeing; they are smoother once the user has enrolled a card. 02:27:39 Jonathan: This email is stored by the SRC system to identify a user and cards. So when I change devices, I just have to enter email on a new device. 02:27:50 ...but for a new device, I will need to be verified, and those approaches may vary 02:27:58 ...e.g., OTP or trusting an identity provider, etc. 02:28:02 sakiko has joined #wpwg 02:28:10 present+ 02:28:11 ack Jalpesh 02:28:41 jalpesh: I agree with Jonathan's comments. The key point I want to emphasize is that this flow does not come into play unless the merchant says the user has to key in data. 02:29:03 ack jv 02:29:33 justin_toupin has joined #wpwg 02:29:39 +q 02:29:42 ack me 02:29:44 ack justin 02:29:53 justin_toupin: How do you see this working with other payment handlers? 02:30:01 q+ 02:30:38 Justin: How would this work with an existing wallet? 02:31:15 Rouslan: Another way to ask the question: can you see PayPal, Google Pay, etc. accessing SRC for cards? 02:31:19 Jonathan: Yes 02:31:21 ack Jal 02:31:24 q- 02:31:35 bryanluo has joined #wpwg 02:31:38 bryanluo has joined #wpwg 02:31:53 [Demo of returning user; first is with frictionless auth and second is with user interaction] 02:32:59 jezza has joined #wpwg 02:33:06 Jonathan: In this demo, the payment handler queries SRC system(s) using the user identity. If the SRC systems have enrolled cards, they are displayed in the payment handler 02:33:30 ..when a select a card, I get information about the card (and the token payload) 02:34:00 ...so in this demo the user chooses a card and the token payload is returned through PR API to the merchant 02:34:07 q+ 02:34:16 ..there was no need to authenticate the user to give access to the src-enrolled cards 02:34:23 ...and no need in this demo to authenticate the user for this transaction 02:34:34 ...3DS may have been invoked behind the scene 02:35:15 Vishal-Expedia: Can the merchant say what information they want. 02:35:54 Ian: PR API has shipping address as optional (for the merchant) 02:35:59 Tomasz: SRC functions similarly 02:36:02 q+ 02:36:13 ack Vish 02:36:27 present+ Lawrence_Cheng 02:36:31 ack Vishal-Expedia 02:37:31 Lawrence: Payment doesn't happen yet when the user pushes "continue" 02:37:32 Giulio has joined #wpwg 02:37:50 Jonathan: Correct; auth etc can happen at that stage 02:37:54 ....e.g., 3DS or other 02:38:21 ...3DS invocation could happen from within the payment handler if the merchant asks for the payment handler to do it on the merchant's behalf. 02:38:39 Lawrence: How do you see this experience compared to Apple Pay and Google Pay? 02:38:43 q+ 02:38:47 Jonathan: That's the next demo 02:38:56 ..we do some device auth as part of the payload you submit 02:39:45 Sophie: Thanks, these demos are really helpful ! 02:40:01 ...the question I have is - how does the handoff happen between PR API and SRC system 02:40:08 ...you could also do this without PR PAI 02:40:14 s/PAI/API 02:40:23 Jonathan: I am starting with the font end, then Tomasz will show backend work 02:40:40 ace giu 02:40:46 ack Sophie 02:40:46 s/ace giu// 02:40:50 ack Giulio 02:41:03 maxh has joined #wpwg 02:41:30 jfontana has joined #wpwg 02:41:33 Giulio: My understanding is that if the user had only once card enrolled (or 2 enrolled but 1 as a default) that you could skip a screen and go straight to the next screen. 02:41:38 maxh has joined #wpwg 02:42:03 jezza has joined #wpwg 02:42:31 q? 02:42:58 [IJ: Skip the sheet is a browser thing; once a payment handler has been launched, it's up to the payment handler to do optimizations in user experience] 02:43:32 wonsuk has joined #wpwg 02:43:37 q? 02:43:38 jalpesh has joined #wpwg 02:43:38 q+ 02:44:07 Gerhard: In the flows you have ,you already say "welcome back Allison"...you could show a default card but allow the user to choose a different card. 02:44:17 ...that's just an example of a streamlined flow optimization 02:44:34 urata_ has joined #wpwg 02:44:35 jezza has joined #wpwg 02:45:13 q- 02:45:19 (Consensus that payment handlers can optimize the UX) 02:45:28 Giulio: You could also have the option of adding a card in the same way 02:45:30 Joanthan: Agreed 02:45:45 ...the real idea here is that when I click the "checkout" button I see my cards (however optimized() 02:45:48 q? 02:47:24 [Demo: Returning user on same device] 02:47:36 Jonathan: Suppose I don't trust the device (eg., a shared device) 02:47:54 ...in previous example, for example, a cookie might have been used once the user has been recognized. 02:48:03 ...we can use web authentication to access the card list 02:48:20 ...so I pick the payment handler, authenticate with my thumbprint, then I see the list of card. 02:49:34 jezza has joined #wpwg 02:49:46 ...one question is the user experience on a device with multiple web authn identifies 02:50:03 jezza has joined #wpwg 02:50:03 ...we did some demos and it worked with Chrome on Desktop but not on Chrome 02:50:16 q? 02:50:48 @@: When you showed the UI, was the content bound to the signature that FIDO gave? 02:51:08 Jonathan: The WebAuthn here is to get access to card metadata. 02:51:19 ...for that I need an identity that I can use with different SRC systems 02:51:29 ...there is an assumption that the user had already enrolled previously (with FIDO keys) 02:51:40 ...so that key is bound to the card list 02:51:51 bryanluo has joined #wpwg 02:53:44 [Discussion of how this works] 02:54:16 JeffHodges: This is not yet specified but could occur as follows: the SRC system would say "the user is not authenticated; you're asking me to return info about a card but I don't yet know the user" 02:54:23 ...there was no ambient authentication passed in. 02:54:25 q+ 02:54:55 ....so if the SRC system wants to authenticate the user, it would make a request to the device, and that's where WebAuthentication would occur 02:55:12 ...how WebAuthn is woven into SRC needs to be part of the SRC spec (If I am correct) 02:55:26 q+ 02:55:47 ack jalpesh 02:56:18 Jalpesh: I didn't quite follow that. But I agree with Jonathan's perspective. We are saying the relying party is the payment handler. The payment handler talks to the SRC system. 02:56:59 Tony: The registration would have to happen to the SRC system at some point. The SRC system would then have the public key of the client. It would be up to the SRC system to look up the key to find out what key ids are related and then those are displayed accordingly. 02:57:09 +q 02:57:30 q+ 02:58:08 q- 02:58:13 [We touch on the delegation of TLD+1...a topic for tomorrow] 02:59:09 Rouslan: It's possible that SRC will invoke the authentication. But it's also possible that the payment handler does the WebAuthn and the backend trusts the payment handler. 02:59:20 q? 02:59:22 ack rouslan 02:59:53 Jonathan: SRC system may decide to trust SOME payment handlers who do Web Authn for access to cards 03:00:25 ...I agree there are two approaches: SRC does auth (for access to cards) or SRC trusts payment handler 03:01:02 ...again here we are discussing access to card list, not cardholder authenticfation 03:01:09 s/authenticfation/authentication 03:01:41 q+ Lawrence 03:01:44 ack jezza 03:02:22 jezza: I want to clarify something around authentication. In the demo, the user authenticated with the SRC system. If my user is in Europe and the transaction is not exempted for SCA, then the user will need to re-authenticate with the issuer. 03:02:31 ...so now we are in the scenario where the user has to authenticate twice 03:02:48 Jonathan: Before trying to answer this question, let me show you another flow 03:03:21 ...if we assume that I am a recognized user on a device and I can access the cards, and we merge the two together. ... 03:03:39 ...when I select a card, because of PSD2 regulation or a risk decision, I may have to authenticate the consumer. 03:03:53 ...it could be the merchant invoking 3DS or the merchant could delegate to the payment handler 03:04:07 ..the payment handler could invoke 3DS OR the payment handler could authenticate with WebAuthn..... 03:04:22 ..that means previously you had an enrollment for that card, where the user then authenticates the user with normal SCA 03:04:58 q? 03:05:24 ...it is possible for the first Web Authentication used to access the card could be reused as input to a 3DS process. 03:05:57 ...the strong signal would then reduce the odds of step-up under 3DS. 03:06:47 IJ: So the payment handler reuses the blob from the first Web Authentication as input to the subsequent 3DS flow initiated by the payment handler 03:07:12 Lawrence: What's in the payment method payload? 03:07:22 Jonathan: Can include token and cryptogram. 03:07:39 ...that is then used by the merchant or PSP for authorization 03:08:01 +q 03:08:17 norie has joined #wpwg 03:08:21 ack LAwrence 03:09:12 Lawrence: If the payload contains the token which is uniquely identified to the consumer, would the issuing bank have to do the SCA? 03:09:38 Jonathan: That's separate from the token. We are talking about authentication for the transaction. There are multiple options including merchant calling 3DS once they have the payload. 03:09:51 ...or if it's the payment handler who has been doing this on the merchant's behalf. 03:09:52 vkuntz has joined #wpwg 03:09:55 present+ 03:09:56 q? 03:11:09 Jonathan:The issuer is always responsible for the SCA. But the issuer can delegate this function, and the issuer can (based on WebAuthn data) can make a choice not to do SCA. That would still be compliant with SCA either through delegation or step-up if needed. 03:11:21 norie has joined #wpwg 03:11:25 Nick: The issuer is definitely responsible. But that doesn't mean that they actually have to perform the task. 03:11:28 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 03:12:12 Tomasz: The SRC-I role is the actor that invokes payment request on behalf of the merchant. (The merchant could also be the SRC-I). The SRC-I receives the credentials. 03:12:39 ...the SRC-I can only receive displayable data (which merchant can display to the user) 03:13:02 ...the merchant's PSP could receive the part of the data that is just for payments 03:13:24 zino has joined #wpwg 03:13:49 [Tomasz shows data model] 03:14:45 -> https://github.com/w3c/src/wiki DRAFT SRC Payment method 03:14:46 jonathan has joined #wpwg 03:16:19 q? 03:16:27 ack tomasz 03:16:35 q+ to ask about conformance to draft data model 03:17:32 q+ to ask about SRCI role 03:18:13 thx 03:18:46 Tomasz: Note that we have some redundancy between booleans in PR API to request some data and the draft SRC payment method; we need to look into simplifying that 03:19:26 q? 03:21:11 jezza has joined #wpwg 03:23:07 tomazs: [talking through slides] 03:24:15 ian: our goal is to define a datamodel for SRC and PR API that is common between networks 03:25:03 ... next question will be whether or not we take this up as WG deliverable 03:25:16 ... so next question is, can you make a tx using the data model? 03:25:19 ack Ian 03:25:19 Ian, you wanted to ask about conformance to draft data model 03:25:23 tomasz: not yet 03:25:35 tomasz: More work needed to complete the data model 03:25:50 scribe_nick: adrianhb 03:25:57 Jonathan: If we want the data model to be totally complete, the question is who works on that, and how do we ensure it works with EMVCo. 03:26:03 +q 03:26:23 Jonathan: So we probably need to invite EMVCo so send more people to the task force 03:26:24 ack nick 03:26:24 nicktr, you wanted to ask about SRCI role 03:26:27 gildas has joined #wpwg 03:26:45 nicktr: The proposal as it stands assumes that the person building the PR API call is the SRC-I 03:27:02 ...or that they are downstream from the SRC-I....but I"m not sure that's the correct assumption. 03:27:13 ...that prevents the payment handler from being the SRC-I. 03:27:28 Ciciley has joined #wpwg 03:27:39 ....there are some things that look like payment handlers today that are aware of the identity of the merchant 03:28:03 Present+ 03:28:04 ...the note I would give at this stage - I'm not sure we want to assume the SRC-I is on the side of the payment requestor. 03:28:23 I had to reload the page 03:28:45 hadleybeeman has joined #wpwg 03:29:22 Jalpesh: There is no reason a company like Stripe couldn't be both the payment handler and the SRC-I 03:29:40 ...payment handler / DCF plays role on behalf of consumer; SRC-I represents merchant (whether merchant or PSP) 03:29:47 michelweksler has joined #wpwg 03:30:16 q? 03:30:27 ...we don't have to call it the SRC-I in the w3c spec. Any developer can call PR API. In EMVCo terms that's called the SRC-I. 03:30:40 Tomasz: I think it's probably important to discuss. 03:30:57 ....if SRC-I does invoke PR API, the SRC-I can provide this information. 03:31:24 q? 03:31:40 ack mar 03:32:45 marcosc: Please avoid "object" in WebIDL if you can due to security issues 03:32:46 q? 03:33:07 Tomasz: Here's why we defined them as Object today - it's due to the EMVCo spec. We don't have specific typed objects in the SRC spec. 03:33:08 ? 03:33:12 q? 03:33:21 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 03:34:55 q? 03:35:30 question: Can we get the link to the SRC Wiki, pls? 03:36:02 -> https://github.com/w3c/src/wiki SRC WIki 03:38:27 q? 03:39:41 Fawad has joined #wpwg 03:40:18 q+ to ask if any EMV member has published their implementation specifications or a timetable yet? 03:40:40 ian: desire to ensure there is no gap in flow for users that have cards. Some experiments from with Chrome team 03:41:02 ... can we show individual cards in payment sheet? 03:41:34 ... another topic we need to explore is user identity 03:41:45 ... where does it come from, who vouches for it 03:41:45 q? 03:41:48 q+ 03:42:15 AdrianHB: We have something of an entity modeling challenge. 03:42:16 q+ 03:42:38 wonsuk has joined #wpwg 03:42:42 ...when we first designed this architecture, we had the concept of a payment handler which is executable code distributed by a publisher. And inside of that there are instruments. 