13:49:45 RRSAgent has joined #wpwg
13:49:45 logging to https://www.w3.org/2022/05/03-wpwg-irc
13:49:49 agenda?
13:49:57 zakim, clear agenda
13:49:57 agenda cleared
13:50:02 zakim, bye
13:50:02 leaving. As of this point the attendees have been Ian_Jacobs, Anne_Pouillard, Rolf_Lindemann, Ryan_Watkins, Suzie_Annezo-Sebire, Jean_Emer, Christian_Aabye, Stephen_McGruer,
13:50:02 Zakim has left #wpwg
13:50:04 Zakim has joined #wpwg
13:50:05 ... Steve_Cole, Doug_Fisher, Tomoya_Horiguchi, Chris_Wood, Jean-Michel_Girard, Gerhard_Oosthuizen, Michael_Horne, John_Fontana, Chris_Dee, Gerhard, John_Bradley, Nick_Burris,
13:50:05 ... Jean-Luc_di_Manno
13:50:12 Meeting: Web Payments Working Group
13:50:21 Agenda: https://github.com/w3c/webpayments/wiki/Remote-Agenda-202205
13:50:32 Scribe: Ian
13:51:36 agenda+ Welcome, Antitrust and Competition Guidance reminder.
13:51:45 agenda+ Where we are
13:51:48 agenda+ Airbnb/Adyen pilot update
13:51:54 agenda+ Issue 172: Opt-out update
13:52:00 agenda+ Implementation update
13:52:08 agenda+ SPC Demo by Modirum
13:52:16 agenda+ Next call
13:52:26 I have made the request to generate https://www.w3.org/2022/05/03-wpwg-minutes.html Ian
13:55:00 present+ Ian_Jacobs
13:59:19 present+ Carey_Ferro
13:59:45 present+ Stephen_McGruer
13:59:55 present+ Anwar_Moco
14:00:25 present+ Sami_Takkala
14:00:44 present+ Uno_Veski
14:00:51 present+ Michael_Horne
14:00:53 present+ John_Fontana
14:01:01 present+ Christiaan_Brand
14:01:09 present+ Jean-Michel_Girard
14:01:35 present+ Christian_Aabye
14:01:40 mikehorne has joined #wpwg
14:01:46 present+ Jonathan_Grossar
14:01:52 present+ Haribalu_V
14:01:56 present+ Renan_Renner
14:02:02 present+ Praveena_Subrahmanyam
14:02:08 Carey has joined #wpwg
14:03:08 Anne has joined #wpwg
14:03:08 present+ Anne_Pouillard
14:03:14 Gerhard has joined #wpwg
14:03:15 present+ Tomoya_Horiguchi
14:03:18 present+
14:03:35 present+ Kenneth(Modirum)
14:04:03 ChristianA has joined #wpwg
14:04:18 Jonathan has joined #wpwg
14:04:34 present+ Nick_Burris
14:04:36 praveena has joined #wpwg
14:04:49 NickBurris has joined #wpwg
14:05:37 Kenneth_Diaz has joined #wpwg
14:05:37 present+ Tomasz_Blachowitz
14:05:43 JMGirard has joined #wpwg
14:05:56 present+ Doug_Fisher
14:06:23 present+ Richard
14:06:39 Chair:Ian
14:06:43 present+ Brian_Costello
14:06:52 present+ Steve_Cole
14:07:08 present+ Bryan_Luo
14:07:13 zakim, take up item 1
14:07:13 agendum 1 -- Welcome, Antitrust and Competition Guidance reminder. -- taken up [from Ian]
14:07:18 https://www.w3.org/Consortium/Legal/2017/antitrust-guidance
14:07:56 present+ Jonathan_Blocksom
14:08:03 present+ Melissa_Sebastian
14:08:37 present+ Carey_Ferro
14:08:43 Tomasz has joined #wpwg
14:08:43 bryanluo has joined #wpwg
14:09:03 present+
14:09:10 DougFisher has joined #wpwg
14:09:12 uno has joined #wpwg
14:09:33 Steve_C has joined #wpwg
14:14:22 q?
