
How the world pays online: an update on the WPWG

Video hosted by Web Castor on their StreamFizz platform.

Transcript

Nick Telford-Reed: All right, well good afternoon, everybody. Well done!

Nearly at the end of a long afternoon of AC'ing, but we've saved the best, well we've saved the best till last.

'Cause Wendy is now taking the prime, last slot.

But I am here to talk about the most exciting thing that's happening in the W3C: That's web payments.

And, if you don't believe me, let's have an argument in the corridor afterwards.

I'm really excited to tell you about what we're doing.

We've made some massive progress.

And it's really exciting to just get to talk to you about it.

So I am, I'm gonna take you through a little bit of the history of how we got here.

And I'm gonna talk to you about the products that we've built, the specifications that we've got.

I'm gonna talk about the work that we're doing at the moment and that's when, this gentleman who is very patiently waiting to the side of me, is gonna give you a demo of complete interoperability between different industry partners, showing all the different pieces of our specification family, working for real.

Which is cool.

And then I'm gonna talk about the road ahead and I'm gonna make two asks of you.

Two asks of you as advisory council members.

So, brace yourself.

This is a shopping trip.

I'm trying to get something out of you.

So, just be braced for that.

Okay?

So, let's start.

Let me, let me just do a double check.

Who has heard of the Web Payments Working Group?

But, not everybody.

Okay, so, I'm glad I'm here because I can tell you what it is that we do.

We are trying to fix the way that the world pays online.

So, no small task.

Though, we think that is an important mission.

Paying online is difficult.

It's confusing.

You cross lots of different regulatory environments.

It's hard.

You've gotta be secure but merchants want it to work without very much friction.

But, privacy advocates want it to be private and consumers want it to be easy.

And they want it to work on all platforms.

And they want it to work whether you are in Japan using a local debit scheme or you're, you know, a crypto advocate and you wanna pay with your latest, you know, ERC-20 token.

And, then, you know, the card scheme's acceptance networks are really keen that their products should work online.

And, the central banks are looking at digital currency and thinking how are we going to make all this work?

So, it's a pretty tough, it's a pretty tough call.

We were chartered in 2015.

So, we've been having a go at this now for four and a bit years.

Because, first of all, it was an interest group and then we chartered a working group and we re-chartered in March of last year.

We've got fantastic engagement from the browser vendors.

Which is brilliant.

We're very grateful for that.

So, thank you to all of the, you know, the folk from Apple and Mozilla and Google and Microsoft and Samsung and Brave and Puma who were all in the room over the last couple of, the last few days.

We really value the engineering resource that you've put into this.

This is something that really matters to lots of people and that's why, I think, we've had such good engagement from the browser vendors.

But, not only that, we've actually now really got people coming along from the rest of the payments industry.

So, we've got the schemes.

We've got Visa.

We've got Mastercard.

We've got American Express.

We've got Diners.

We've got JCB.

We've had people along from Swift.

We have people along from banks.

We've had people along from payment systems and we've got engagement now from merchants.

And you can see, over the last, even over the last year, there's some fantastic names.

So, Amazon have joined our group.

JCB, who are the Japanese credit card scheme acceptance network.

They've joined.

Netflix have joined.

Yeah!

We've got some real momentum.

So, this is really exciting stuff.

We have 73 member organizations which Alan is very pleased about.

We're, you know, on a mission to improve his business development.

And, we're engaging across, this is a, ya know, this is a global problem.

So, what have we built?

Well, there are two core specifications.

There's something called payment request which is actually quite a light API that allows people who wanna get paid to ask for payment.

Then we have another API, which is called payment handler, which creates an extension point that allows people to come along and build applications that give user experiences to the people who are trying to make the payment.

That was really important.

You know, payment request is great.

It creates this tunnel between the browser and the merchant.

That's a critical part of what we're trying to do but, equally critical, we wanted this to be an open ecosystem.

And payment handler API, remember that, remember that name, is something that is really, really important to us.

The browsers need to implement support, of course.

We've got extremely strong support for both pieces from the Chromium team, from Chrome.

We're working with Mozilla and Apple on payment requests.

We're still working to get Apple and Mozilla over the line on supporting payment handler.

But, we feel, in the group, that that extension point is incredibly important.

So, those are the two main specifications.

Then we have a couple of other specifications that kind of allow configuration items manifests.

And then we also have something called basic card, which is a sort of, it's a kind of definition of the data that you need to pass to be able to do card transactions.

But, actually, this is really important, what we're building is agnostic of payment methods.

We're trying to design the architecture so that it'll work with credit transfers, it'll work with crypto, it'll work with card payments.

You know, if you can pay with it, we want to be able to support it.

So, where are we?

Well, number one priority is getting payment requests all the way through the recommendation track.

That's been a bit of a challenge.

We've gone back a couple of times on payment requests.

We had a very important, a very perspicacious challenge, on some privacy elements which we've gone away and fixed.

That's kind of taken us back through the candidate recommendation milestone which, of course, triggered new IP opportunities.

Wendy and the PAG have struggled valiantly through more than 60 patent disclosures.