03:42:55 ...but it doesn't map well to SRC...there is more required in SRC on identity 03:42:56 q- later 03:43:28 AdrianHB: I Think we can generalize some of the things that SRC is showing us 03:43:37 q? 03:43:46 q+ 03:44:31 q? 03:44:34 ack Rouslan 03:45:27 Fawad_ has joined #wpwg 03:45:39 Rouslan: Chrome Team would like to see some SRC experience in the market that is working end-to-end 03:45:56 ....that will enable us to think more about how the browser can optimize the user experience. 03:46:08 jalpesh has joined #wpwg 03:46:08 q+ 03:46:50 Rouslan: Yes, we should continue SRC work. 03:47:20 q+ 03:47:59 q- 03:48:08 ...I am ack Ger 03:48:18 ack Ger 03:48:18 s/...I am ack Ger// 03:48:46 Gerhard: We are wondering (as reps of banks) how to add ourselves to the ecosystem. I have an option of being a payment handler. 03:49:12 ...the ultimate authenticator will want to be the issuer 03:49:29 ...is there a way in which the payment handler can hand off to the issuer for the authentication. 03:49:34 ...I think something's possible 03:49:47 ...so the question is whether there can be delegation 03:50:21 ...we need to be clear about what the issuers need to do..otherwise the issuers are going to try to do too much, and confusion will prevent adoption 03:51:35 NickTR: Have any schemes published SRC implementations or a timetable for such? 03:52:00 Jalpesh: Visa publicly announced that we will migrate our acceptance and our experiences into SRC. We haven't quite published a timetable. 03:52:55 jezza has joined #wpwg 03:53:07 ...when available the systems will be available for testing by various parties in the ecosystem (including folks here) 03:54:04 Jonathan: We made similar announcements. 03:54:15 ..launch is imminent 03:54:29 q? 03:54:43 ack nicktr 03:54:43 nicktr, you wanted to ask if any EMV member has published their implementation specifications or a timetable yet? 03:54:45 q- 03:55:03 ack tomasz 03:56:51 q? 03:57:09 Tomasz: I agree we should continue; but also have more work on "how" 03:58:19 Ciciley has joined #wpwg 03:58:39 Present+ 03:58:42 Still here 03:59:04 PROPOSED: The card payment task force should continue to work on an SRC payment method and its integration into the PR API ecosystem. 03:59:25 +1 03:59:26 +1 03:59:29 +1 03:59:29 +1 03:59:32 jezza has joined #wpwg 03:59:33 +1 03:59:33 +1 03:59:35 +1 03:59:35 +1 03:59:37 q+ 03:59:38 +1 03:59:41 +1 03:59:41 +1 03:59:44 +1 03:59:44 +1 03:59:44 +1 03:59:46 +1 03:59:50 jonathan has joined #wpwg 03:59:50 ack rouslan 03:59:51 +1 03:59:58 +1 04:00:02 frank has joined #wpwg 04:00:13 +1 04:00:20 +0 04:00:23 +0 04:00:25 +0 04:00:32 +0 04:00:56 present- 04:00:59 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 04:01:17 mweksler has joined #wpwg 04:01:52 alex_liu has joined #wpwg 04:02:54 alex_liu_ has joined #wpwg 04:03:43 bryanluo has joined #wpwg 04:19:30 bryanluo has joined #wpwg 04:21:41 mweksler has joined #wpwg 04:25:19 alex_liu has joined #wpwg 04:25:49 jessie has joined #wpwg 04:34:12 bryanluo has joined #wpwg 04:41:35 rouslan has joined #wpwg 04:45:34 marcosc has joined #wpwg 04:49:43 alex_liu has joined #wpwg 04:50:04 bryanluo has joined #wpwg 04:52:22 alex_liu has joined #wpwg 05:00:17 frank has joined #wpwg 05:01:04 Masa-JCB has joined #wpwg 05:01:24 norie has joined #wpwg 05:01:31 mweksler has joined #wpwg 05:02:04 jezza has joined #wpwg 05:02:04 rouslan has joined #wpwg 05:03:19 alex_liu has joined #wpwg 05:03:31 canton has joined #wpwg 05:03:32 pea13 has joined #wpwg 05:04:34 takashi has joined #wpwg 05:04:48 michelweksler has joined #wpwg 05:04:59 gildas has joined #wpwg 05:05:33 benoit has joined #wpwg 05:05:34 bryanluo has joined #wpwg 05:06:56 AdrianHB has joined #wpwg 05:08:25 marcosc has joined #wpwg 05:09:36 cwarnier has joined #wpwg 05:11:46 takashi: [slides on QR code payments in Japan] 05:11:53 Gerhard has joined #wpwg 05:12:03 urata has joined #wpwg 05:14:20 Jinushi has joined #wpwg 05:16:57 jezza has joined #wpwg 05:17:56 bryanluo has joined #wpwg 05:18:16 q+ to ask about Japanese QR standard 05:18:46 nicktr: Is the new QR standard in Japan aligned with EMV? 05:18:52 takashi: No 05:18:53 ack nicktr 05:18:53 nicktr, you wanted to ask about Japanese QR standard 05:19:21 fawad has joined #wpwg 05:21:53 bryanluo has joined #wpwg 05:22:21 jezza has joined #wpwg 05:22:36 q? 05:22:40 q? 05:23:04 q+ lawrence 05:23:27 AdrianHB: Can QR code be used for online payments? 05:23:45 q+ 05:23:51 ack Lawrence 05:24:02 jv has joined #wpwg 05:24:07 masa-JCB: no, it is focused on in-person 05:24:14 q? 05:24:49 lawrence: [question about UX, missed detail] 05:24:55 jezza has joined #wpwg 05:25:14 masa-JCB: UX is not as good as card but better than cash 05:25:59 lawrence: what is the motivation to switch? 05:26:30 masa-JCB: the merchant is motivated and so offers cash-back to incentivise consumers 05:28:04 motivation from government is anything but cash so cash-back incentives are high 05:28:32 q? 05:28:34 q? 05:29:48 benoit: compared to AliPay, this seems like astatic data generated by the customer. What prevents me from stealing the code and using it somewhere? 05:30:58 masa-JCB: security is dealt with by providers, I'm not familiar with the details. It's not possible to reuse the barcode 05:31:11 jessie_ has joined #wpwg 05:31:13 q? 05:31:17 q+ 05:31:23 q? 05:31:27 ack benoit 05:31:42 jezza has joined #wpwg 05:32:29 ack benoit 05:32:32 ack Gerhard 05:32:32 ack gerhard 05:32:57 gerhard: this looks like tokenization. Why not use the EMVCo standard? 05:33:16 Q? 05:33:33 masa-JCB: I'm not familiar with the design discussions. 05:34:09 gerhard: I see the benefit of the form-preserving token but does it require merchants to add cameras to the terminal? 05:34:18 urata has joined #wpwg 05:34:24 masa-JCB: the majority of terminals already had the camera 05:34:47 gerhard: Which is more common, merchant presented vs consumer presented? 05:34:50 jezza has joined #wpwg 05:35:32 masa-JCB: Providers all support both. The choice is driven by cost. 05:35:37 q? 05:35:44 scribenick: Ian 05:36:12 kimwooglae has joined #wpwg 05:37:01 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 05:37:23 [Sakiko Suzuki on payments in Asia] 05:37:29 florent has joined #wpwg 05:37:44 masa-jcb has joined #wpwg 05:38:41 Sakiko: Market affected by (1) various instant payment initiatives in Europe and (2) new payment methods from China 05:39:01 [Background on SWIFT] 05:39:07 estes has joined #wpwg 05:39:22 Sakiko: SWIFT covers over 200 countries and multiple currencies. 05:40:03 ...drivers of change: volumes, e-commerce, real-time, regulation, open banking 05:40:17 ....volume is doubling each year 05:41:26 ...in Europe we provide instant payments across multiple countries for cross-border payments 05:41:37 ..in Australia we do so for all sorts of payments including P2P and B2B 05:41:52 ...SWIFT is focusing on cross-border payments; regulation is really important 05:41:57 ...there are issues like AML 05:42:12 rouslan has joined #wpwg 05:42:42 Angel has joined #wpwg 05:42:57 ...APIs help foster development 05:43:06 ...we have three focus areas: modeling, publishing, consumption 05:43:57 ...GPI is a new system to provide instant payments 05:43:57 ll 05:44:01 s/||/ 05:44:07 s/II// 05:44:33 Sakiko: We are trying to connect additional networks as well since we cannot provide all solutions ourselves 05:44:58 ..."NPP" (New Payment Platform) in Australia 05:45:01 ...started in January 2018 05:45:16 ...distributed architecture. 05:46:02 ...allows Australian banks to do real-time clearing and settlement 05:46:17 ...distributed model ensures continuity of payment services 05:46:27 Angel_ has joined #wpwg 05:46:29 ...before NPP, Australian could not do real-time, 24/7 05:46:47 ...based on ISO20022 05:46:59 ....1400 data fields available 05:47:11 ....24/7 real-time 05:47:21 ....PayID or BSB and account number; 05:47:33 q? 05:48:28 Fawad_ has joined #WPWG 05:48:34 ....we provide an API sandbox to facilitate development 05:49:00 ...after 1 year, NPP has 75 Members connected to the network; $75 Billion worth of transactions 05:49:19 ...any type of payment can be supported by the network 05:49:30 Roy has joined #wpwg 05:49:57 ...GPI has been around for 3 years 05:50:08 ....next year, all SWIFT Members will be on this network. 05:50:24 Giulio has joined #wpwg 05:50:38 ...98% of transactions settled in 1 day; 40% in less than 5 minutes 05:50:59 ...most of the advanced banks can settle in 10-20 seconds 05:51:27 ...GPI instant: 20 seconds end to end on average; maximum 60 seconds 05:51:38 rrsagent, draft minutes 05:51:38 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Angel_ 05:53:21 [Trial participants include NAB, ANZ, ICBC, Bank of China, Bangkok Bank, DBS, UOB, Standard Chartered) 05:54:56 wonsuk has joined #wpwg 05:56:26 q? 05:56:27 q? 05:56:59 AdrianHB: If we push for real-time push payments, is the end goal retail? 05:57:20 Sakiko: I think it's possible. SWIFT can provide account-to-account transer 05:57:26 s/transer/transfer 05:58:33 [Demo of GPI with PR API] 06:00:13 Vkuntz: With PR API, merchant can get ask bank to track payment and let the merchant know if not received within 60 seconds. 06:01:28 (Demo shows a gpi-tracked payment method) 06:01:35 ...the user selects an account from which to make the payment 06:01:56 ...selecting "confirm" causes payment information to be sent to the bank. 06:02:13 ...the merchant gets back a tracking idea 06:02:33 ...then we can simulate the bank initiating the transfer 06:02:49 ...then the payment method enables the merchant to know that the payment has been initiated. 06:03:15 q? 06:04:58 ...so the payment handler has closed, and the merchant can monitor the status of the payment. 06:05:33 ...the payment response includes an identifier for the transaction in the GPI system 06:05:37 q? 06:05:45 IJ: What about authentication? 06:06:05 vkuntz: Authentication is in g-link 06:06:09 ...so we have it but have not applied it. 06:06:26 jezza has joined #wpwg 06:06:31 AdrianHB: What data is sent to the payment handler? How does the merchant identify itself? 06:07:02 vkuntz: There's merchant account identifier. 06:07:29 ..it's globally unique 06:07:44 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 06:07:52 q? 06:08:29 norie has joined #wpwg 06:08:30 mweksler has joined #wpwg 06:09:58 jezza has joined #wpwg 06:12:07 jezza has joined #wpwg 06:15:16 alex_liu has joined #wpwg 06:16:35 jezza has joined #wpwg 06:22:18 bryanluo has joined #wpwg 06:27:52 bryanluo has joined #wpwg 06:28:54 mweksler has joined #wpwg 06:29:20 rouslan has joined #wpwg 06:31:08 Ciciley has joined #wpwg 06:31:18 Present+ 06:31:51 jessie has joined #wpwg 06:32:40 michelweksler has joined #wpwg 06:33:30 Topic: Airbnb PR API Experience 06:34:51 -> http://www.w3.org/2019/Talks/airbnb-20190916.pdf Airbnb slides 06:34:56 gildas has joined #wpwg 06:35:10 mweksler: Some points to think about as we go through the presentation 06:35:33 - One goal was a desire to rely on payment request as the only step in a checkout flow 06:35:37 Yaohua_Wu has joined #wpwg 06:35:46 - Guest checkout v. card on file is another theme 06:36:30 frank has joined #wpwg 06:36:31 Fawad has joined #wpwg 06:36:34 Alex: Lots of slides but I will go quickly 06:36:51 Giulio has joined #wpwg 06:37:13 Alex: Airbnb has a number of top-level businesses all leverage the Airbnb platform. 06:37:16 norie has joined #wpwg 06:37:24 vkuntz has joined #wpwg 06:37:24 ...one functionality within that platform is payments 06:37:34 present+ 06:37:36 ...Airbnb has about 200 people working on payments 06:38:00 ...we operate in lots of countries and accept a lot of currencies. 06:38:16 ....we go through multiple PSPs for redundancy 06:38:20 urata_ has joined #wpwg 06:38:47 ...we have our own coupons, credit plans 06:38:52 [Opportunities] 06:39:16 Alex: We wanted to redesign the Web experience; lots of people start from Web (not native) 06:39:26 ...wanted a streamlined first time booking experience 06:39:36 ...and thought we could use PR API to collect information. 06:40:00 ...we have a signup wall and thought we could use PR API to streamline that rocess. 06:40:11 ...we also wanted to use PR API to be able to support more payment methods 06:40:19 ...e.g., access to Apple Pay and Google Pay 06:40:30 ...so PR API gave us access to more payment methods. 06:40:31 Fawad_ has joined #wpwg 06:41:00 Fawad_ has left #wpwg 06:41:08 ...in Brazil we have to collect a lot more information ... 06:41:12 ...forms lead to drop-off 06:41:23 fawad_ has joined #wpwg 06:41:32 ...with PR API we don't have to manage all the form fields, and resizing and display 06:41:47 Fawad_N has joined #wpwg 06:41:55 ...we also thought we could speed up checkout for use cases where users already had *Pay setups 06:41:59 [Exploration] 06:42:13 Alex: We integrated it with desktop web via moweb 06:42:30 masa_jcb has joined #wpwg 06:43:07 (We see a demo using basic card, and a demo using google pay) 06:43:37 Alex: We saw a lot of benefits - no complex forms, use existing wallets, access to more payment methods, no custom billing form, buit-in infrastructure 06:44:25 Alex: For us, we liked the standard API because it was easy to swap in, and have it work across browsers 06:44:30 [Challenges] 06:44:40 jonathan has joined #wpwg 06:44:43 q? 06:45:04 Jonathan: Are you using PR API all the time, or just first time user? 06:45:36 mweksler: PR API remains an option, but previously used cards are available in subsequent checkouts (card on file) 06:46:07 Alex: If you start adding card-on-file, once you have a mix of instruments (card-on-file, card-in-browser, google pay) that can be confusing to the user 06:46:29 Alex: Biggest pain point is lack of official payment handlers. 06:46:35 ...e.g., no PayPal 06:46:52 ...even for the ones that are there (e.g., Google Pay) only there for one browser and not the other 06:47:13 Alex: You should be able to see all the payment methods on all the browsers 06:48:01 Alex: Second point is consistency across browsers. Suppose we use Chrome basic card implementation...experience on mobile not same as experience on desktop 06:49:28 IJ: Do label customizations help? 06:49:32 Alex: Yes, that could help 06:49:39 q? 06:49:53 Alex: so we'd like to see (1) more official payment handlers (2) support across browsers (2) configuration of form fields / labels 06:49:58 ....that is, customization 06:50:22 ...even if the browser does not allow customization, make it possible for us to know the strings that would have been rendered and we can match them 06:50:39 Alex: Second challenge was stored instruments 06:51:06 ....if the user has some cards on file with Airbnb but also cards in browser and so they get a difference experience 06:51:31 ...not obvious to users how to find most up-to-date card information 06:51:43 ....so might be nice to integrate on-platform instruments into the sheet. 