14:14:28 present+ Bart_de_Water
14:14:38 present+ John_Bradley
14:15:12 zakim, close item 2
14:15:12 agendum 2, Where we are, closed
14:15:13 I see 6 items remaining on the agenda; the next one is
14:15:13 1. Welcome, Antitrust and Competition Guidance reminder. [from Ian]
14:15:18 zakim, close item 1
14:15:18 agendum 1, Welcome, Antitrust and Competition Guidance reminder., closed
14:15:20 I see 5 items remaining on the agenda; the next one is
14:15:20 3. Airbnb/Adyen pilot update [from Ian]
14:15:22 zakim, take up item 3
14:15:22 agendum 3 -- Airbnb/Adyen pilot update -- taken up [from Ian]
14:15:41 SameerT has joined #wpwg
14:15:46 present+ Sameer_Tare
14:16:09 praveena: Background of pilot...started mid-2021
14:16:25 ...adyen has helped immensely bring to production
14:16:43 ...have faced multiple topics for a product like this (legal, privacy, etc.)
14:17:02 present+ Adam_Kelly
14:17:09 RRSAGENT, make minutes
14:17:09 I have made the request to generate https://www.w3.org/2022/05/03-wpwg-minutes.html Ian
14:17:22 Praveena: Started employees-only phase end of 2021
14:17:43 ...hit some interesting topics, like "someone didn't have their phone charged."
14:17:57 ...goal is to open A/B testing over next few weeks with guests
14:17:59 ...demo
14:18:56 ...in the demo, we see a registration dialog, then platform dialog for FIDO
14:19:58 Renan: Really appreciate the collaboration of this project
14:20:17 ...we see transactions being approved in this delegation setup
14:20:21 ...we are the RP
14:20:33 ...we think we will be able to scale our implementation for more merchants
14:20:45 q+
14:21:00 jblocksom has joined #wpwg
14:21:39 ack me
14:22:00 Ian: What happens after Adyen gets the assertion and validates it?
14:22:08 Renan: We are doing this through network tokens.
14:22:25 ...the token can be further validated by the issuers
14:23:06 ...for first transaction we rely on 3DS. For subsequent ones we rely on tokens.
14:23:14 q+
14:23:19 ack Carey
14:23:31 Carey: You had mentioned expansion to other merchants. Who might you see next?
14:23:44 Renan: We are discussing with a few merchants. They ask about issuer adoption.
14:23:53 regrets+ NickTR
14:24:02 Renan: One merchant in Germany interested.
14:24:39 Ian: What has made this challenging to deploy?
14:24:55 Praveena: From Airbnb perspective, it's ensuring that users understand what this means.
14:25:15 q+
14:25:15 ...we need to be sure from Airbnb that we had the right input data and callbacks
14:25:30 Renan: When I joined Adyen, most of the work was already done. :)
14:25:40 q+
14:26:11 Renan: I think handling legal issues has been a challenge; but we are seeing program evolution so that will help with scale
14:26:17 ack smcgruer_[EST]
14:26:45 smcgruer_[EST]: Have you looked at WebAuthn independently? What made SPC more interesting?
14:27:29 Praveena: From Airbnb perspective, we are trying to use WebAuthn for other things. Having Adyen pick up a lot from the implementation perspective has been helpful.
14:28:07 Renan: From a privacy perspective, and scalability perspective, we see SPC as more future-proof. And seems to be favored by schemes.
14:28:12 ...and security benefits
14:28:32 Jonathan: Regarding the demo, the registration is from an iframe. That's not possible in vanilla WebAuthn.
14:28:35 q?
14:28:37 q+
14:28:59 Jonathan: the UX in the returning flow, with the transaction UX is also important to display and secure
14:29:07 ...I think those are the two big reasons driving SPC.
14:29:18 bdewater has joined #wpwg
14:29:26 q-
14:29:42 SameerT: +1 that registration in iframe is valuable.
14:30:17 ...clarification, in the demo Adyen is the RP.
