W3C

SPC Task Force

12 July 2021

Attendees

Present
Anne Pouillard (Worldline), Bastien Latge (EMVCo), Chris Wood, Christian Aabye (Visa), Clinton Allen (American Express), Doug Fisher (Visa), Ian Jacobs (W3C), Michel Weksler (Airbnb), Praveena Subrahmany (Airbnb), Sameer Tare (Mastercard), Stephen McGruer (Google), Susan Pandy (Discover), Werner Bruinings (American Express)
Chair
Ian
Scribe
Ian

Meeting minutes

Next steps following WPSIG discussion of how to establish SPC’s role in fulfilling PSD2 requirements

Ian: WPSIG had a good chat last week about how to establish and communicate how SPC can be used to fulfill PSD2 requirements. I consider it the first chat of a discussion, but not the end. My sense after the discussion is that it would be useful to (1) write down how SPC can be used, leveraging existing resources like the FIDO whitepaper and EMVCo statement re: 3DS, then (2) communicate with some competent authorities. Seems like a reasonable strategy?

smcgruer_[EST]: I guess really with SPC the main question relates to the dynamic linking functionality. Arguably one could also try to provide a stronger argument for enabling the bank to validate the assertion.

Christian: I think you need to attack from several use cases: delegated auth, 3DS, use of FIDO
… we can help in outlining these details.

Ian: I agree that there is more to do than just a delta from the FIDO white paper. I think we need to talk about different trust relationships (e.g., delegated authentication, RP authentication) and illustrate the use of SPC in different authentication protocols (e.g., using 3DS or during open banking flows).

Bastien: We have an EMVCo European Liaison I can reach out to.

Ian: I will follow up with Bastien and Christian on outreach. Thanks!

Issue review

https://github.com/w3c/secure-payment-confirmation/issues

https://github.com/w3c/secure-payment-confirmation/issues/83

Ian: Any additions to what's on that issue thread?

smcgruer_[EST]: This is a basic API question - do we need to select the origin-known-to-the-browser or something provided by the caller?
… but haven't heard enough of "we need to do this."

mweksler: The issuer can verify the merchant identity information.
… it's a bit more complex but may be a better UX

Ian: What about always displaying top-origin and an optional caller-provided argument.

smcgruer_[EST]: Doing that may not be any more helpful in fulfilling the PSD2 requirement.

Christian: I think it is important to show the payee name, not the entity that makes the API call.

smcgruer_[EST]: The payment industry does this today.

IJ: Is merchant identity (for example) known in the 3DS integrations that are being provided?

Christian: We know the merchant identity in the AReq.

smcgruer_[EST]: Yes, I think we should make this change. Without it, it doesn't work in a redirect flow.

https://github.com/w3c/secure-payment-confirmation/issues/84

IJ: Is the UX useful?

IJ: (No additional replies on the call.)

Next meeting

26 July

Minutes manually created (not a transcript), formatted by scribe.perl version 136 (Thu May 27 13:50:24 2021 UTC).