06:52:21 Alex: Another topic is "tokenization". If we were to implement PR API, on the back end (e.g., Stripe, Braintree) the backend integrations are different 06:53:31 takashi has joined #wpwg 06:54:08 IJ: Do you want a standardized API on the backend or a standardized payload? 06:54:16 q+ 06:54:53 mweksler: For a merchant would be great to have a standardized token shape, but PSPs may not want that level of interoperability 06:54:57 q+ 06:55:00 ack nicktr 06:55:38 nicktr: I think this is a live debate within payment providers whether to have tokens that can be moved among payment platforms. 06:55:42 Gerhard has joined #wpwg 06:55:53 ....there is nothing in the ecosystem today that prevents transportable tokens from being built. 06:56:01 ...you can use EMVCo tokens today 06:56:12 ...but the tokenized card payment method could support that 06:57:00 ...I think that if there were 20 large merchants who wanted EMVCo tokens, there might be product managers willing to make a business case in their org. 06:57:00 q? 06:57:13 ack benoit 06:57:24 benoit: Regarding universal tokens - I would personally love that 06:58:02 ...whenever anything changes in the payment chain, you need to gain new authorization from the cardholder (this is a compliance issue 06:58:17 jv has joined #wpwg 06:58:17 ...so seamless backend swapping is technically not allowed 06:58:47 IJ: But at least you could get rid of some technical friction 06:59:30 mweksler: There are multiple ways that we could comply (including user agreement up front) 06:59:32 q? 06:59:37 q? 06:59:53 NickTR: The question is "who is the token requestor"...if the token requestor were the merchant (bound to the merchant) then do-able 07:00:36 mweksler: What we are after is slightly more nuanced - we don't want to put the burden on merchants that is associated with being token requestor. We want the PSPs to do the heavy lifting, and then we want to be able to use the tokens wherever we want. 07:00:46 q+ 07:01:01 Tony: Delegation is tricky (e.g., key exchange) 07:01:06 ...so more tricky than just user consent 07:01:21 AdrianHB: That's probably why our efforts at a tokenized card payment method didn't progress. 07:01:33 ack rous 07:02:03 rouslan: You expressed a sentiment that if more payment handlers on more platforms that would be great; I completely agree 07:02:03 jeff_ has joined #wpwg 07:02:15 ...so the question is: what does Chrome need to do for people to start using payment handler API 07:02:20 present+ 07:03:15 mweksler: Lack of payment handler implementations I think is a big challenge; merchants need to treat it as "yet another payment method" instead of the "single payment method API" 07:03:51 ...another topic is the user experience when there is both card-on-file and card-in-browser 07:04:06 ...some sort of merging of the two worlds would be helpful 07:04:23 ...I refer to this as "on boarding existing users to PR API" 07:04:28 q? 07:04:57 AdrianHB: The second topic is interesting 07:05:18 mweksler: Every large merchant would have to write the same payment handler, which suggests it is a possibility for standardization 07:05:59 ...we don't store the cards (people do that for us) 07:06:09 ...we'd like to merge them into PR API 07:06:28 (Tradeoffs) 07:06:34 - integration with airbnb systems 07:06:40 - customization 07:06:42 - ease 07:06:56 Regarding integration: it works really well today when replacing a single payment method. 07:07:08 ...e.g., PR API with just Apple Pay or just GooglePay 07:07:23 Regarding ux consistency: 07:07:38 - imagine large merchants adopting this - you'd have consistency across sites and that would build trust 07:07:44 - great for device-specific payment methods 07:07:48 BUT: 07:08:00 - not consistent with other Airbnb pages 07:08:03 ...different branding for example 07:08:18 ...also the ux is different across browsers (since different platforms) 07:08:23 Customization: 07:08:36 - would be great to be able to customized display sections, and get label consistency 07:09:12 RRSAGENT, make minutes 07:09:12 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 07:10:30 Topic: Breakout sessions 07:10:34 - Payment handlers 07:10:41 - Intersection of PR API, guest checkout, sign-up 07:14:33 - Moving billing address from payment method to payment request 07:15:54 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 07:16:08 Topic: Payment Handlers 07:16:28 Roy_ has joined #wpwg 07:16:43 Justin: What should we be investing in to get more payment handler adoption? 07:16:43 q+ 07:16:51 ack Roy 07:17:25 Roy_: One thing that would be helpful is to know the ecosystem of adoption of PR API 07:18:31 q+ 07:18:46 marcosc has joined #wpwg 07:18:56 Justin: The volume in terms of transactions is growing 07:18:57 +q 07:19:14 q? 07:19:35 mweksler: I think you should encourage people internally that the more info can be shared the more adoption is likely to increase 07:19:37 ack Jeff 07:19:47 q+ 07:19:59 tomasz_ has joined #wpwg 07:20:12 jeff_: I'd like to understand more why the information about adoption is proprietary, or whether we can have some conversations about stripping the proprietary information 07:20:40 ...even reducing to a single figure of merit (e.g., growing x% per year) 07:20:48 ack jv 07:21:12 jv: EMV manages to publish annual maps about card adoption 07:21:22 ....they anonymize data 07:21:38 q? 07:21:44 AdrianHB: So each vendor could provide data to W3C and W3C could anonymize the consolidated data 07:22:00 ACTION: Justin to check internally at Google about what can be shared 07:22:01 Created ACTION-128 - Check internally at google about what can be shared [on Justin Toupin - due 2019-09-23]. 07:22:32 jessie34 has joined #wpwg 07:22:36 vishal: I think from a decision perspective good to know (1) has there been an increase in number of merchants adopting it? 07:22:48 ...so doesn't need to be user numbers, can be merchant numbers. 07:23:13 ...regarding intro - we have examples in the payments industry about branding 07:23:56 ian: we did a lot of study on that topic 07:24:14 ... there was no support because the observation was that PR API is not a payment method 07:24:27 ... users recognize payment method brands 07:25:14 Vishal: I'd like to see a credit card logo without specific brands, to indicate triggering PR API 07:25:31 ....PR API is a payment method from an end-user perspective 07:25:54 Sophie has joined #wpwg 07:26:04 gildas has joined #wpwg 07:26:10 AdrianHB: I think the goal is that users don't think of it as a payment method...ideally we should figure out a way to make the experience fit into the current branding requirements of some of the big payment methods 07:26:21 ...e.g., Apple requires an Apple Logo 07:26:50 ...we have an unsolved problem about exposing the supported payment methods of the user and exposing them as actionnable buttons on the page 07:26:51 q? 07:26:54 ack Vish 07:27:51 Rouslan: What is the biggest obstacle to people writing a payment handler today?A 07:27:57 ..this will help us focus our energy 07:28:07 q? 07:28:25 q+ 07:28:42 issue: https://github.com/w3c/payment-request/issues/870 is one for me, but likely not for many others 07:28:43 Created ISSUE-2 - Https://github.com/w3c/payment-request/issues/870 is one for me, but likely not for many others. Please complete additional details at . 07:28:52 q+ Gerhard 07:28:54 ack bryanluo 07:28:55 q+ 07:29:26 bryanluo: Two things come to mind for us. The first question I will be asked is "What's the business value for doing a payment handler?" 07:29:35 jezza has joined #wpwg 07:29:52 ....it's not exactly clear at this point. The second topic is more technical, but a couple of things come to mind: 07:30:07 ...flexibility and extensibility within the API. As a payment handler there will always be edge cases 07:30:53 ...PSP integration is a big part of the payment handler business model...where does it fit in? 07:31:44 ....industry is moving away from iframe....does this PH approach create another isolated thing 07:31:48 Rouslan: Thanks for this information! 07:32:13 Rouslan: Payment handler is a top-level window, so it does not suffer from cookie restrictions on iframes 07:32:28 bryanluo: So it's like a popup that has a special UI? 07:32:29 Rouslan: Yes 07:32:55 AdrianHB: Regarding data model -the payment method owner owns the data model 07:33:33 Bryanluo: Ah, so there is already an open channel between merchant and payment handler 07:33:35 AdrianHB: Yes 07:34:18 ...also note that OAuth experience in the PH modal happens without losing the merchant context 07:34:29 q? 07:34:42 q+ to ask Google for blog post on handler benefits 07:34:47 ack Gerhard 07:34:51 ack Gerhard 07:35:22 Gerhard: If I get to the checkout page and PR API is the third option, I am likely to pick the first 2, so instrument-level display would be helpful 07:35:44 Gerhard: It could also be useful for merchants to load payment tokens in 07:35:44 q+ 07:35:53 q+ 07:36:05 q? 07:36:44 ian: we do have a long standing request for "instrument level display" on the page 07:36:49 q? 07:36:51 ack Ian 07:36:51 Ian, you wanted to ask Google for blog post on handler benefits 07:36:52 ack Ian 07:37:24 Action: Ian to work with Justin and Google on writing up payment handler benefits 07:37:25 'Ian' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., IFSF-EFT-WG-Lead, ijacobs). 07:37:47 angel has joined #wpwg 07:37:48 jezza has joined #wpwg 07:38:06 ack jeff_ 07:38:11 Justin: Our thesis is that PH API can improve conversion rates; that's a key data point; we'd like to partner with people to get that data. 07:38:14 ack Jeff_ 07:38:30 alex_liu has joined #wpwg 07:38:53 Jeff_: The question at the beginning was how to get more payment handler adoption. Lots of good pieces "bottom-up" 07:39:06 ..but a different approach is to ask which payment handlers we most need. 07:40:34 ian: My observation is that chrome took that approach and picked the industry leader and continue to work with them. The one blocker is that the potential payment handler will only move forward with more browser support (specifically Safari on iOS) 07:41:15 mweksler: For Airbnb, definitely PayPal would be great 07:41:26 ...I think two that are not as big but also strategic are Alipay and WeChat 07:41:46 q+ to follow-up on Paypal, Alipay, and we-chat 07:42:10 Rouslan: Are you talking about China market or international market? 07:42:34 mweksler: Primary market would be China. When you look at their online payment methods, the most popular ones are the mobile ones that redirect to their app 07:42:44 ...it's not an easy payment handler, but it's interesting 07:43:00 AdrianHB: That integration already exists on some platforms (e.g., Android) 07:43:17 Rouslan: Side-loading apps would not be good for security reasons 07:43:37 Rouslan: Alipay did demos about integration with Chrome on Android 07:43:48 ...signature verification does not happen with legacy redirect 07:43:56 Ciciley has joined #wpwg 07:44:08 wmeksler: If you have a payment handler provided by Alipay you may not need to redirect 07:44:08 q? 07:44:18 s/wmesksler/mweksler 07:44:29 q? 07:44:33 ack Vish 07:45:07 Vishal-Expedia: We have been talking about 3DS 2.0. Entering the OTP is in the payments page, which is great. 07:45:36 ....seeing that flow compared to PR API overlay, its kind of clunky to have an overlay compared to in-page display 07:45:45 ....choosing of the payment method in the page would be nice 07:46:19 ....I don't see many merchants in this meeting; need more exposure to merchants 07:47:04 IJ: Who besides MAG? 07:47:12 Vishsal: MRC 07:47:14 ian: we work with MAG (who are meeting this week so can't be here). Any suggestions for others are appreciated? 07:47:34 ...we have a meeting in January in Singapore 07:47:45 ack Jeff_ 07:47:45 jeff_, you wanted to follow-up on Paypal, Alipay, and we-chat 07:47:53 q? 07:48:05 Ciicley has joined #wpwg 07:48:15 Present+ 07:48:19 Jeff_: If I were running this as a business, I would figure out how the WG should go after each opportunity. PayPal conversations are underway. 07:48:34 ...for Alipay, the head of standards of Alibaba is here this week 07:48:39 angel_ has joined #wpwg 07:48:52 ....it would be good to build a story for Alipay 07:49:05 ...WeChat is Tencent, also a W3C member 07:49:45 ...as far as Merchant outreach, having a meetup between MAG executive council and the WPWG might be a more effective way to drive adoption 07:49:52 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 07:49:53 q? 07:49:53 q? 07:50:46 Rouslan: Question for browser vendors - should some implementation features of Chrome be "standardized" (even if not in spec): 07:50:50 - Just-in-time installation 07:50:53 - Skip the sheet 07:52:08 jezza has joined #wpwg 07:52:14 -> https://www.w3.org/blog/wpwg/2018/08/20/further-streamlining-the-payment-request-user-experience/ See details on JIT installation and skip-the-sheet 07:53:19 Rouslan: These are user experiences and we've tried to not standardize them as a result 07:53:54 ....my feeling for skip-the-sheet is that should not be normative in the spec, but could be mentioned as an informative note 07:54:13 q? 07:54:36 +q 07:54:46 marcos: Agree that generally we would not put something like this in the spec 07:55:00 ack jv 07:55:10 jv: But having same experience across browsers would help adoption 07:56:23 q+ 07:56:32 q+ 07:56:49 Marcos: Putting this into the spec may not help; browsers will do the right thing in order to provide the right UX 07:57:08 ack rouslan 07:57:14 q+ 07:57:29 Rouslan: We have documented the conditions where Chrome skips the sheet 07:58:31 jessie has joined #wpwg 07:58:35 ack me 08:00:11 AdrianHB: Any changes we need to make to the spec to make it easier to implement as a browser? 