15:36:13 RRSAgent has joined #wpwg
15:36:13 logging to https://www.w3.org/2022/09/12-wpwg-irc
15:36:21 Meeting: Web Payments Working Group
15:36:33 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2022
15:36:37 Chair: Nick
15:36:39 Scribe: Ian
15:36:41 present+ NickTR
15:37:11 present+ Rose_Robertson
15:37:15 present+ Ian_Jacobs
15:37:19 present+ Sameer_Tare
15:40:10 present+ Javad_Chamanara
15:43:42 present+ Bastien_Latge
15:44:11 present+ Magda_Sypulla
15:44:19 present- Magda_Sypulla
15:44:21 present+ Magda_Sypula
15:46:06 Hari_ has joined #wpwg
15:48:37 present+ Nako_Siskov
15:49:18 present+ Devin_Rousso
15:52:01 present+ Erhard_Brand
15:52:34 present+ Adam_Kelly
15:53:53 present+ Vanitha_Balusamy
15:54:03 SameerT has joined #wpwg
15:55:49 present+ Stephen+McGruer
15:55:56 present+ Etienne+Noel
15:55:59 present- Etienne+Noel
15:56:03 present+ Etienne_Noel
15:57:09 bkardell_ has joined #wpwg
15:58:24 present+ Takashi_Minamii
15:59:47 present+ Brant+Peterson
15:59:50 present- Brant+Peterson
15:59:53 present+ Brant_Peterson
16:00:13 Hemnath has joined #wpwg
16:00:23 present+ Renan_Renner
16:00:29 present+ Haribalu
16:00:34 present+ Jayadevi_Natarajan
16:00:40 present+ Praveena_SSubrahmanyam
16:00:48 present+ Peter_Cselenko
16:00:58 present- Praveena_SSubrahmanyam
16:01:03 present+ Praveena_Subrahmanyam
16:01:25 present+ Fahad_Saleem
16:01:31 present+ Solai
16:01:55 present+ Hemnath_Dhananjayan
16:02:10 present+ Jean-Luc_di_Manno
16:02:14 present+ Carey_Ferro
16:02:18 present+ Doug_Fisher
16:02:21 JeanLuc has joined #WPWG
16:02:22 present+ Clinton_Allen
16:02:38 rbyers has joined #wpwg
16:02:42 present+ Christian_Aabye
16:03:44 present+ Jorge
16:04:02 present+ Soumya_Chakrabarty
16:04:14 present+ Rufus_T
16:04:19 present+ Rick_Byers
16:04:53 present+ Vinoth_Madhavan_Selkan
16:05:35 Takashi has joined #wpwg
16:05:59 present+ Tess
16:06:07 Topic: Welcome
16:06:50 Nick: It's great to be back in the room together.
Thanks to those who came to Vancouver and also to those joining us remotely.
16:07:17 [Nick does a quick reminder of health requirements, linked from agenda]
16:08:04 dcrousso has joined #wpwg
16:08:06 praveena has joined #wpwg
16:08:09 ChristianA has joined #wpwg
16:08:09 Magda_Sypula has joined #wpwg
16:08:10 present+ Rolf_Lindemann
16:08:12 etiennenoel_ has joined #wpwg
16:08:59 I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
16:09:07 -> https://github.com/w3c/webpayments/wiki/Agenda-TPAC2022 Agenda
16:09:14 Rolf has joined #wpwg
16:09:17 -> https://www.w3.org/Consortium/Legal/2017/antitrust-guidance Antitrust reminder
16:10:04 present+ Sue_Koomen
16:10:07 Fahad has joined #wpwg
16:10:08 MattC has joined #wpwg
16:10:45 present+ Marie_Jordan
16:11:23 Clinton has joined #wpwg
16:12:03 Nick: Just want to pause to celebrate PR API => Recommendation last week.