14:30:19 ChristiaanBrand has joined #wpwg
14:30:22 Sameer: ...where is the issuer UX?
14:30:43 Renan: After the initial ID&V, there is none. It's just Adyen for transactions 2+
14:30:57 Sameer: And you will do different things depending on network?
14:31:06 Renan: Yes. 3DS is not used in subsequent transactions.
14:31:27 Q+
14:31:31 ack sam
14:32:11 Renan: We do a 3DS challenge. We create a token with device binding. We know this returning shopper and flag the transaction as a delegated transaction.
14:32:21 ...in the future we also plan to leverage network tokens.
14:32:28 q?
14:32:44 Jonathan: Issuer allows Adyen to perform an authentication on their behalf.
14:33:05 ...issuer still wants to know that the transaction has been fully authenticated; they receive that information in the auth message
14:33:14 ack Doug
14:33:17 q+ anwar
14:33:27 jcemer has joined #wpwg
14:33:33 Doug: I know the pilot is early on; do you have any usability feedback (even if early)?
14:33:49 ...how did you communicate to users what it meant when a credential was created and what it would be used for?
14:34:04 ...when additional merchants come on, how do you think it will go educating consumer about where they should expect this experience?
14:35:00 Praveena: I think there may be some challenges about shopping on merchant and seeing authentication dialog for PSP.com
14:35:11 present+ Jean
14:36:02 DougFisher: How will we ensure that consumer understands...will be important.
14:36:11 Renan: yes, that will be very important.
14:36:48 q?
14:37:14 ack anwar
14:38:00 Anwar: I was wondering from a bank point of view (here, BPCE), what are the implications of this model. You are allowing the merchant to register the user. From our POV, we are thinking about using SPC to authenticate users.
14:38:22 ...we would also expect bank to enroll user.
14:40:04 q?
14:40:34 zakim, close item 3
14:40:34 agendum 3, Airbnb/Adyen pilot update, closed
14:40:35 I see 4 items remaining on the agenda; the next one is
14:40:35 4. Issue 172: Opt-out update [from Ian]
14:40:40 zakim, take up item 4
14:40:40 agendum 4 -- Issue 172: Opt-out update -- taken up [from Ian]
14:40:50 -> https://github.com/w3c/secure-payment-confirmation/issues/172 issue 172
14:42:31 Jean: On our side we are still researching this on a legal front.
14:42:52 ...when the user enrolls, we ask the user to opt-in, and we store some Payment information.
14:43:12 ...GDPR requires that we allow you to easily opt-out, and we stop storing information.
14:43:47 ...the chrome concerns (reasonable) were about linking to a potentially malicious page from trusted UX
14:43:54 ...we are exploring some other options
14:44:42 smcgruer_[EST]: From the chrome side, something I wanted to highlight is: I view this as an optional feature that would be OFF by default.
14:44:59 ...but optional features still have overhead.
14:45:43 =====
14:45:45 1) Upon registration, merchant communicates to user how to opt-out (e.g. via email)
14:45:45 2) Show opt-out information in TX dialog, but no link
14:45:45 3) Opt-out button in TX dialog that prompts the user to confirm (by
14:45:45 authenticating) and the assertion type says "opt-out" but also is
14:45:46 deleted from authenticator. There is a privacy issue but only one-time.
14:45:47 4) Opt-out button in TX dialog and no need to authenticate.
14:45:49 There is a privacy issue but only one-time.
14:45:51 5) HTTP POST option
14:47:02 Melissa_VS__Modirum_ has joined #wpwg
14:48:13 Renan has joined #wpwg
14:50:16 q+
14:50:20 Ian: Those are ideas I have heard people voice.
14:50:23 ack Gerhard
14:50:45 user could be educated to use the cancel button to opt out
14:50:52 Gerhard: For me, this should be done where the card is *selected* not authenticated.
14:51:27 ...what makes this complex is that there are three participants: merchant, issuer, PSP who doesn't have a direct relationship with customer.
14:51:46 ...but at a high level, if you want your merchant to forget your card, you ask the merchant.