08:00:23 jezza has joined #wpwg 08:00:25 Marcos: Architecturally we need to do a bunch of things to support the spec. 08:00:44 alex_liu has joined #wpwg 08:00:47 ...so don't want the spec to go too far ahead, but also like the adoption experience so looking for a balance 08:01:11 ack mw 08:01:11 q? 08:01:13 ack mi 08:01:33 mweksler: I wanted to add a comment to the skip-the-sheet discussion 08:01:40 ....I think there are other cases beyond "just one payment hadnler" 08:01:54 ...for example, configuration to allow me to use same payment handler always on same site 08:02:06 ...that info could be stored either by the browser or the site 08:02:26 ...e.g., Airbnb could store the preference and tell the browser to skip the sheet and which payment handler to use 08:02:49 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 08:02:54 q? 08:03:20 AdrianHB: I think that full delegation is an important piece of this - that the handler can handle shipping address 08:04:14 Sehal: In the demo we did today, if payment handler supports delegation, we do skip up 08:04:18 s/up/UI 08:04:33 Justin: We showed the minimal UI flow 08:05:24 bryanluo has joined #wpwg 08:05:37 q+ to ask about minimal desktop experience 08:05:44 ian: this is getting close to previous Mozilla comments on UI risks 08:06:02 q+ 08:06:04 marcos: there is a lot of UX work around permissions and constraints 08:06:38 q+ 08:07:35 ack nicktr 08:07:35 nicktr, you wanted to ask about minimal desktop experience 08:07:46 bryanluo has joined #wpwg 08:08:02 nicktr: The "minimal UI" is a special case of the special case 08:08:17 ...if I were a Payment Method owner that was struggling to get traction across a huge installed base, 08:08:47 ...you could offer slick 1-click experiences because you'd know, even with guest checkout, that the consumer has a primed payment handler 08:08:51 ..this seems like a great thing 08:09:08 ...have you done work with minimal UI on desktop? 08:09:33 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 08:09:41 Justin: No not yet 08:09:53 q+ 08:09:58 michelweksler: I like the minimal UI. I am wondering if we can go even further. 08:10:14 alex_liu has joined #wpwg 08:10:28 ...is there a way for the user to say I authorize micropayments up to a certain amount? 08:10:31 ...could be less intrusive 08:10:39 ack michel 08:10:52 ack Gerhard 08:11:11 Gerhard: I have four use cases: 08:11:36 1) The "no user auth" use case. We've already established credibility within a bank context. You flip into it and you flip out 08:11:50 2) FIDO 08:12:04 ..if the FIDO credential is in another domain, you could flip into it, do biometric, and flip back 08:12:50 3) Bank has an issuer wallet (there is a token + cryptogram in the native app)...needs to retrieve the cryptogram from the app 08:13:28 4) External device authentication (eg., browsing on desktop, authenticate via phone) 08:13:36 q? 08:13:52 5) In south africa we've hooked up with mobile operators to use USSD 08:13:57 jezza has joined #wpwg 08:14:28 ...text-based interface; phone wakes up; you type in a number to grant consent 08:14:39 ...we do some sim-card protection 08:14:50 ...it works on feature phones 08:15:33 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 08:15:45 q? 08:16:26 ack AdrianHB 08:16:37 AdrianHB: I want the minimal UI to be more minimal 08:16:46 ...for Web monetization, the use case is that I enroll up front 08:17:03 ..I have a concept of a balance..and an agent in my browser making decisions about when to pay and how much 08:17:19 ...our idea is that payment handlers are invoked, but the payment handler is not interactive 08:17:44 sakiko has joined #wpwg 08:17:54 present+ 08:18:06 q? 08:18:30 vkuntz has joined #wpwg 08:19:14 ian: the payment sheet + basic-card is a variant of a minimal UI in some sense 08:19:27 jeff_ has left #wpwg 08:20:15 ... i.e. the sheet provides UI to the payment handler 08:20:28 jezza has joined #wpwg 08:20:29 rouslan: that's not how we have done it now 08:20:52 ... we want to support push payments which will have a financial impact each time they are invoked 08:21:30 q+ 08:22:01 ian: it feels like you're doing the same thing so you could move the browser local basic-card payment handler into a "minimal UX payment handler" 08:22:31 tomasz: I like the idea of making the "basic-card" handler behave more like other handlers 08:23:08 ack Alex 08:23:30 Alex: I want to add onto that. Maybe comes back to the question as well for the merchant who has cards on file 08:23:36 q? 08:23:44 ...if we could shove instruments into the sheet, that's a powerful use case for us. 08:24:16 AdrianHB: If we just enhanced basic card so that if you passed in a list of things on file, and if the user picks one, the response data is an index back to the card that the merchant provided 08:24:42 Alex: Passing in reference is interesting 08:25:24 AdrianHB: I think we want to move away from using basic card. I wonder if there's a way to move an instrument into a more secure version. 08:26:11 Tomasz: Airbnb could have its own headless payment handler that registers instruments with the browser. 08:27:13 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 08:28:14 norie has joined #wpwg 08:28:37 Topic: Connecting guest checkout with signup 08:29:08 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 08:29:47 michelweksler: Can we unify the guest checkout + website sign-up? 08:30:40 ...can we tie it together with authentication? 08:30:49 q+ 08:30:59 ....info about user, information about credentials, what's needed to use them in the future 08:31:04 ack nicktr 08:31:21 jezza has joined #wpwg 08:31:22 q+ 08:31:40 Giulio has joined #wpwg 08:31:45 on this site" 08:32:01 NickTR: There is a trusted site concept in PSD2 flows 08:32:04 s/on this site"// 08:32:07 q? 08:32:07 q+ 08:32:10 q+ 08:32:35 mweksler: I am thinking more about unifying the flow of identifying yourself with the payment step and future login step 08:33:23 ...maybe merchant says "I also want to create an account for the user" 08:34:20 q+ marcos 08:34:22 q? 08:34:41 AdrianHB: I hear two use cases: 08:34:41 q+ for Marcos 08:34:58 - Sign up and consent to my profile being used for payment later 08:35:17 - When making a payment agree to terms of service as well 08:35:24 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 08:35:52 jezza has joined #wpwg 08:35:55 agektmr: I think it's interesting to add a password option so user can create account with new password easily 08:36:12 ...important to make clear to user the info is being used for signup 08:36:13 q? 08:36:38 ack agektmr 08:36:47 justin_toupin has joined #wpwg 08:37:06 AdrianHB: Right now PR API allows merchant to request email. The merchant should be able to tell the browser to tell the user that data will be used to create an account as well 08:37:18 ...that is, make it easier to create an account as part of checkout 08:37:44 Tony: In a PSD2 situation, I may want to go to the information provider to get that information 08:38:36 AdrianHB: Question is whether we can enhance API to support authentication and later log-in 08:38:39 q+ 08:38:52 AdrianHB_ has joined #wpwg 08:39:07 Rouslan: Can you tell me what you would do instead of a password? FIDO? Or OAuth into google or facebook? Or password generation? 08:39:28 mweksler: We have building blocks to not do passwords. We could use OAuth or WebAuthn or other 08:39:47 ..what I'm seeing is an opportunity to tie things together 08:40:22 Alex: You could delay password creation to later 08:40:40 Mweksler: There's an opportunity to get rid of passwords and use WebAuthn 08:40:43 q? 08:40:57 zakim, close the queue 08:40:57 ok, Ian, the speaker queue is closed 08:41:34 Rouslan: So I'm imagining that in the sheet has an action button that says "Pay and Create Account" 08:43:33 mweksler: Need also to be able to provide access to terms of service agreed to for sign-up 08:43:36 q- 08:43:41 ack rouslan 08:43:41 ...in short: let's do all things at once rather than serially 08:44:06 Rouslan: If we build this, will you start using this? 08:44:31 mweksler: This is one of the things that the team that evaluated PR API were looking at as a key benefit 08:44:39 ...if they had had this feature they would have used it 08:44:55 Alex: One of the biggest priorities is the guest checkout experience 08:45:43 Alex: The high priority is getting the payment and signup done 08:46:00 ...once the user has paid and has an active reservation, it's easier to ask the user to provide data 08:46:11 ack giulio 08:46:16 ...but if you have to get all the data in advance, it's less likely the user will complete the reservation 08:46:26 Giulio: With Apple Pay we are big pay of guest checkout 08:46:46 ...we have several implementations that can accomplish this goal. 08:46:49 s/big pay/big fans/ 08:46:57 ...get the payment and then use the info to create an account 08:47:08 ....the big question is what's the data: password? birthday? 08:47:46 ...there are several examples of this sort of thing being done 08:48:04 ...we have some examples where at end of payment a "silent account" was created without a password 08:48:14 ...but we've moved away from that. 08:48:44 ...for a while the approach was to add a password after the payment. ... but now we are moving toward "sign in with apple" 08:48:49 q? 08:48:54 ack marcos 08:49:19 Marcos: For Airbnb you may need to send passport photo. 08:49:31 ...at some point we are going to end up at just another browser tab 08:49:59 ...I am concerned that payment handlers become too heavy....we have APIs to achieve some of these things already 08:50:33 ....do we just need an overlay browser context for payment handlers? 08:50:58 ...we want to be able to do logins on the Web....I think we all want to solve that problem 08:51:07 ack Cicely 08:51:10 ack Cilc 08:51:13 ack Cii 08:51:13 Ciicley, you wanted to discuss Marcos 08:51:15 ack Ciicley 08:51:18 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 08:52:00 alex_liu has joined #wpwg 08:52:45 alex_liu has joined #wpwg 08:53:12 NickTR: Dinner at 7pm. Thanks everyone for concentration today! 08:53:31 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 08:54:25 mweksler has joined #wpwg 09:00:08 bryanluo has joined #wpwg 09:02:53 bryanluo_ has joined #wpwg 09:07:16 benoit has joined #wpwg 09:20:49 AdrianHB has joined #wpwg 09:33:42 jezza has joined #wpwg 09:34:36 alex_liu has joined #wpwg 10:15:34 jessie has joined #wpwg 11:16:23 Zakim has left #wpwg 11:25:43 benoit has joined #wpwg 12:14:20 AdrianHB has joined #wpwg 12:15:33 alex_liu has joined #wpwg 12:17:40 alex_liu has joined #wpwg 13:06:57 bryanluo has joined #wpwg 13:24:36 rouslan has joined #wpwg 14:07:37 rouslan has joined #wpwg 14:20:30 bryanluo has joined #wpwg 14:44:31 rouslan has joined #wpwg 15:04:05 alex_liu has joined #wpwg 16:14:55 stpeter has joined #wpwg 16:30:33 marcosc has joined #wpwg 16:46:46 marcosc has joined #wpwg 16:48:06 marcosc has joined #wpwg 17:22:54 marcosc has joined #wpwg 18:03:00 rouslan has joined #wpwg 18:24:37 marcosc has joined #wpwg 19:30:15 marcosc has joined #wpwg 20:12:22 rouslan has joined #wpwg 20:32:14 marcosc has joined #wpwg 21:08:01 rouslan has joined #wpwg 21:33:06 marcosc has joined #wpwg 21:43:43 marcosc_ has joined #wpwg 22:06:46 rouslan has joined #wpwg 22:38:36 marcosc has joined #wpwg 22:54:20 rouslan has joined #wpwg 23:00:28 justin_toupin has joined #wpwg 23:42:24 bryanluo has joined #wpwg 23:43:13 takashi has joined #wpwg 23:44:02 norie has joined #wpwg 23:44:17 Masa_JCB has joined #wpwg 23:44:40 bryanluo_ has joined #wpwg 23:45:51 alex_liu has joined #wpwg 23:46:58 AdrianHB has joined #wpwg 23:51:33 jezza has joined #wpwg 23:52:31 cwarnier has joined #wpwg 23:52:55 gildas has joined #wpwg 23:54:34 mweksler has joined #wpwg 23:57:00 Fawad has joined #wpwg 23:57:51 Cheryl_M has joined #wpwg 23:57:52 Vishal-Expedia has joined #wpwg 23:57:56 pranjal has joined #wpwg 23:58:49 benoit has joined #wpwg 00:03:05 bryanluo has joined #wpwg 00:03:18 AdrianHB has joined #wpwg 00:03:20 jezza has joined #wpwg 00:03:45 krystosterone has left #wpwg 00:03:47 Masa_JCB has joined #wpwg 00:03:55 krystosterone has joined #wpwg 00:04:07 dave2037 has joined #wpwg 00:05:41 jfontana has joined #wpwg 00:05:41 jeff has joined #wpwg 00:05:44 rouslan has joined #wpwg 00:06:01 present+ 00:06:23 Ciciley has joined #wpwg 00:06:27 Sophie has joined #wpwg 00:06:31 Present+ 00:07:00 frank has joined #wpwg 00:07:04 present + 00:07:29 Zakim has joined #wpwg 00:07:32 RRSAGENT 00:07:34 invite RRSAGENT 00:07:57 Meeting: Web Payments Working Group 00:08:02 Chair: Nick Telford-Ree 00:08:10 vkuntz has joined #wpwg 00:08:18 present+ 00:08:21 Agenda: https://github.com/w3c/webpayments/wiki/FTF-Agenda-201909 00:08:24 present+ jfontana 00:08:26 present+ Ciciley 00:08:29 present+ Fawad 00:08:35 present+ nicktr 00:08:49 present+ 00:09:03 present+ 00:09:09 Topic: Merchant/Consumer Pain Points 00:09:11 jezza has joined #wpwg 00:10:50 present+ 00:10:53 present+ 00:11:04 present+ 00:11:04 heejin has joined #wpwg 00:11:05 present+ 00:11:07 present+ 00:11:09 present+ 00:11:09 present+ 00:11:12 agektmr has joined #wpwg 00:11:12 Roy has joined #wpwg 00:11:13 present+ 00:11:15 jonathan has joined #wpwg 00:11:15 present+ 00:11:15 present+ 00:11:16 present+ 00:11:16 present+ 00:11:16 present+ 00:11:17 present+ 00:11:19 present+ 00:11:19 present+ 00:11:20 present+ 00:11:21 present+ 00:11:25 present+ 00:11:26 rrsagent, this meeting spans midnight 00:11:28 Giulio has joined #wpwg 00:11:31 tomasz has joined #wpwg 00:11:35 florent has joined #wpwg 00:11:35 present+ 00:11:37 wanli has joined #wpwg 00:11:41 present+ 00:11:41 present+ 00:11:47 bryanluo has joined #wpwg 00:11:48 dezell has joined #wpwg 00:11:50 present+ 00:11:53 scribenick: nicktr 00:12:00 present+ 00:12:19 Topic: Consumer and Merchant pain points 00:12:20 present+ 00:12:24 sakiko has joined #wpwg 00:12:31 present+ 00:12:38 JV has joined #WPWG 00:12:57 Ian: Our first session comes after a suggestion from Lawrence Cheng 00:13:23 ...We have collated information about both consumer and merchant painpoints 00:13:38 estes has joined #wpwg 00:13:43 ...Later we will run some mini-breakouts 00:13:45 present+ 00:13:48 present+ 00:13:51 present+ 00:14:13 [Slides] -> https://www.w3.org/2019/Talks/ij-painpoints-201909/#start 00:14:46 [Slide - painpoints at checkout] 00:16:07 Ian - I think we have done pretty well on tackling many of these points 00:16:24 present+ dongwoo 00:16:30 Lawrence - I am sure we can add to these 00:16:55 Lawrence: We should look at these with a "pinch of salt" 00:17:00 vkuntz has joined #wpwg 00:17:08 ...and what is the wider context 00:17:23 ...and does payment request address these? 