16:12:15 (Ian: We'll hear more tomorrow on this and discuss next features)
16:12:50 [Quick round of introductions, both remote and in person]
16:13:06 present+ Betül_Durak
16:14:08 careyf has joined #wpwg
16:18:00 present+ Matt_Crothers
16:18:20 present+ David_Benoit
16:19:20 benoit has joined #wpwg
16:19:30 present+ Rossen
16:19:39 present+ Rick_Byers
16:19:43 present+ Michael_Horne
16:20:04 Topic: Airbnb/Adyen SPC pilot update
16:20:58 Peter: Thank you. We'll start with an update on the pilot we've been running with Airbnb
16:21:14 ...to start with, why SPC?
16:21:26 ...5-9% drop-off rate with 3DS challenge flow
16:21:56 ...so we are looking for a PSD2-compliant solution that lowers drop-off while keeping low fraud rate. We want a better experience for the consumer.
16:22:29 ...our first year was limited pilot (one issuer, friends and family)
16:22:48 ...starting in Sep we want to open to all Airbnb users for a set of issuers.
16:23:04 ...some challenges:
16:23:08 1) Generic error handling
16:23:23 2) How to distinguish canceling SCA v just an error.
16:23:40 3) Educating shoppers
16:24:17 Renan: Shoppers see a new screen in their checkout flow
16:24:30 ...just as 3DS learned previously, the UX of this screen is very important.
16:24:52 Doug_F has joined #wpwg
16:24:54 ...need to tell shoppers this is easier and faster, and connected to issuer experience
16:25:10 Rossen_ has joined #wpwg
16:25:51 q?
16:27:09 NickTR: In which step are you using the errors?
16:27:16 q+
16:27:20 q+
16:27:26 Peter: Those issues were more early on
16:27:47 smcgruer_[EST]: These ambiguities are inherited from the web authn security model
16:28:04 ...we probably can and should do more in the dev tools
16:28:17 ...we can tell developers in the dev tools because it's their own machine.
16:28:23 ...it may not require standardization
16:28:52 ...this would help developers understand "what's going on" during the development process.
16:28:54 ack smcgruer_[EST]
16:29:21 smcgruer_[EST]: I think we can do better for devs but I think we can also do better "in the field"
16:29:25 ack Sam
16:30:00 SameerT: In the 3DS ecosystem, issuers need to know what happened in authentication. If they can't tell what went wrong, they may be less inclined to use this as an authentication method.
16:30:04 benoit__ has joined #wpwg
16:30:10 SameerT: Is the pilot a delegated auth model?
16:30:21 Renan: Yes, Adyen is the RP
16:30:42 SameerT: So for issuer education, are you interested in helping them understand the assertion data?
16:31:39 Renan: Adyen collects the assertion, we want issuers to help communicate to users this model
16:31:54 Sameer: We may have to break it down in more detail; the issuer may not know you are trying to enroll the user.
16:32:20 ...suppose issuer sends me an OTP; at that point (pre-SPC enrollment) the issuer does not know that a new enrollment will happen
16:32:33 clinton has joined #wpwg
16:32:35 Renan: Right, we want issuers to help users understand that these delegated flows are not scams.
16:32:50 Q+
16:32:56 present+ Manish_Garg
16:33:17 Vanitha has joined #wpwg
16:33:27 dcrousso has joined #wpwg
16:33:45 test
16:33:52 nicktr: I assume the trust relationship between issuer and acquirer lies outside of the world of w3c
16:33:57 ...these are commercial relationships.
16:34:36 Sameer: You are mostly right, but see the FIDO white paper on what FIDO data can be consistently sent into 3DS.
16:35:01 ack Doug_F
16:35:31 Doug_F: In the current pilot, the merchant/PSP is the RP. Are there future plans to extend the pilot to when issuers can be RPs?
16:35:43 ...do you at Adyen see the longer term approach being delegated?
16:35:50 Renan: We envision that we will be the RP
16:36:03 q+
16:36:57 Renan: We see this similar to liability shift patterns we've seen previously
16:37:06 ack clinton
16:37:30 clinton: I've heard people comment that they'd like to have help from issuers on X, Y, Z. Could we summarize those points?