14:52:05 ...I think that this should be dealt with where card is stored, not at moment of SPC authentication.
14:52:16 q?
14:52:42 +1 to Doug
14:53:13 DougFisher: I agree with Gerhard. I was going to suggest that, for those who cannot do it outside of SPC, perhaps "Cancel" button would work in some cases. But agree that there needs to be an overall opt-out framework
14:53:49 Gerhard: We'll have this important discussion (on 5 May) about privacy and inability to understand what user has done.
14:54:27 Gerhard: Agree that "cancel" could lead to interactions with user about what they want to do next (e.g., opt-out)
14:54:27 q?
14:54:36 canceling an authentication action vs opt-out have different impact so should be treated accordingly
14:55:45 I will say that "forgotten" is a concept that doesn't really apply in all cases. A user certainly can't tell their issuing bank to "forget" them. So if SPC is invoked that way (because their registered with their issuer), I'm not so sure that a "opt-out" would even apply here. But, as stated, there are other use cases with SPC (typically, non-3DS) where it's a bit less certain.
14:56:01 they're*
14:57:15 Christian: When authentication is driven by bank (e.g., 3DS challenge), the user doesn't really have an option of opting out.
14:57:35 q+
14:57:43 ack SameerT
14:57:50 SameerT: +1 to Christiaan's comment.
14:58:02 ...opt-out should not happen during the SPC flow.
14:58:11 ...you don't opt out of authentication in 3DS during an authentication.
14:58:17 ...you do that outside of the authentication flow
14:58:31 ...if we decouple, can be more flexible
14:59:14 JohnBradley: This mostly applies to the PSP use case (and not 3DS)
14:59:37 ...deleting the actual credential on the authenticator doesn't seem to be the issue if the payment information itself has not been deleted.
15:00:05 ...from a webauthn POV, the privacy issue is correlation. one argument could be that it's not important because the user has provided a payment instrument.
15:00:26 ...there could be multiple credentials on the authenticator for the PSP.
15:00:43 ...we'd have to know which credential of multiple needs to be decoupled; that's the hard part
15:00:47 the exact text doesn't actually have much to do with privacy as far as I recall: it's more about not giving a merchant the right to be able to charge a customer using a payment card on file in perpetuity. so, in other words, if this credential isn't used for payment, but rather for authentication, I do wonder how much of it actually applies
15:01:25 Christiaan: We looked at this a little bit. I think some clarification is needed. My interpretation of the requirement is to not have information stored in perpetuity.
15:02:02 ...if the information is PURELY for fraud reduction, the question is whether GDPR really applies. We at Google would like to know this; relates to other use cases as well.
15:02:36 Jean: We are trying to reason about all these things.
15:03:46 Jean: You can argue that if the card appears again, the user is already re-sharing the information.
15:04:39 zakim, close this item
15:04:39 agendum 4 closed
15:04:40 I see 3 items remaining on the agenda; the next one is
15:04:40 5. Implementation update [from Ian]
15:04:47 zakim, take up item 5
15:04:48 agendum 5 -- Implementation update -- taken up [from Ian]
15:05:06 Ian: Re 172, please continue to weigh in on GitHub
15:06:14 smcgruer_[EST]: Update today on SPC implementation in chrome
15:07:27 [Stephen walks through timeline of SPC implementation]
15:07:55 smcgruer_[EST]: Android implementation relies on discoverable credentials; more on that in a moment
15:08:04 ...in iOS need to use Webkit so don't have support yet.
15:08:19 ...implementation has been stable recently.
15:08:32 ...here are the recent changes:
15:08:49 * Added RPID as required input
15:09:06 ...this was needed for proper intro with FIDO/WebAuthn
15:09:15 * We added iconMustBeShown [optional]
15:09:38 * We added payeeName [optional] to be used with/instead of payeeOrigin
15:09:56 ...the new inputs are part of the signed data in the assertion
15:10:14 ...these should be in M102 stable later in May
15:10:18 [Upcoming changes]
15:10:52 * Currently chrome caches SPC credentials. (local storage specific to one instance)
15:11:05 ...this creates a mismatch with authenticator-stored data.