00:17:45 jezza has joined #wpwg 00:17:55 Ian: Would be great to collate more point points from the group (invites colleagues to contribute via IRC) 00:17:57 q? 00:18:43 maxh has joined #wpwg 00:19:04 html5cat has joined #wpwg 00:19:04 Vincent: shipping options/addresses for smaller countries are often not well provided for 00:19:27 [Slide - trust, security and privacy] 00:19:27 vkuntz has joined #wpwg 00:20:23 Ian: We may not be able to do so much on these topics 00:21:00 vkuntz: the bigger online sellers are not present in Belgium (for example) and do not ship there 00:21:11 q+ 00:21:26 ...but often the consumer doesn't know about this till the end of checkout 00:21:42 jezza has joined #wpwg 00:21:56 ack rouslan 00:22:04 Pain points: shipping location not indicated upfront - shipping actually not possible to a specific country 00:22:27 rouslan: vkuntz's use case is very interesting 00:22:53 ...I would probably start by geo-locating the IP address of the consumer and display a warning 00:23:44 yyyy: what does best practise look like with payment request? 00:24:00 s/yyyy/ciciley/ 00:24:08 Ian: we have some developer documentation but happy to add that to the list 00:24:39 [group takes moment to pat itself on the back] 00:25:00 ian: next we look at merchant painpoints 00:25:24 [back to slides - payments and checkout] 00:25:44 q+ 00:25:49 ian: redirection to hosted payment page is called out as poor user experience 00:26:21 ack Vishal-Expedia 00:26:52 vishal-expedia: how does Payment Request deal with the hosted payment page challenge? 00:27:21 ian: here's a demo 00:27:39 [demo appears in japanese] 00:28:15 ian: payment handlers solve for this. User doesn't lose the merchant context 00:28:54 Vishal-Expedia: what about 3DS 2.x? 00:28:59 q+ 00:29:07 q+ comment: there are concerns about issuer approval rates as well 00:29:26 marcosc has joined #wpwg 00:29:33 ian: the security task force is looking at this - in short it's tackled by the improved experience of handler 00:30:09 rouslan: payment handleris treated like a full page redirect but appears as an overlay 00:30:21 ack rouslan 00:30:21 q+ 00:30:30 ack Ciciley 00:31:04 Ciciley: the other pain point is that stronger authentication negatively affects approval rates 00:31:35 ...most merchants are frustrated about why transactions are being declined (cards) 00:32:29 jonathan: the point of 3DS2 is to provide better scorer to the issuer but this information may not be known to the merchant 00:32:40 s/scorer/scores/ 00:32:52 ...so the expectation is that approval rates should improve 00:32:56 q? 00:33:47 David: Login while traveling a pain point 00:33:48 benoit: I think the demo showed a good pain point - localisation which might not be appropriate 00:34:22 ...but also if the issuer doesn't step up the authentication and then declines the subsequent tx then that really sucks 00:34:50 ian: on trust/security, payment handler attempts to reduce the complexity/cost of providing more secure experiences 00:35:12 q+ 00:35:16 ack benoit 00:35:35 lawrence: on security, I think the key is "that work for customers" 00:35:41 q+ comment friendly fraud 00:35:52 ...also would be good to talk about firendly fraud 00:35:57 ack nicktr 00:36:03 scribenick: Ian 00:36:24 Ciciley: Lawrence, I was queued up to talk about friendly fraud. 00:36:36 q? 00:36:44 ...I think it's appropriate for this group to figure out during auth to figure out it's the "parent not the child" 00:37:10 ...where issuer thinks parent authorized a transaction, then the bank is liable and they'd like to reduce that 00:37:16 ...too many Fortnite purchases. 00:37:32 ....that's another step in the right direction....ensuring the right person is authorizing the transaction. 00:37:39 q+ 00:37:41 ack Nick 00:37:55 What is "friendly fraud"? 00:37:57 NickTR: People would be shocked at the size of the friendly fraud problem, e.g., on the order or 40% 00:38:03 ...or "buyer regret" 00:38:42 vkuntz_ has joined #wpwg 00:38:54 NickTR: Many children can unlock their parents' phones 00:39:03 ...I think it's something that would be hard for us to trackle. 00:39:08 s/trackle/tackle 00:39:33 ..I note also that some payment mechanisms (non-card) do not include chargeback mechanisms 00:39:37 q? 00:39:54 ack Jonathan 00:39:55 q? 00:40:00 Masa_JCB has joined #wpwg 00:40:02 Jonathan: I think the use of WebAuthn and biometrics helps a lot 00:40:26 ...the problem we have with device biometrics is that there is no way to link to a specific individual 00:40:33 wonsuk has joined #wpwg 00:40:49 present+ Wonsuk_Lee 00:40:55 ...if there were a way for a given transaction to have more specific authentication, that could be interesting 00:40:56 q? 00:40:57 present+ 00:42:00 unlocking a device and authenticating payment should be different things 00:42:05 scribenick: nicktr 00:42:08 q+ 00:42:40 lawrence: if we could crack some of these points, then we could give ourselves a real leg-up in getting merchant adoption 00:42:56 ...so the question is do we see any USPs in payment request 00:43:25 ian: for our webauthn colleagues in the room, are you looking at this issue of more personalised ID? 00:43:43 Unique Selling Point 00:43:53 zzzz: it's something we've looked at - many platforms are missing the ability 00:44:17 (IJ hears: "segmenting biometric templates" raises usability issues) 00:44:37 zzzz: we may end up with a system that is too complex for consumers to use 00:44:58 xxxx: it's the individualistic biometrics that are difficult 00:45:20 zzzz: you could have separate hardware tokens for different users 00:45:33 q+ 00:45:49 zzzz: once you have multiple templates on a single device, it gets very difficult to understand 00:46:39 ack Vishal-Expedia 00:46:41 zzzz: and it's difficult to design biometric systems which are not defeatable 00:47:12 vishal: it's not just kids - also criminals forcing users to biometrically authenticate 00:47:19 Vishal: Netflix does this well - ok to have friction to set up new profile 00:47:28 ...they ensure there's a kids profile 00:47:33 q? 00:48:14 Jonathan: You can have different profiles, but the same biometrics can access the profiles 00:48:39 zzzz: On newest Android, and where not blocked by carriers, templates are available 00:48:41 q? 00:48:44 ack benoit 00:49:00 benoit: Multiple profiles on the phone is a good concept but agree with usability challenge 00:49:02 q+ 00:49:25 ...I think the real solution to this (but not necessarily for this WG)....I could set up a flag on a biometric "this fingerprint cannot be used to authorized payments" 00:49:32 ack de 00:50:20 dezell: Some pain points for us at Conexxus: 00:50:24 - EMV at the pump 00:50:28 jezza has joined #wpwg 00:50:32 q? 00:50:34 - Second generation EMV 00:50:50 +1 for better granularity of control of permissions granted to specific biometrics (but consumers are unlikely to set up) 00:50:59 - SRC seems ok but Conexxus members still waiting to see how works with PR API 00:51:37 +1 for better granularity as well 00:51:51 - Anticipate more remote payments (e.g., barcode based payments) 00:52:25 dezell: I think this group has done a great job, industry has evolved since we started this work; and this group has not done harm! :) 00:53:24 dezell: Merchants need more consumer data; but GPDR and and California rules make it challenging 00:53:31 scribenick: nicktr 00:53:36 ian: back to the slides 00:54:20 ian: integration is complex - we heard yesterday from AirBnB that it would be great to do more (like sign up) with PR 00:54:57 q? 00:55:41 [rules and regulations] 00:56:49 ian: we have a lot of items on our backlog for shipping 00:57:01 sakiko has joined #wpwg 00:57:07 present+ 00:57:21 jezza has joined #wpwg 00:58:17 ian: but we have not looked (to date) at a lot of new features because the consensus was to finish v1 first 00:58:21 present+ 00:58:52 ian: let's organise into 4 groups and prioritise this list of 16 pain points 00:58:52 q 00:58:57 q+ 00:59:08 q? 00:59:37 ack html5cat 01:00:04 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 01:00:40 jezza has joined #wpwg 01:00:45 html5cat: at Puma browser, we would like to see if our browser could be helpful for some of these painpoints - we are not bound by the incumbent user bases of the big browsers 01:00:47 +1 01:00:54 ...we can innovate quickly 01:01:05 jezza has joined #wpwg 01:01:31 [breakouts occur] 01:03:51 jessie has joined #wpwg 01:03:53 my email is yuriy@pumabrowser.com if anything and our site is https://www.pumabrowser.com . I'll be at Coil sponsor booth if you're at TPAC in-person. 01:18:30 bryanluo has joined #wpwg 01:22:25 mweksler has joined #wpwg 01:24:21 marcosc has joined #wpwg 01:27:11 frank has joined #wpwg 01:33:46 rouslan has joined #wpwg 01:34:17 bryanluo has joined #wpwg 01:34:24 jessie has joined #wpwg 01:40:22 pranjal has joined #wpwg 01:45:57 jezza has joined #wpwg 01:46:45 jessie has joined #wpwg 01:47:55 pranjal has joined #wpwg 01:50:04 bryanluo has joined #wpwg 01:52:57 dezell has joined #wpwg 01:54:14 pranjal_ has joined #wpwg 01:54:58 pranjal_ has joined #wpwg 01:55:01 HirokiEndo has joined #wpwg 01:55:19 HirokiEndo has left #wpwg 01:55:25 pranjal has joined #wpwg 01:55:26 bryanluo has joined #wpwg 01:56:25 HirokiEndo has joined #wpwg 01:57:56 mweksler has joined #wpwg 02:00:36 hendo has joined #wpwg 02:01:27 michelweksler has joined #wpwg 02:03:23 frank has joined #wpwg 02:03:47 jonathan has joined #wpwg 02:04:29 AdrianHB has joined #wpwg 02:04:52 Masa-JCB has joined #wpwg 02:04:55 takashi has joined #wpwg 02:05:39 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 02:05:51 Topic: Review of pain point breakout findings 02:05:56 -> https://www.w3.org/2019/09/wpwg-ftf/ Images 02:06:40 scribenick: Ian 02:07:18 Gerhard has joined #wpwg 02:07:20 present+ 02:08:31 -> https://www.w3.org/2019/09/wpwg-ftf/wpwg-pp1.jpg Adrian's group 02:08:43 AdrianHB: We thought everything was important 02:08:48 Fawad has joined #wpwg 02:08:58 ...a common theme was that a lot of pain points could be addressed through more widespread use of payment handlers 02:09:54 jv has joined #wpwg 02:10:07 urata has joined #wpwg 02:10:47 gildas has joined #wpwg 02:11:27 marcosc has joined #wpwg 02:11:37 present+ 02:12:48 -> https://www.w3.org/2019/09/wpwg-ftf/wpwg-pp2.jpg Ian's group 02:12:59 -> https://www.w3.org/2019/09/wpwg-ftf/wpwg-pp3.jpg Lawrence's group 02:13:21 Lawrence: For global players, simplifying cross-border important and difficult 02:13:40 ....for local merchants that do export today, there are not a lot of options for them to do cross-border payments and it can be expensive 02:14:06 ...at the same time, we have situation with wallet players for cross-border payments....the volumes are quite low (e.g., Chinese tourists using Apple Pay today) 02:14:23 ..the other one I want to point out is "optimal speed for checkout"...not too fast/too slow 02:14:39 ...for new-to-merchant consumers we thought it was important but somewhat difficult 02:15:10 ..but for returning customers, as important but not as difficult 02:15:20 Ian: We also talked about not too fast/not too slow 02:15:36 Lawrence: We observed our goal ultimately is imperative conversion and reduce chargebacks. 02:15:56 ....to be able to tick the box that we have succeeded we need to be able to show scale 02:16:11 -> https://www.w3.org/2019/09/wpwg-ftf/wpwg-pp4.jpg Nick's group 02:16:31 Rouslan: We had some challenge figuring out who this was related to (difficult for whom? important to whom?) 02:16:43 ...maybe privacy would be super important to users if more was communicated to them. 02:17:20 ...on the other hand, in terms of difficulty, some things may be difficult for PSPs today, but some things might be shifted to UAs through web payments 02:17:30 ...our process was first to figure out what was important, then we assigned difficulty 02:17:34 [Ian: We did that as well] 02:18:34 ....we had some confusion around "account-free checkout" 02:18:40 ...who is the account with? 02:19:08 ...I think the most difficult things to figure out are things that are product challenges (moreso than engineering challenges) 02:19:28 ...so reduce auth friction and speed up checkout...those are great...it requires a lot of experimentation and user studies to do this well 02:19:37 ...so it's actually quite challenging to do in practice 02:20:00 q? 02:20:33 jezza has joined #wpwg 02:21:01 Ciciley has joined #wpwg 02:21:13 present+ 02:21:17 Ian: Next steps - four of us synthesize and report back 02:21:20 Topic: Rechartering 02:23:11 Topic: Rechartering 02:28:25 q+ to note that Credit Transfers will probably become more relevant with PSD2 in Europe 02:32:17 q+ 02:32:26 q+ 02:33:14 q++++ 02:33:26 q- +++ 02:33:34 lol 02:34:40 Giulio has joined #wpwg 02:35:47 q- ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 02:36:10 q+ 02:36:12 ack vkuntz_ 02:36:12 vkuntz_, you wanted to note that Credit Transfers will probably become more relevant with PSD2 in Europe 02:36:32 Lawrence: can we have a table showing the possible and actual combinations of browsers and payment methods? 