16:38:13 Renan: We can show some of this in the demo
16:38:30 [Demo]
16:39:51 present+ Dean_Jordaan
16:40:03 q?
16:40:28 q+
16:40:39 Renan: Issuers can let cardholders know that this sort of enrollment UX can occur to minimize surprise
16:40:48 ...they can tell cardholders that this is a possible flow.
16:41:33 q+
16:41:57 Praveena: People are used to OTP and need to be educated that biometrics can happen, and that they are secure.
16:43:25 Renan: This week we are rolling out an updated pilot to expand it.
16:43:30 ...will include more issuers
16:43:40 q?
16:43:46 ack smcgruer_[EST]
16:44:27 smcgruer_[EST]: Note that the enrollment UX never shipped (this is an old video)
16:44:40 ...the reason was that PSPs wanted to control the content.
16:44:58 ...but if there is value to educating users through consistent language and UX, is there value adding it back?
16:45:11 ack SameerT
16:45:39 SameerT: In registration, do you envision that you can provide enrollment as an out-of-band feature (not during the transaction)?
16:46:04 Renan: Do you mean that the user did not opt-in during flow but we can prompt them later?
16:46:50 SameerT: I'm thinking instead that the transaction completes, and then the user sees an optional button to enroll. And at that time the PSP has full control over the language presented to the user.
16:46:50 q+
16:46:53 Renan: That's an interesting idea.
16:47:47 Sameer: There are a couple of benefits (1) user has no concerns about their actual transaction (2) it's a separate journey that could be made clear to the user.
16:48:05 Renan: Yes, that makes sense
16:48:30 Sameer: 3DS 1.0 had "enrollment during shopping" which was considered bad. The transaction took too long and errors messed with the transaction.
16:48:36 ...so we dropped that flow.
16:48:56 Bastien has joined #WPWG
16:49:02 ...if you enroll outside the transaction you are clear of 3DS limitations today
16:49:03 +1 to sameer's point
16:49:03 q?
16:49:03 q?
16:49:09 ack nick
16:50:00 nicktr: Another SPC registration moment could be at the moment that the user provides a card-on-file to Airbnb?
16:50:13 Renan: We do need some ID&V [with the issuer]
16:50:22 ...so we leverage the 3DS challenge for that
16:50:31 ...before that we cannot trust the card with this device
16:50:56 ...we use 3DS2 for device binding
16:53:27 q+
16:53:31 q+
16:54:08 Nick: Any more to say on trust model between PSP and issuers?
16:54:26 SameerT: Some of the trust comes through standardization in 3DS.
16:55:22 NickTR: There are fewer risk providers than issuers.
16:55:24 ack clin
16:55:34 q+
16:55:45 clinton: Regarding delegation, are your questions related to PSD2?
16:56:08 Nick: Yes, that's where I'm heading. At the moment we have provided a strong signal to issuers where they don't have to do a step-up
16:56:32 ...what I'm hoping to do is achieve a technical link between assertions signed by delegated RPs and the issuers.
16:56:41 ...can there be cryptographically established delegation
16:57:04 zakim, close the queue
16:57:04 ok, Ian, the speaker queue is closed
16:57:17 ack jean
16:57:45 JeanLuc: In 3DS there is a place to tell the issuer not to do a challenge.
16:57:53 ...so there is a place for the merchant to share information
16:58:16 ...but there is no place to share the SPC attestation
16:58:20 ...could that be useful?
16:59:28 Ian: I think that's available in the FIDO/EMVCo model
16:59:36 Sameer: The question is whether the data could be made available.
16:59:47 smcgruer_[EST]: If WebAuthn has it, it would be available
16:59:58 ACTION: smcgruer_[EST] to check whether the attestation is available during SPC flow
17:00:24 JeanLuc: I think there is no way to carry the information in SPC context.
17:00:37 q?
17:00:44 ack careyf
17:00:56 careyf: In the pilot, does Adyen own the issuer relationship?