15:11:25 ...this implementation limits use of a credential to a specific browser, and we can't distinguish 1p and 3p use cases
15:11:51 ...so the plan is to add a cross-origin bit at CTAP level, at creation time
15:12:15 ...and that bit would be available from various APIs (allowing view of credentials 'ahead of time')
15:12:34 ...we have raised this with FIDO; we will also need platform authenticators to expose this bit
15:12:53 * User activation for registration
15:13:18 ...this is being added to improve privacy...the user has somehow interacted with the iframe recently
15:13:43 ...I expect it to land in M103. Technically this is a breaking change, but so far as we know, everyone using SPC today already requires the user to click to create a credential.
15:13:45 q+
15:13:57 ack SameerT
15:14:10 SameerT: Regarding that change...is entering something as a challenge the same as clicking?
15:14:21 smcgruer_[EST]: Great question.
15:14:44 SameerT: Suppose user enters some data just before (e.g., OTP)...do they need to re-click?
15:15:01 smcgruer_[EST]: Typically the browser doesn't know what the button said. I will get back to you on whether typing constitutes a user activation
15:15:14 ACTION: smcgruer_[EST] to research whether typing information in a form constitutes user activation
15:15:31 smcgruer_[EST]: Another change upcoming is SPC on Chrome Android.
15:15:43 ...Android doesn't support discoverable credentials today.
15:16:06 ...but we think we have a path for getting SPC on Chrome Android without discoverable credentials; no promises but would love to see a Q3 launch of this.
15:16:18 ...I still don't have any idea about discoverable credentials on Android
15:16:20 Q+
15:16:43 smcgruer_[EST]: We are still committed to finding an opt-out solution. We do think of this as optional.
15:16:49 ack DougFisher
15:17:17 DougFisher: Regarding an implementation without discoverable credentials; what would a change to the SPC spec look like (with 3DS spec in mind)
15:17:36 smcgruer_[EST]: So far our thinking is that this would not be a breaking change, and most likely not have an impact on the 3DS integration.
15:18:10 ...when you create a credential you have to say "I must have a discoverable credential". So the SPC change could be to allow non-discoverable credentials
15:18:22 ...we might decide to do this differently to smooth over the differences
15:18:33 [The Future]
15:18:50 smcgruer_[EST]: We are thinking about some additional icons in the transaction dialog
15:19:04 ...we have some discussion this week about the experience when no credentials exist
15:19:14 ...we'd like to see support on other platforms
15:19:32 ...at some point we'll come back to the question of the API shape itself (e.g., independent of Payment Request)
15:19:42 smcgruer_[EST]: We do have a concern - status of SPC adoption.
15:19:55 ...state of adoption relates to future work
15:20:14 q+
15:20:36 Ian: Windows news?
15:20:56 smcgruer_[EST]: I think Microsoft as a platform authenticator have made credential listing APIs available in a dev build.
15:21:08 ...we hope this will be a springboard for our 3p payment bit
15:21:09 ack Gerhard
15:21:26 Gerhard: Exciting journey; would like to see more progress.
15:21:40 Gerhard: I think having Android adoption would push us over the edge to deployment.
15:22:12 Gerhard: We've deployed a FIDO server, but there were challenges with permission flags. I think WebAuthn in iframe would also help drive adoption
15:22:42 ...we see Safari Tech preview should include permission bit in iframe; that's good news
15:22:57 Gerhard: A third thing that we look forward to is shared credentials
15:23:14 smcgruer_[EST]: We appreciate that feedback! Hearing Android support is critical is good to hear.
15:23:40 smcgruer_[EST]: Regarding FIDO and payments; I've been wondering whether we should collect our requirements in one place
15:24:26 https://github.com/w3c/webauthn-pay/wiki
15:25:19 zakim, close this item
15:25:19 agendum 5 closed
15:25:20 I see 2 items remaining on the agenda; the next one is
15:25:20 6. SPC Demo by Modirum [from Ian]
15:25:35 zakim, take up item 6
15:25:36 agendum 6 -- SPC Demo by Modirum -- taken up [from Ian]
15:25:44 q?