02:36:37 lawrence: can we table the combinations of browser and payment method that we expect to work/not work? 02:36:58 ack rouslan 02:37:24 Rouslan: Chrome's position is to support as many options as possible 02:37:52 ...so we'd like to see no tie-in between handler and browser 02:37:59 ...though that isn't the current reality 02:38:04 scribenick: Ian 02:38:18 saschanaz has joined #wpwg 02:38:28 nicktr: Payment handlers can help localize the user experience; there's now way that a browser is going to adapt to all the local requirements 02:38:33 ...so payment handlers are the future 02:38:34 rouslan: we think the future is more payment handlers - especially for edge case 02:38:38 s/nicktr:/rouslan: 02:38:56 rouslan: basic card isn't really implemented anywhere but Chrome 02:38:57 rouslan: We can probably stop working on Basic Card. 02:39:03 w? 02:39:06 q? 02:39:07 ack mar 02:39:11 ...but we could probably stop supporting it 02:39:20 sakiko has joined #wpwg 02:39:25 Sophie_ has joined #wpwg 02:39:28 present+ 02:39:29 marcosc: We think that basic card is "worth it" but it's challenging to do well; we had about 10 people working on it 02:39:47 ...if anyone out there wants to be the Basic Card provider for FF, contact me! 02:39:56 q? 02:40:17 marcosc: I agree that having multiple payment handlers would be ideal 02:40:37 q? 02:40:39 ...FF would need resources to do and maintain Basic Card. 02:40:41 ack Gerhard 02:40:44 ack Gerhard 02:40:48 Gerhard: I think Basic Card is useful. 02:40:59 ...regarding SRC subsuming 3DS and tokenization 02:41:23 ...all three of them are "optional" and "interoperable" but need not be used all together 02:41:41 jezza has joined #wpwg 02:41:47 ...it's important for me and I think the industry that with PR API that the flexibility be maintained 02:42:06 q? 02:42:07 ...I agree that the 3 together would be a beautiful symphony, but don't assume merchants will demand to use all three of them. 02:42:15 q+ 02:42:21 urata_ has joined #wpwg 02:42:22 q+ 02:42:37 Jungkee: I agree with how Ian captured the spec status in Edge. 02:42:53 ...we support the idea of supporting multiple payment handlers. We don't have any plans to disable any payment handlers. 02:43:00 ...regarding Basic Card, Edge already supports it. 02:43:37 ...I see no reason to stop working on Basic Card 02:43:40 q? 02:44:10 q+ to distinguish between basic-card and the need for basic-card handler built into browsers 02:44:38 Jungkee: It's an ongoing discussion with MS about relationship to MS Wallet; but I don't have any updates about MS Pay 02:44:59 q+ 02:45:04 jbarclay has joined #wpwg 02:45:06 q- 02:45:09 q+ justin 02:45:11 Jungkee: So we'd like to figure out how to further promote PR API 02:45:14 dwim has joined #wpwg 02:45:21 ...including more communication with customers, merchants, partners 02:45:41 ...are there good ways to approach merchants let's discuss 02:45:56 q? 02:46:24 dongwoo: Here's a status update from Samsung - we also support Basic Card in Samsung Internet browser. 02:46:37 ...so I think Basic Card remains useful and we should at least maintain this as a solution 02:46:43 ...Samsung Pay also works on Android. 02:46:58 ...and we're happy to work with other browsers and other collaborations with payment handlers 02:47:01 ack benoit 02:47:44 benoit: Will SRC be required for all issuing banks? If the answer is no, then we need another payment method for other cards the are issued 02:48:05 Jonathan: SRC does not require tokens 02:48:24 q+ 02:48:55 [Question about whether SRC would ultimately subsume Basic Card] 02:49:23 benoit: We can't eliminate Basic Card unless we have a replacement that meets the requirements. 02:49:27 q? 02:49:34 q+ 02:49:36 JonathanG: Could you list the requirements you have in mind? 02:50:29 q+ 02:50:29 jv: The basic premise is we need a minimal level of interop; card payments (basic) are the de facto. Seems Basic Card is basically done (but for Safari). 02:50:38 ....we need something that works "most of the time" otherwise PR API won't be adopted. 02:50:45 q? 02:50:58 ....3DS is no longer really optional (cf Europe) 02:51:13 ...tokens are not that hard to do, so I think they will be increasingly used as a trinity 02:51:23 AdrianHB: I think it's important to make the following distinction - 02:51:36 +1 02:51:42 ...merchants should be able to get card details back, but that doesn't necessarily mean that the card details need to be returned by the browser. 02:51:49 (Rouslan gives a +1 to that assertion) 02:51:57 q+ 02:52:01 ack jv 02:52:13 AdrianHB: Today Basic Card is basically replacing autofill....in my opinion, that's the sticking point for the moment 02:52:24 q+ 02:52:35 ...I think it's useful to distinguish the simple ability to return card details, but can we change how that's implement today? 02:52:40 ack Adr 02:52:40 AdrianHB, you wanted to distinguish between basic-card and the need for basic-card handler built into browsers 02:52:48 ack justin 02:52:49 q+ 02:52:59 q? 02:53:09 justin: Chrome ships with an implementation of basic card. There could be third parties that are willing to support basic card (think "Firefox") 02:53:35 jeff_ has joined #wpwg 02:53:35 ...if the browsers are not building support, are there third-party payment handlers willing to step up to support the payment method? 02:53:56 ...we had a lot of conversation yesterday about 3DS....I also challenge the assumption that it's covered by SRC. 02:54:07 ...I think there's some more thinking to do on that 02:54:10 ack nick 02:54:13 ack nicktr 02:54:39 nicktr: As much as I'd like to see Basic Card go away (due to security challenges), the reality is that we need to have basic card 02:54:44 +1 Keep 3DS/Authentication separate from SRC 02:54:50 ...so I think it's difficult for merchants to see the benefit of implementing PR API 02:55:16 ...because there is not a single payment method supported across all browsers, that's a key disincentive to adoption 02:55:24 Fawad_N has joined #WPWG 02:55:29 ...if I could pick one key thing in rechartering, it would be to have one payment method that works across browsers. 02:55:30 q? 02:55:40 ack ciciley 02:55:50 zakim, close the queue 02:55:50 ok, AdrianHB, the speaker queue is closed 02:56:02 Ciciley: There are some payment brands that have landed support for some aspects of SRC 02:56:19 ack Vishal-Expedia 02:56:43 Vishal-Expedia: We've been having SRC conversations for 1 year. There are some use cases within Expedia where Basic Card is absolutely required 02:56:58 ....so not having Basic Card would mean we would not adopt PR API 02:57:08 ack Gerhard 02:57:10 ...I think you need to ask 100 merchants for their views on the importance of Basic Card 02:58:07 Gerhard: Maybe the answer is to extend Basic Card to support an e-commerce token (that merchants are being required to accept) 02:58:36 ack tomasz 02:58:59 ..perhaps useful for merchants to reduce PCI burden via e-commerce token 02:59:25 q+ to talk about the "killing" 02:59:26 Tomasz: What else would we add to Basic Card? We could stop work on Basic Card and it could still be used by the industry. 02:59:28 I'd like to suggest that the security task force looks at Gerhard's suggestion - we were looking at "tokenized" payments before SRC came along. Can we support both? 03:00:01 Rouslan: We are not really talking about killing Basic Card, just no longer working on the spec. 03:01:13 kimwooglae has joined #wpwg 03:02:09 [Andy can you type?] 03:02:13 I don't want to derail the meeting, so it's ok if you can't hear me :) 03:02:15 sure, I'll type 03:02:25 marcosc has joined #wpwg 03:02:30 hendo_ has joined #wpwg 03:02:32 jezza has joined #wpwg 03:04:29 AdrianHB: If we are going to fully embrace payment handlers, shouldn't basic card support be more like other payment handlers? 03:05:20 ...I have some slides for after lunch 03:06:24 justin_toupin has joined #wpwg 03:06:36 jeff__ has joined #wpwg 03:07:06 ian: one question to consider, are there other payment methods we need to consider 03:07:26 ... prioritization of future work 03:07:49 ... we have developed good liasons with FIDO and EMVCo, are there others? 03:08:07 ... we also need to think about how long the new charter should last 03:08:27 [STRAWPOLL] Any objections to recharting? 03:08:31 - None 03:09:01 ian: next steps is for chairs to draft proposed new charter 03:09:07 q? 03:09:12 zakim, open the queue 03:09:12 ok, AdrianHB, the speaker queue is open 03:09:21 ack estes 03:09:26 Ian: I just wanted to agree with AdrianHB 03:10:07 Gerhard: Yesterday we say a presentation on QR codes. EMVCo has a standard. We are seeing more demand for it. Should we explore QR codes in our charter? 03:10:09 +1 03:10:11 +1 for QR 03:10:21 Ian: we didn't see basic card built into safari as a meaningful improvement over autofill 03:10:41 +1 for QR 03:11:01 Ian: and thought it could introduce user confusion to show a payment sheet that might look like Apple Pay but not offer its security benefits 03:11:09 q+ to talk about autofill and basic-card 03:11:46 Ian: Could auto-fill plug into PR API requests for Basic Card 03:11:48 jv has joined #wpwg 03:11:56 Justin: Some issues around user-consent in that model 03:12:19 Rouslan: For auto-fill-to-basic-card...something even more interesting than that is flowing in the other direction... 03:12:33 ...data flows from basic card payment handler to auto-fill fields 03:12:47 ...so the merchant doesn't need to use PR API, but Payment Handlers are still useful to users. 03:12:52 q? 03:12:55 ack rouslan 03:12:55 rouslan, you wanted to talk about autofill and basic-card 03:13:12 AdrianHB: We've had at least one example of a 3rd party payment handler that did Basic Card (this was Klarna) 03:13:30 norie has joined #wpwg 03:13:33 ...are there others who might explore that if Basic Card were the ubiquitous option? 03:14:00 +1 03:14:14 IJ: I recall the value proposition was riding basic card rails without requiring any changes to merchant site 03:14:35 RRSAGENT, make minutes 03:14:35 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 03:15:20 frank has joined #wpwg 03:15:33 Ian: So next steps is for the Chairs to come up with a draft charter based on your comments and other data from this meeting 03:15:39 Topic: Web Monetization 03:15:42 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 03:16:02 AdrianHB: This is just a quick-ee intro; we can go listen to Stefan across the hall for more in 30 mins 03:16:29 ...a site that wants to accept streaming micropayments puts a tag in their site 03:16:42 ...the content of the tag is a URL that is a payment pointer 03:16:57 ...the way that the protocol works is that the browser fetches the document at that URL 03:17:09 ...the browser generates a session header (unique) 03:17:21 ...when payments are sent to the address, the address is slightly different for each session 03:17:24 ...to avoid correlation 03:17:39 ...the proposal in the WICG is a monetization object 03:17:55 -> https://interledger.org/rfcs/0028-web-monetization/ Web Monetization spec 03:18:14 q+ to ask whether the web has any other progress type events 03:18:21 q? 03:18:25 ...the event fires every time a payment is sent by the browser 03:18:45 ....in terms of sending the payments, Coil has implemented this as a browser plug-in; Puma has implemented this natively 03:18:59 ..what we are looking for is a new payment method called "monetization" 03:19:16 ..and implicitly there is no user interaction; there is assumed some pre-authorization of an amount 03:19:25 ...and as the user browsers small amounts of value are transmitted 03:19:48 ...a "web monetization agent" is a component in the browser that makes decisions on the user's behalf about how much to spend on each site 03:20:04 ...users need to be able to control their ability to pay on certain sites. 03:20:32 ...a core requirement is privacy - how do we build a client-side component that evaluates how much to pay and how much, but without becoming a tool for parties to track users? 03:21:00 ...the monetization agenda is authorized to make payments out of the user's wallet (which may be the same or different party from the party that does the monetization agent 03:21:04 s/agenda/agent 03:21:21 ...we've decoupled monetization agent from wallet. 03:21:36 ...e.g., use Coil's web monetization agent but pay via google pay 03:21:38 ack rouslan 03:21:38 rouslan, you wanted to ask whether the web has any other progress type events 03:21:47 pranjal has joined #wpwg 03:21:58 dezell has joined #wpwg 03:21:59 Rouslan: This is an interesting idea. A "progress" type event might be tricky to event 03:22:03 s/event/implement 03:22:08 jonathan has joined #wpwg 03:22:16 Rouslan: Marcos, do you know of any progress-type events? 03:22:24 marcosc: There is a progress element that has one 03:22:44 -> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/progress Progress indicator element 03:22:53 AdrianHB: We have been thinking about this as a streaming protocol 03:23:29 q? 03:23:34 rouslan, e.g., progress event from XHR https://xhr.spec.whatwg.org/#interface-progressevent 03:23:58 AdrianHB: On 16 September we (Coil) announced a "Grant for the Web" 03:24:17 -> https://www.grantfortheweb.org/ Grant for the Web 03:24:38 AdrianHB: We've set aside funds for grants to people who are developing content to push this ecosystem forward. 03:24:51 ...joint announcement with Mozilla and Creative Commons 03:25:06 ...the overlap with the WPWG is: 03:25:11 * Definition of a monetization payment method 03:25:15 * Role of payment handlers 03:25:30 ...one idea is web site calls PR API (instead of "meta") and payment handlers respond 03:25:45 ...there are breakouts tomorrow on this topic 03:25:49 q? 03:26:28 jezza has joined #wpwg 03:26:37 IJ: Describe user flow? 03:27:12 AdrianHB: You have money in a wallet. I get an authorization from that wallet in the form of an access token. I give that to the monetization agent. 03:27:24 ...I leave it up to that agent to make decisions about how to pay for content 03:27:36 IJ: What is payment request role? 03:27:38 q+ 03:27:57 AdrianHB: Potentially the merchant could use it to invoke web monetization, but without user interaction 03:28:18 IJ: That would require a change to PR API that requires a user gesture 03:28:25 ack html5cat 03:28:37 Yuri: If you pick up the Coil gift bag, you get some access to a Coil account, etc. etc. 03:29:00 Yuri: Get Puma! 03:29:10 Marcosc: I encourage people to check it out 03:29:29 [The crowd chants for demo!] 03:30:18 bryanluo_ has joined #wpwg 03:32:16 https://flood.enclavegames.com 03:34:25 jezza has joined #wpwg 03:34:29 AdrianHB: It's up to each site to figure out how they reward the monetization offer 03:34:46 ....e.g., in the above demo, the game provider offers free coins. Somebody else might, say, not show ads. 03:35:23 q+ 03:35:42 ack rouslan 03:35:51 Rouslan: Web Monetization based on ILP? 03:35:55 AdrianHB: Yes. 03:36:05 AdrianHB: The way we've done the payments rails is using ILP 03:36:28 ..ILP let's us set up an addressing space. 