17:01:01 q+ : EMV 3DSWG will consider this for future enhancement if SPC/WebAuthn allows collection of this data
17:01:34 ChristianA has joined #wpwg
17:01:34 jyrossi has joined #wpwg
17:01:35 Renan: We as an RP have to fulfill scheme requirements
17:02:02 SameerT: Regarding attestation, we can consider that in future 3DS revision
17:02:13 smcgruer_[EST]: For delegated auth today with 3DS is there a field for attestation?
17:02:21 SameerT: You have a place for attestation and/or assertion
17:02:39 Doug: In the case where the issuer is the RP, the issuer already has it. If the merchant is the RP, then I think there is a gap.
17:03:06 q+ : just want to make sure the action is minuted
17:03:31 3DS threeDSReqAuthData field could contain SPC attestation from merchant delegation flow. Therefore, issuer could perform risk analysis and recognize the authenticator behind
17:03:48 ACTION: Sameer to see about enhancing 3DS flow to include attestation if available in SPC context.
17:04:42 [Peter, Renan leave]
17:04:52 Topic: Airbnb/Adyen SPC pilot update
17:05:00 Topic: SPC on Android
17:05:25 smcgruer_[EST]: I'm the primary editor of SPC spec and lead this work in Chrome. Here's an update on implementation.
17:05:42 NakjoShishkov has joined #wpwg
17:05:54 NakjoShishkov has joined #wpwg
17:08:00 etiennenoel has joined #wpwg
17:08:06 -> http://www.w3.org/2022/Talks/spc-google-20220912.pdf Stephen's slides
17:08:50 smcgruer_[EST]: the thirdPartyPayment extension has landed in CTAP2
17:08:58 ...no immediate impact but good foundation
17:09:00 q+ to ask about remote authenticators
17:09:05 ...still work needed to figure out the story for remote authenticators
17:09:06 zakim, open the queue
17:09:06 ok, nicktr, the speaker queue is open
17:09:09 q+ to ask about remote authenticators
17:09:38 smcgruer_[EST]: We also renamed rp->rpid and we'll do both fields for some period of time (3 milestones)
17:10:04 smcgruer_[EST]: We started origin trial with opt-out (optional) feature
17:10:23 ...the opt-out relates to RP storage
17:10:30 ...this relates to interpretations of GDPR
17:11:09 ...the payment request error indicates opt-out, and then the caller's responsibility is to share that with the RP
17:11:44 ...we ARE contemplating changing the message to "successful opt-out" instead of Abort
17:12:08 smcgruer_[EST]: We are in discussions with Web Auth about allowing cross-origin create()
17:12:25 ...we want to move this into Web Authn for all credentials.
17:12:35 ...I hope we'll have robust discussion tomorrow on this
17:13:07 smcgruer_[EST]: Regarding SPC in Android, we changed both spec and implementation to allow resident keys
17:13:17 ...I don't know when Android will support discoverable credentials.
17:13:34 ...we still need to add opt-out and a few other things, but you can try it out today
17:13:57 smcgruer_[EST]: Why did it take so long to ship on Android?
17:14:46 ...the main reason has to do with the browser caching information about credentials as being special for payment
17:14:54 ...(the feature that is moving to CTAP2)
17:16:14 ...this caching approach is per-browser, limiting reuse of credentials
17:17:07 ...several problems including both false negatives and false positives.
17:17:18 ...it also doesn't support the "first party payment" use case for SPC
17:17:31 ...so on Android, we added OS-level credential support
17:17:49 ...Chrome tells Android to mark the credential as a 3p payment credential
17:18:17 praveenas has joined #wpwg
17:18:48 ...some consequences of this approach:
17:18:54 a) works for first-party context use case
17:19:04 b) Third party payment is no longer browser-scoped
17:19:29 q?
17:19:59 smcgruer_[EST]: We change the OS API to support thirdPartyPayment bit
17:20:39 ...we have built on top of listCredentials(rp_id); and the browser also gets back the thirdPartyPayment bit.