15:26:02 Sami: Thanks for inviting me today.
15:26:10 ...I'm here with Melissa and Kenneth for technical questions
15:26:31 ...Modirum has a test merchant "Coffee House"
15:27:03 ...this is the only "fake" part of the demo....the rest are real (ACS, Directory Server, etc.)
15:27:23 ...this demo shows "merchant-driven SPC"
15:27:53 ...the cardholder challenge happens in the merchant environment
15:28:55 ...the demo has some switches for testing purposes (the cardholder would not see these)
15:29:08 ...demo involves TouchID on a MacBook
15:29:12 ...I have registered previously
15:29:19 ...we'll be using Chrome 100
15:30:37 [sami sets the 3DS version 2.3 and sets the SPC flag]
15:30:52 [The SPC flag tells the 3DS components the user wants to do an SPC authentication]
15:31:32 sami: First AREQ/ARES message pair happens; the merchant receives SPC credentials from the ACS. The merchant then calls SPC and then transaction dialog is shown by Chrome
15:31:58 sami: I timed out since I was talking, and the fallback behavior as you see is OTP
15:32:15 Christiaan: Is the timeout for demo purposes, or production?
15:32:26 sami: My understanding is that is for test environment.
15:32:48 that's perfect demo of how ACS initiated SPC can use fall-back
15:32:53 Melissa: This is an open discussion for EMVCo folks; whether implementation specific or standardized
15:34:43 [sami does transaction dialog and TouchID]
15:34:59 Sami: Second dialog briefly shown during second AREQ/ARES pair.
15:35:13 q+
15:35:37 q+
15:35:43 ...the ACS does the validation of the assertion
15:35:44 ack me
15:36:03 Sami: We are getting a lot of requests from our issuers to learn more about SPC, and 3DS support,
15:36:35 Sami: Issuers see SPC as "the direction where the world is going"
15:36:48 ...but if the cardholder is unable to do the FIDO authentication, they'll need a backup
15:36:53 ...some way to authenticate
15:37:00 ...the fallback we are using is OTP
15:37:24 ...our implementation supports a fallback flow
15:37:53 ack Sameer
15:38:42 Sami: In case of timeout, we send another AREQ/ARES with transaction status and that leads to usual challenge.
15:38:53 Melissa: Right, we send a flag that says "merchant was unable to perform SPC"
15:39:00 ...the issuer can then trigger the challenge
15:39:38 ...if SPC is successful, merchant passes assertion data (via ARES) and issuer validates
15:39:51 SameerT: I thought that it was CREQ/CRES
15:39:54 q?
15:39:59 q+
15:40:08 Melissa: CREQ/CRES is for issuer initiated; this is merchant initiated
15:40:13 ack smcgruer_[EST]
15:40:43 smcgruer_[EST]: I was also confused about that point. The iframe that we see is NOT an issuer iframe; it's just an iframe to isolate 3DS processing.
15:41:10 sami: if the transaction is 3DS, my understanding is that the iframe needs to be present; you see the merchant open a box for 3DS transactions.
15:41:54 smcgruer_[EST]: Who is loaded initially in the iframe?
15:42:08 sami: Merchant-side 3DS server shows the logo etc for the first AREQ/ARES
15:42:16 smcgruer_[EST]: And if SPC fails, redirects to an issuer challenge
15:42:55 sami: If it fails, or if cardholder does not have an SPC-registered credential, or, say, it's an older 3DS implementation, then the issuer gives the merchant the relevant URL for the ACS
15:43:39 Melissa: The AREQ/ARES does not have to be in the iframe. Our implementation does that.
15:44:01 ...the requirement is to show the logo and spinner
15:44:34 q?