03:36:36 ...it's easy for us as Coil to route payments that way 03:36:57 ...it's not a payment network per se...just an addressing overlay on existing payment systems 03:37:03 Rouslan: Is that a hard dependency on ILP 03:37:22 AdrianHB: Not theoretically, but yes practically. There is no other way that is cost-effective for sending such small payments 03:37:56 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 03:38:14 Rouslan: Is Interledger being done at W3C? 03:38:52 AdrianHB: Work started at the W3C Interledger CG. There is now an Interledger Foundation. The intent is for all the IP to be held by that organization, and to stay open and RF 03:38:52 q+ 03:39:13 AdrianHB: https://tools.ietf.org/html/draft-thomas-interledger-00 is not standards track 03:39:20 ...we've not taken anything on a formal standards track 03:39:32 ..these are community-developed documents. 03:39:36 ack agektmr 03:39:52 agektmr: What is relation to Metamask? 03:40:02 AdrianHB: There are quite a few efforts to do this with cryptocurrencies. 03:40:19 ...if the hard dependency on crypto rather than ILP, that will be the end of the game for them 03:40:27 ..until things are built into browsers, it's not going to take off 03:40:44 ...if they were to do payments with payment systems we already use, they would be more successful 03:40:58 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 03:41:36 If anyone has a hdmi-> display port adapter I'd really appreciate it 03:41:42 jv has joined #wpwg 03:42:10 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 03:57:06 bryanluo has joined #wpwg 03:58:20 jezza has joined #wpwg 04:01:36 mweksler has joined #wpwg 04:01:45 bryanluo_ has joined #wpwg 04:03:58 jv has joined #wpwg 04:07:52 pranjal has joined #wpwg 04:11:06 rouslan has joined #wpwg 04:18:31 hendo has joined #wpwg 04:21:16 pranjal has joined #wpwg 04:25:41 jv has joined #wpwg 04:25:49 marcosc has joined #wpwg 04:32:53 bryanluo has joined #wpwg 04:34:57 alex_liu has joined #wpwg 04:35:32 alex_liu_ has joined #wpwg 04:42:08 mweksler has joined #wpwg 04:42:21 jezza has joined #wpwg 04:45:40 jezza has joined #wpwg 04:47:52 bryanluo has joined #wpwg 04:50:23 mweksler has joined #wpwg 04:52:41 alex_liu has joined #wpwg 04:54:24 marcosc has joined #wpwg 04:55:07 marcosc has joined #wpwg 04:55:32 jezza has joined #wpwg 04:56:37 alex_liu has joined #wpwg 05:00:01 frank has joined #wpwg 05:00:27 Sorry to distract everyone but am I only one hearing annoying high frequency noise in WP meeting room 05:01:33 cwarnier has joined #wpwg 05:01:46 jessie has joined #wpwg 05:02:57 no, I can hear it too 05:03:32 pea13 has joined #wpwg 05:03:33 canton_ has joined #wpwg 05:03:36 It really distracts me and I want it to be fixed.. Not sure how 05:03:37 bryanluo has joined #wpwg 05:03:46 jv has joined #wpwg 05:04:31 AdrianHB has joined #wpwg 05:04:37 Masa_JCB has joined #wpwg 05:06:15 marcosc has joined #wpwg 05:06:48 norie has joined #wpwg 05:07:11 takashi has joined #wpwg 05:07:12 jonathan has joined #wpwg 05:08:07 jezza has joined #wpwg 05:08:17 Fawad_n has joined #WPWG 05:08:18 Topic: Web Authentication Update 05:08:36 Tony: We're working on WebAuthn2. Also, we'd like to understand better payment handlers. 05:08:48 ...Web Authentication WG is rechartering through 2021 05:09:04 ...some level 2 features include: 05:09:12 - iframe support (for origins other than top-level origins) 05:09:25 ....can be helpful in payment flows you've described. 05:09:27 - some biometric things 05:09:30 - some specification cleanup 05:09:44 Ciciley has joined #wpwg 05:09:49 Gerhard has joined #wpwg 05:09:56 ...We have deployment of WebAuthn1 in Chrome, Edge, Firefox. In development in Safari (desktop) 05:09:57 present+ 05:10:08 ...we'd like for payment handlers to be able to use WebAuthn 05:10:31 ...we don't have delegation yet 05:10:44 ..it takes place between the relying party (the handler) and the client (the browser) 05:10:48 +q 05:10:56 ..we'd like to understand your requirements for authentication beyond the payment handler itself 05:11:09 ack marcosc 05:11:12 q+ 05:11:14 q+ 05:11:17 q+ 05:11:21 ella has joined #wpwg 05:11:52 marcosc: We have a payment sheet that operates as a top-level browsing context. 05:11:58 AdrianHB: We still need to cover delegation 05:12:17 Giulio has joined #wpwg 05:12:23 Tomasz: In the context of 3DS 2.0, there is a challenge flow that is sometimes implemented as an iframe. 05:12:26 jezza has joined #wpwg 05:12:36 q+ 05:12:37 ...it's not possible for the issuer to perform 3DS step-up without an iframe 05:12:44 ack tomasz 05:12:45 Tony: I had pointed to a pull request: 05:13:04 https://github.com/w3c/webauthn/issues/911 05:13:05 -> https://github.com/w3c/webauthn/issues/911 05:13:24 Tony: The group had wanted to go down the feature policy path; there were objections and we are trying to work through them 05:13:39 ...I think it's just feature policy itself. 05:13:42 ack Jonathan 05:14:00 Jonathan: There are a few things we discussed yesterday..."delegation" is one 05:14:10 Tony: We want to understand your use case and determine the best approach. 05:14:30 ...I have the feeling there are use cases where you'd like to carry authentication downstream. 05:14:36 q+ to talk about a delegation use case 05:14:39 bryanluo has joined #wpwg 05:14:51 urata has joined #wpwg 05:14:57 Jonathan: Someone who is not the relying party wants access to FIDO credentials and return signature back to relying party 05:15:25 ...a second use case is something to facilitate 3DS where the issuer has created credentials and the merchants would like to use them 05:15:47 Tony: There is some information we've agreed to with EMVCo about what information will be passed along [to 3DS] 05:15:54 urata has joined #wpwg 05:15:55 jv has joined #wpwg 05:16:08 Jonathan: In that case the relying party is still the merchant. But there are use cases where the relying party is not the merchant. 05:16:25 ...this morning we also discussed that it would be nice to distinguish from among users (that's more FIDO or platform thing) 05:16:36 Tony: Agree that's a platform question. 05:16:40 q? 05:17:00 zzzz: As mentioned earlier, profiles raise usability issues 05:17:25 ...if the wallet is doing the WebAuthn directly on the device, there is no concept currently of segmentation of the use of the credential. 05:17:52 ...it's easy to say "the wallet could do it" but then we'd have to have different enrollments all the way back up 05:18:01 ...the complexity goes up when building up all the things around it 05:18:14 Jonathan: I had in mind that the relying party at enrollment time could create some new things (e.g., templates) 05:18:46 zzzz: That's theoretically possible but the infrastructure parts may not be able to handle the segmentation 05:18:56 q? 05:19:19 jcj_moz has joined #wpwg 05:19:23 Jonathan: Yesterday we also spoke about the use case where the relying party wants to know what key ids belong to it. 05:19:42 ...is that something that is standardized? 05:19:58 zzzz: It's standardized so that the relying party can never know that. 05:20:08 Jonathan: Even if the relying party created the keys? 05:20:26 JohnBradley: We can't create a super cookie that can be returned without user consent 05:20:39 ..if you want to create a cookie to memorize credentials, you can just do that. 05:20:49 jv_ has joined #wpwg 05:20:53 s/zzzz/John Bradley/g 05:20:57 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 05:21:25 Jonathan: Is there a privacy issue to know what authenticators are on the platform? 05:21:27 JohnBradley: Yes 05:21:52 JohnBradley: There is at least one person on this side of the table who has concerns about adding to browser fingerprinting. 05:22:15 Jonathan: You would like to know whether there is an authenticator on the platform. 05:22:43 JohnBradley: You can learn "there is an authenticator" and for some platforms you know what that is, but you cannot find out what biometrics are supported by that authenticator 05:22:53 q? 05:23:00 justin_toupin has joined #wpwg 05:23:11 Tony: You can ask for user verification, but you can't ask for implementation of that 05:23:22 jezza has joined #wpwg 05:23:32 Gerhard: I want to touch on 2 edges of the spectrum 05:23:48 ...one things mentioned in SCA is secure display 05:24:04 ...right now there are 2 levels: user presence, 2 factor 05:24:14 q- 05:24:15 ...but there's missing a third level - secure display 05:24:31 ...it would be great to combine "secure display" with getting biometric 05:24:54 JohnBradley: That's defined by the spec but supported in no browsers or authenticators...there's no support by browsers 05:25:14 ...the counter-proposal would be to have something that is more generally deployable 05:25:22 frank has joined #wpwg 05:25:26 ...nothing in SCA says the secure display has to be part of the authenticator itself 05:25:36 ...but I would argue if your browser is compromised you have bigger problems. 05:25:50 ...so in WebAuthn we could have info from the payment handler signed as part of the client data 05:26:12 ...I think we could meet SCA requirements across all browsers with existing authenticators...signing the payment handler output in client data 05:26:53 q? 05:26:55 q? 05:27:03 ack Gerhard 05:27:17 florent has joined #wpwg 05:27:40 Gerhard: That is the open banking scenario; you may have registered 5 authenticators and the calling party (the "AISP") might have to reach out to all five, and all five might decide to do their token step-up and that would be a bad UX 05:27:47 q? 05:27:48 vkuntz has joined #wpwg 05:27:58 ...so any way to passively sign to give a lower risk indicator and defer step-up; that would be useful. 05:27:58 present+ 05:28:13 JohnBradley: Silent signatures from relying parties raise the same fingerprinting concerns 05:28:48 dezell has joined #wpwg 05:28:57 Gerhard: I'd like to say "If I can prove who I am ..." 05:29:08 JohnBradley: Should be able to use cookie 05:29:20 ...token binding comes to mind here 05:29:33 Tony: You could do something through cached credentials (somewhat how UAF does this today) 05:29:42 JohnBradley: It would be an interesting privacy discussion 05:29:43 q? 05:29:51 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 05:30:15 Gerhard: Many rules are based on risk assessments. If I can get more proof of who the person is, I can have less friction, and less abandonment. 05:30:50 JohnBradley: Token binding intended to fulfill that...but token binding is on hold as Google and MS work out issues. 05:31:20 JohnBradley: You can use token binding to ensure a cookie cannot be exfiltrated from browser. 05:31:58 Tony: I propose that we have a task force between our two WGs 05:32:06 ...to ensure that we have the use cases and we do the flows 05:32:13 ...and that can be brought back to the WG for discussion 05:32:37 jezza has joined #wpwg 05:32:50 NickTR: My use case builds on Gerhard's....you were describing account aggregation 05:33:02 ..my vision of payment handlers in the credit transfer space is very similar 05:33:15 ...imagine you have a payment handler that is aware of the user's different current accounts with different banks. 05:33:34 ...in principle there's a use case where you authenticate once to the payment handler, and you don't have to re-authenticate for each bank account. 05:33:59 ...if you read the primary legislation (PSD2), it's the bank's responsibility, but that could be delegated (to the payment handler) 05:34:14 ...so the payment handler should be able to pass auth credentials to a bank without more user interaction 05:34:27 ...nobody is going to use a flow with multiple authentications 05:34:34 ...I'd love to dive into this use case (even if hard) 05:34:52 Jonathan: There is a distinction between "delegation" and "delegation." :) 05:35:16 ...e.g., the bank could delegate to the merchant or payment handler who is the relying party 05:35:28 ...but the second meaning of delegation is that the relying party IS the issuer 05:36:03 ...so you registered with the issuer, and then in another context the bank says "I allow you to use my credentials"; that's a different form of delegation...the bank still owns the credentials, but they provide them to someone else who can return something to the bank 05:36:11 JohnBradley: We are considering the latter form of delegation 05:36:16 ...the iframe could be invisible. 05:36:42 ...you could do an invisible iframe to the bank and using post message and a protocol between merchant and bank for credentials 05:36:48 ..that has some good privacy properties 05:36:52 urata has joined #wpwg 05:37:09 ...essentially if you allow the second model you enable correlated identifier that may be a backdoor tracking mechanism 05:37:22 shu has joined #wpwg 05:37:27 ...we want to figure out how to give equivalent functionality with privacy 05:37:35 NickTR: In my use case, nothing goes back to the merchant 05:37:47 JohnBradley: Replace merchant here with wallet provider; same issue 05:38:07 ..if I had multiple merchants and multiple wallets and they all used the same credentials they could correlate. 05:38:15 shu has joined #wpwg 05:38:37 AdrianHB: Raise your hand if you want to be part of the joint task force: Gerhard, NickTR, Jonathan 05:38:59 shu has joined #wpwg 05:39:00 bryanluo has joined #wpwg 05:39:15 ACTION: Tony to convene a joint task force on payment use cases that involve Web Authentication 05:39:16 Created ACTION-129 - Convene a joint task force on payment use cases that involve web authentication [on Tony England - due 2019-09-24]. 