Anybody here tried to run a PAG before?

A patent advisory group?

They're fun, aren't they, Charles?

But, you know, this is important and we're, again, we're very grateful for the members that've helped us through that.

And, we've got fantastic traction now in the industry.

So, right now, over there, well they've finished and gone for a cup of tea or a beer probably now.

But, earlier today, we had EMVCo and FIDO in a room with members of the Web Payments Working Group and our new Security Interest Group, and those are people who are all participating in our Working Group.

So, this is a real success story.

This is the W3C reaching across industry and having conversations that, actually, other organizations can't have because people want to build payments for the open web architecture.

And nothing demonstrates that better than the demo that Jonathan is now going to show you.

So, Secure Remote Commerce is a new specification from EMVCo.

Jonathan can explain more about what that is in much better detail than I can but, what Mastercard have done is they've built a demonstration which, essentially, defines a payment method that's sitting on top of Payment Request and Payment Handler and uses web authentication as the authentication there.

So, I'm going to pass the mic to Jonathan.

Jonathan Grossar: Maybe just a couple of words of background, why we decided to create a prototype.

It's that when we joined a few years ago, the W3C, the idea was that we saw a unique opportunity with the W3C to have, not only improve the user experience in payments, but also improve the level of security for web payments.

And, so, what we, well we have more security, we have less code, we have more approval rates and also we comply with regulation like PSD2 in Europe.

Right?

So, we've been looking into how the different standards, EMVCo standards, for tokenization EMVCo code standards, for authentication, FIDO authentication and the W3C can work together to provide this additional security for Web Payments.

And so this demo is an attempt to see how those different specs can integrate together.

And so we have been building an SRC which is the standard for tokenization at EMVCo.

SRC Payment method that is implemented by, supported by a merchant and so you are on the merchant website, you purchase some shoes and when you decide to checkout what happens is that you are going to be redirected to a Payment Handler, that handles the payments, right?

And, so, this Payment Handler is going to reach out to the different networks, Visa, Mastercard and see if there is a card that is talked with the networks.

And, so, then those cards will be displayed and the user will be able to select one of those cards.

Obviously, this is a very happy path.

So, that means that the resourceful way to recognize that this is the same user.

So, instead of cookies, we are looking here so about how FIDO and WebAuthn can give access to those cards.

So, we haven't done here the implementation on this particular demo for both of them.

We have used WebAuthn for the authentication of the consumer for the transaction, so that the bank, instead of stepping up the consumer with the ugly OTP or something else, they can simply rely on the fact that the consumer has been authenticated with WebAuthn and FIDO instead of those ugly methods.

So, a second consumer, I select one of the cards that I have with the networks and, once I'm done, and I did my selection, I'm prompted to authenticate.

And, so, WebAuthn allows to get access to the FIDO credentials and, behind the scenes, the EMVCo 3DS protocol, which is a protocol for identification, is used to transport the FIDO results that have been captured, right, through this WebAuthn API?

And this protocol EMV 3DS will send those results to the bank so that the bank, that removes the need for the bank for additional authentication of the consumer.

So, that's a simple flow.

Obviously we have additional flows but we are, we have time constraints.

Nick Telford-Reed: Thanks, John. I think that's a successful demo.

But, thank you, yeah!

So, just, so that demo is combining Payment Request, Payment Handler, Payment Method Manifest, Payment Method Identifiers, 3-D Secure, Web Authentication and Basic Card.

So, that is pretty cool.

Oh, no basic card SRC payment method.

Absolutely right!

Right, we're nearly there.

I told you I was going to ask you for something.

So, I've told you where we've come from.

I've told you that we're demonstrating interoperability and we are demonstrating momentum in the market.

We're trying to build something that is of, you know, of use to consumers, to people who are using browsers trying to buy things online.

It's of use to merchants and it's interesting to people who are trying to facilitate those things.

But, we're still not there.

We're still not there.

We haven't got broad adoption in the market yet.

We're getting there.

But, we're not there yet.

And we haven't got broad adoption particularly with payment handlers.

So, ask number 1, of people in this room....

Most of the organizations in this room sell things online or provide services online or have some kind of touch points online, if you have any kind of experience that happens online we would really be interested to talk to you about whether you could build a very lightweight payment handler.

We just wanna see implementations.

We wanna understand what the challenges are.

We wanna understand where development documentation is poor or where there are bugs in the implementation.

So, please, if you, you know, if you go away from this and think, well, you know, where might we do some experimentation?

Payment Handler would be tremendously useful.

The other reality is that we need rechartering.

Our charter runs out at the end of this year.

I think that we should continue.

I think you guys think we should continue.

I'm certain that's the case but, actually, it would be great...

Who thinks that we should continue doing web payments?

C'mon?

(growls) There's some people in the room who don't think we should continue web payments.

What do I have to do to show you interoperability momentum in the market?

C'mon, this is fantastic!

This is the future of payment on the web.

We need your help to continue to do that work.

We really appreciate your attention today.

Really appreciate your attention all through the afternoon.