15:44:47 smcgruer_[EST]: Thank you
15:44:53 SameerT: So, to summarize:
15:46:06 present+ Erhard_Brand
15:46:35 Merchant initiated SPC : 2 AReq, ARes. Iframe is not necessary to be shown
15:46:40 Ian: What's going to happen with issuers?
15:46:58 Sami: We have told issuers that we are waiting to see what happens with other major browsers and operating systems.
15:47:11 issuer initiated SPC: the SPC flow is triggered from the iframe issuer has opened for the challenge part of the flow after initial AReq, ARes
15:47:18 q+ to ask about Android importance for Modirum
15:47:25 Sami: What we have seen is that smaller issuers are in the process of finding new ways to distribute authentication methods to their card holders
15:47:32 ...they are really interested in learning more about SPC.
15:47:49 ...I think we'll see pilots with more browser support
15:48:01 ack smcgruer_[EST]
15:48:01 smcgruer_[EST], you wanted to ask about Android importance for Modirum
15:48:15 smcgruer_[EST]: Regarding "other browsers"; how important is Chrome on Android?
15:48:45 Sami: We've not heard about it from banks about mobile browsers, but we understand that traffic is increasing
15:48:46 q?
15:48:50 q+
15:48:55 ack SameerT
15:49:08 SameerT: A lot of merchants also use Webview for 3DS authentication.
15:49:24 smcgruer_[EST]: Good to know!
15:49:44 -> https://www.w3.org/community/webview/ Webview CG
15:50:20 Ian: Not sure if Webview includes support for native chrome dialogs
15:51:02 Christiaan: I think that there is some flexibility. WebAuthn has been out of Webviews but there are discussions about being added back in
15:51:19 ...another issue is access to only one origin from an app
15:51:35 ...interesting topic is a native implementation of SPC (pure native)
15:52:24 Sami: Regarding merchant-side and issuer-side SPC: if the merchant is using 3DS pre 2.3, merchant side initiation is not available.
15:52:35 ...that means just one AREQ/ARES pair.
15:53:02 ...and so the UX is to direct the user to the ACS, where the ACS itself can do SPC [we are in the CREQ/CRES challenge phase at this point]
15:53:15 This can help with the adoption (issuer initiated SPC) in near future
15:54:24 q?
15:54:33 not sure what the exact numbers are, but at Shopify we def see a lot of mobile commerce happening. some merchants build custom apps (eg AR to try on shoes virtually) as well
15:55:24 bart: From Shopify's end, we see a lot of mobile commerce happening are "mobile only". From that front we need mobile.
15:55:36 ...webview may or may not be needed
15:56:15 zakim, close this item
15:56:15 agendum 6 closed
15:56:16 I see 1 item remaining on the agenda:
15:56:16 7. Next call [from Ian]
15:56:22 zakim, take up next item
15:56:22 agendum 7 -- Next call -- taken up [from Ian]
15:56:29 26 May
15:56:46 RRSAGENT, make minutes
15:56:46 I have made the request to generate https://www.w3.org/2022/05/03-wpwg-minutes.html Ian
15:56:58 RRSAGENT, set logs public
15:57:10 zakim, bye
15:57:10 leaving. As of this point the attendees have been Ian_Jacobs, Carey_Ferro, Stephen_McGruer, Anwar_Moco, Sami_Takkala, Uno_Veski, Michael_Horne, John_Fontana, Christiaan_Brand,
15:57:10 Zakim has left #wpwg
15:59:13 smcgruer_[EST]: yeah that's a good way of thinking about it
16:00:49 to add some more complication: in some cases merchants are directly selling from Shopify in apps owned by others, eg Instagram
16:04:46 @Ian I was able to find some vetted for external use numbers already! we're seeing about 2/3rd of purchases on mobile
16:22:40 Thanks, Bart!
16:25:29 RRSAGENT, bye
16:25:29 I see 1 open action item saved in https://www.w3.org/2022/05/03-wpwg-actions.rdf :
16:25:29 ACTION: smcgruer_[EST] to research whether typing information in a form constitutes user activation [1]
16:25:29 recorded in https://www.w3.org/2022/05/03-wpwg-irc#T15-15-14