05:39:20 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 05:40:03 jezza has joined #wpwg 05:40:28 Topic: Handling Payments 05:40:41 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 05:40:49 jv has joined #wpwg 05:42:45 jezza has joined #wpwg 05:43:18 jezza has joined #wpwg 05:43:35 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 05:43:41 jezza has joined #wpwg 05:44:10 q+100 05:44:17 AdrianHB: The context for my slides here come from a conversation yesterday where Marcos expressed concern that a lot was going into payment handlers that would make it harder for new implementations to catch up 05:44:20 q- 100 05:44:22 q+ 05:44:29 ack nicktr 05:44:29 nicktr, you wanted to talk about a delegation use case 05:44:36 wonsuk has joined #wpwg 05:45:30 AdrianHB: First observation is that Basic Card does not fit well with other things...in sheets there's a mix of payment handlers (wallets) and cards (instruments) 05:45:46 ...but delegation of merchant-requested data to the payment handler changes the game 05:46:00 ...payment handlers should be able to respond to the merchant's request 05:46:30 ...this means that payment handlers end up doing everything done by the sheet 05:46:35 ....so the question is: do we need the payment sheet? 05:46:42 q+ 05:47:04 +q 05:47:12 q+ 05:47:18 AdrianHB: The sheet requires an extra click 05:47:42 ...the payment sheet has been a blocker for implementation in some browsers 05:47:57 Ciciley has joined #wpwg 05:48:01 present+ 05:48:03 ...we've heard from all the browsers that implementing the payment sheet is outside their wheelhouse in terms of localization and because payments are not really the things of browser 05:48:28 ...so what would it look like to ditch the shet? 05:48:40 ...I found some examples of how the Share API works 05:48:59 -> https://web-share.glitch.me/ 05:49:11 AdrianHB: When I hit "pay" I could get a list of payment handlers I could use 05:49:20 ...we could have a number of optimizations like "skip-the-sheet" 05:49:43 q? 05:49:52 pranjal has joined #wpwg 05:49:56 Lawrence: How could a payment handler get in the list? 05:50:03 AdrianHB: Through registration via payment handler API 05:50:16 q- 05:51:17 AdrianHB: Instead of getting mix of instruments and wallets, you just see wallets 05:51:31 jv has joined #wpwg 05:51:59 AdrianHB: Today the payment handler API has a registration flow. Service worker installed. This enables the browser to get a manifest and the browser can do just-in-time install 05:52:04 q? 05:52:17 AdrianHB: As Ian said, how it happens is platform-specific. 05:52:22 ack rouslan 05:52:56 Rouslan: Great idea. I think one comment rubbed me the wrong way - that payment handlers are becoming Frankenstein. 05:53:08 ...the payment handler is just trying to bring all the options in PR API to Payment Handlers 05:53:42 ...we are experimenting. 05:54:21 ...overall as an idea that the sheet should go away...I think it could be strange for w3c to dictate UI...but I think it's an interesting idea. 05:54:37 ack marcosc 05:54:41 jezza has joined #wpwg 05:54:47 marcosc: I want to support what Rouslan said but wants to shift the perspective. 05:54:58 ...PR API on its own and integration with native payment handlers makes a lot of sense 05:55:31 ...but what was shown yesterday was that the handler modal was not suitable for some UI requirements. 05:55:38 ...so it's becoming like an embedded iframe 05:55:50 ...and Airbnb wants to enroll users, too 05:56:01 ...so we end up with a component that can be co-opted to do a lot of things 05:56:24 ...so let's not get rid of the sheet, but instead have a model browsing context that let's you do all these thins 05:56:30 ...we just need a bi-directional channel 05:56:35 s/thins/things 05:57:04 AdrianHB: One of the things that came out of the discussion is that we've built a payments component that is using a lot of web features, but in a way that is only usable in those flows 05:57:18 ...the modal window (of chrome) is special 05:57:37 marcosc has joined #wpwg 05:57:42 ...I think the modal window is a powerful feature for any cross-origin thing you want to do 05:57:46 jv has joined #wpwg 05:58:52 AdrianHB: I think it's a valuable platform in general, and it makes the case for building blocks for payment handlers much stronger. 05:58:57 Roy has joined #wpwg 05:59:01 q+ 05:59:06 ...I'll call this the "modal dialog" feature 05:59:24 "modal browsing context" - fight me 05:59:48 AdrianHB: You could not have popup abuse since only one at a time, and also you only get back to underlying context when you close it 05:59:49 q+ to ask about security model. Does this rely still on the method manifest? 05:59:59 ack roy 06:00:17 roy: My main comment on that is, one value proposition of the payment sheet is that there's a level of trust 06:00:23 q+ 06:00:30 ...I trust the browser vendors to do the right thing with that dialog. 06:00:37 jezza has joined #wpwg 06:00:40 ack nick 06:00:40 nicktr, you wanted to ask about security model. Does this rely still on the method manifest? 06:00:50 Masa_JCB has joined #wpwg 06:01:01 nicktr: My question is similar - and payment handlers have a payment method manifest 06:01:18 marcosc: We are showing arbitrary content in something that people thing is secure, but it's not 06:01:44 ...we won't present a trusted UI where there is arbitrary content. 06:01:55 q? 06:02:01 ack marcosc 06:02:19 q- 06:03:01 Action: AdrianHB to look into a modal dialog spec, organize testing of assumptions about dropping the sheet. 06:03:01 Created ACTION-130 - Look into a modal dialog spec, organize testing of assumptions about dropping the sheet. [on Adrian Hope-Bailie - due 2019-09-24]. 06:03:12 AdrianHB: Some other ideas: drop instruments, drop modifiers, drop OpenWindow 06:03:16 Today, in order to do certain forms of authentication on the web we require either pop-ups, opening a new tab, a redirect, and so on... Payments introduced another UI component that affords OS-level payment integration (particularly for Apple Pay in Safari). When compared to native applications, most of these UI affordances lead to sub-optimal user experiences. 06:03:16 To improve the situation, a common requirement appears to be: 06:03:16 - a top-level browsing context that displays third party content. 06:03:17 jezza has joined #wpwg 06:03:17 - it's modal. 06:03:19 - it should be possible to position this browsing context at least relative to the top or bottom of the container window, and perhaps have the ability to visually expand the context (or let the user expand it) - and the ability to go fullscreen. The browsing context (not the opener) controls the dimensions. 06:03:21 - the opener context needs to set the feature policy (e.g., allow web authn, camera access, credential management). 06:03:23 - the opener context must a means to have by bi-directional communication channel (i.e., message ports or just post message). 06:03:25 - the opener context must have the ability to close the browsing context. 06:03:27 - an ability to indicate the kind of service that's needed (e.g., "payment", "authentication", "share", "mixed?") 06:03:29 - An ability to open a pop-up (normal pop-up rules apply) - but associated with the browsing context... basically a less crappy tab experience on mobile. 06:03:34 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 06:03:45 [Break] 06:04:22 mweksler has joined #wpwg 06:07:56 jv has joined #wpwg 06:08:38 bryanluo has joined #wpwg 06:10:21 jv_ has joined #wpwg 06:11:38 jezza has joined #wpwg 06:12:02 [We note for the minutes that Tomasz is also interested in the Joint task force with WebAuthn] 06:12:10 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 06:14:54 jezza has joined #wpwg 06:21:09 jv has joined #wpwg 06:23:58 AdrianHB has joined #wpwg 06:27:50 jessie has joined #wpwg 06:28:12 bryanluo has joined #wpwg 06:29:58 dave2037 has joined #wpwg 06:31:14 jezza has joined #wpwg 06:32:03 dave2037 has joined #wpwg 06:34:05 alex_liu has joined #wpwg 06:36:28 pranjal has joined #wpwg 06:38:04 Topic: Housekeeping 06:38:22 jezza has joined #wpwg 06:38:35 pranjal_ has joined #wpwg 06:38:43 norie has joined #wpwg 06:39:11 benoit has joined #wpwg 06:40:30 Ian: With chairs we need to review the dense minutes 06:40:42 takashi has joined #wpwg 06:40:45 ...I assume we will recharter so next meeting discussion assumes that 06:40:58 NickTR: Remember when we recharter - your AC reps need to step up to say Please Recharter! 06:41:09 bryanluo has joined #wpwg 06:41:24 jezza has joined #wpwg 06:41:44 Alex: Airbnb could host the next meeting, e.g., in Dublin or Paris 06:41:56 NickTR: +1 to Dublin 06:42:44 Gerhard has joined #wpwg 06:42:50 Action: NIckTR to investigate next FTF meeting options with Ian and Adrian 06:42:51 Created ACTION-131 - Investigate next ftf meeting options with ian and adrian [on Nick Telford-Reed - due 2019-09-24]. 06:42:57 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 06:43:13 jezza has joined #wpwg 06:43:22 Ian: Minutes available next week 06:43:26 NickTR: Do people read minutes? 06:43:32 [Several people say yes] 06:44:47 q+ 06:45:00 NickTR: As Chair it's good to understand what improvements you think we could make in running the group. E.g., who needs to be part of the discussion? We heard yesterday: PayPal, Alipay, WeChatPay 06:45:04 ...so we'll work on that. 06:45:08 ack rouslan 06:45:56 Rouslan: I think once useful thing at each TPAC is to give a clearer picture of where we are with deployment. So I think some framing would be useful. 06:46:32 NickTR: Maybe we need to start main meeting at 10:00am on day one, and have a crash course before that. 06:46:49 Gerhard: Or do a video 06:47:10 https://github.com/w3c/payment-request/wiki 06:48:47 q? 06:48:47 Masa has joined #wpwg 06:48:49 https://github.com/w3c/payment-request-info/wiki/FAQ 06:49:05 https://github.com/w3c/payment-request-info/wiki/Introductions 06:49:17 Invite UPI from india, and OpenBanking UK we need to get more wallets, perhaps from Nordics where they are quite big too. Then south america, berletto? 06:49:18 pranjal has joined #wpwg 06:49:52 (boleto) 06:50:30 q? 06:50:45 justin_toupin has joined #wpwg 06:51:03 alex_liu has joined #wpwg 06:51:03 q+ for consumer involvement? 06:52:32 q+ Some of the authentication conversations would have had more impact if we had drawn out the key use-cases for authentication that we are trying to address / improve 06:52:45 IJ: Another idea is a merchant business group. 06:52:48 +1 from Frank 06:53:03 NickTR: Jeff Jaffe also mentioned a series of meetups (with merchants) 06:53:28 ...could do them around other events like MRC 06:54:24 urata has joined #wpwg 06:54:26 Vishal: Another conf is Payments Ed 06:54:46 David: Have we done anything about consumer involvement (e.g., for the UX)? 06:56:03 q+ 06:56:04 pranjal_ has joined #wpwg 06:56:44 Ian: Implementers do user testing. But we could have a big show-off-a-thon with lots of users and multiple browser vendors to get feedabck 06:57:05 ack Rous 06:57:50 rouslan: Perhaps what we are looking for is a user experience expert. Some people in the room have user experience experience. But we could bring UX experts (e.g., from Google) into a meeting to speak about how they think about those things 06:58:05 Justin: I generally agree with Ian that browser vendors and other implementers are on the front line of UX 06:58:21 vishal has joined #wpwg 06:58:24 ...I think it could be useful to have them before the group here to point out how difficult it is. 06:58:43 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 06:59:08 +q do you use applause for anonymous user testing? that could be a good idea to continuously test user experiences without the UX experts in the group 06:59:15 norie has joined #wpwg 06:59:17 NickTR: We are facing a problem standards efforts share: companies need things to work together but also want to maintain some advantage 06:59:22 ack Vishal 06:59:33 ack ben 06:59:33 benoit, you wanted to discuss consumer involvement? 06:59:47 Vishal: We user Applause for anonymous user testing. 07:00:30 Alex: We use applause as well 07:01:51 Action: Jeremy to see whether Stripe could provide any data about PR API 07:01:51 Error finding 'Jeremy'. You can review and register nicknames at . 07:01:58 Fawad_N has joined #wpwg 07:02:05 jezza has joined #wpwg 07:02:17 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 07:02:23 [Adjourned] 07:02:26 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 07:03:55 https://w3c.github.io/tpac-breakouts/sessions.html 07:06:30 marcosc has joined #wpwg 07:07:32 alex_liu has joined #wpwg 07:07:55 rrsagent, make minutes 07:07:55 I have made the request to generate https://www.w3.org/2019/09/15-wpwg-minutes.html Ian 07:07:59 rrsagent, bye 07:07:59 I see 6 open action items saved in https://www.w3.org/2019/09/16-wpwg-actions.rdf : 07:07:59 ACTION: Justin to check internally at Google about what can be shared [1] 07:07:59 recorded in https://www.w3.org/2019/09/15-wpwg-irc#T07-22-00 07:07:59 ACTION: Ian to work with Justin and Google on writing up payment handler benefits [2] 07:07:59 recorded in https://www.w3.org/2019/09/15-wpwg-irc#T07-37-24 07:07:59 ACTION: Tony to convene a joint task force on payment use cases that involve Web Authentication [3] 07:07:59 recorded in https://www.w3.org/2019/09/15-wpwg-irc#T05-39-15 07:07:59 ACTION: AdrianHB to look into a modal dialog spec, organize testing of assumptions about dropping the sheet. [4] 07:07:59 recorded in https://www.w3.org/2019/09/15-wpwg-irc#T06-03-01 07:07:59 ACTION: NIckTR to investigate next FTF meeting options with Ian and Adrian [5] 07:07:59 recorded in https://www.w3.org/2019/09/15-wpwg-irc#T06-42-50 07:07:59 ACTION: Jeremy to see whether Stripe could provide any data about PR API [6] 07:07:59 recorded in https://www.w3.org/2019/09/15-wpwg-irc#T07-01-51 07:08:04 alex_liu has joined #wpwg 07:08:07 zakim, bye 07:08:07 Zakim has left #wpwg 07:08:09 leaving. As of this point the attendees have been vkuntz, jfontana, Ciciley, Fawad, nicktr, Ian, krystosterone, gildas, alex_liu, benoit, mweksler, jezza, Sophie, frank, heejin, 07:08:09 ... dave, Roy, jungkees, Vishal-Expedia, agektmr, Cheryl_M, cwarnier, jonathan, justin_toupin, rouslan, Giulio, tomasz, florent, wanli, dezell, bryanluo, sakiko, estes, JV, 07:08:09 ... AdrianHB, dongwoo, Wonsuk_Lee, html5cat, Gerhard, tobie