17:21:07 ...so the browser looks to see whether it's a 1p or 3p context, whether the bit has been set, and after filtering decides whether there are matching credentials
17:21:31 [SPC Demo on Android]
17:22:50 smcgruer_[EST]: You can turn on a flag today and do this yourself. But not yet shipped: opt-out support.
17:23:19 ...also not yet shipped: 1p use case
17:25:10 q+
17:25:23 [Nick tries out the demo to show that it works on his phone]
17:26:17 smcgruer_[EST]: What's next?
17:26:24 ...should we ship opt-out?
17:26:46 ...we don't love it as a concept; we need to hear clear demand from people who are going to use SPC.
17:27:02 ...we want to use authenticator level APIs on more platforms; we need to engage with Microsoft and Apple
17:27:51 q?
17:27:57 ...there are other UX challenges, and "no matching credential / privacy" tension
17:28:05 q+ later
17:28:10 q-
17:28:13 q-
17:28:17 ack JeanLuc
17:28:37 JeanLuc: Regarding the platform, you said browser would invoke get list.
Is there any reason why there is not a parameter to add rpid?
17:28:53 smcgruer_[EST]: We don't need the list credential API fully; it exists for conditional UI.
17:29:21 present+ Tomoya+Horiguchi
17:29:25 present- Tomoya+Horiguchi
17:29:28 present+ Tomoya_Horiguchi
17:29:49 smcgruer_[EST]: We are thinking about moving the API further into Android. We might be able to enable SPC in web views...if we bake it into Android.
17:29:56 q+
17:29:57 present+ Jean-Yves_Rossi
17:30:17 smcgruer_[EST]: And similarly, if we push this into the OS we could enable SPC for Android Apps
17:30:22 ack NakjoShishkov
17:30:41 Nakko: Great to hear porting to Android. If a browser can access the credentials, could other apps access the credentials?
17:30:50 smcgruer_[EST]: No; we have a list of trusted apps (browsers)
17:31:15 ...we probably could have it work for your own origin (e.g., if you are the app for bank.com) you probably could have the credentials for your own origin
17:31:26 ...but if we wanted to do this cross-origin, we'd need to build it into the OS
17:31:35 q?
17:31:40 q+
17:31:54 Nakko: I am thinking about merchant app accessing credentials from the 3DS SDK
17:32:07 smcgruer_[EST]: Yep, we'd need to build into the underlying OS
17:32:27 ack SameerT
17:32:52 I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
17:33:56 q+ javad
17:34:02 zakim, close the queue
17:34:02 ok, nicktr, the speaker queue is closed
17:34:15 ack J
17:34:33 javad: What is the retention policy for user database?
17:34:37 smcgruer_[EST]: User can clear it
17:34:53 ...I don't think there's a retention policy. But the data we are storing is non-sensitive data (e.g., the public key)
17:35:17 Javad: If you put the data in the db, how do you sync for multi-device scenarios?
17:35:52 smcgruer_[EST]: That is what passkeys address. There are ongoing discussions about device public keys
17:36:06 q?
17:36:16 RRSAGENT, make minutes
17:36:16 I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
17:46:26 magda_sypula has joined #wpwg
18:04:43 careyf has joined #wpwg
18:09:04 Sue has joined #wpwg
18:11:47 Topic: FIS/Worldpay use cases
18:12:31 [Brant introduces himself]
18:12:56 Brant: Want to talk about payments use cases and also broader reach within this community
18:13:16 ...one goal is to re-introduce FIS to W3C community
18:13:50 q?
18:13:53 clinton has joined #wpwg
18:14:22 Brant: FIS has a merchant processing channel, issuance channel, and user-facing wallet
18:15:22 praveena has joined #wpwg
18:15:24 ChristianA has joined #wpwg
18:15:41 ...represent 4000 financial institutions (some smaller, medium)
18:15:56 ...we have a consumer-facing wallet (GoCart)
18:16:19 ...we have a growing network of consumers using this wallet
18:16:32 ...branded GoCart, which is integrated into FIS merchant processing
18:16:43 ...we are also planning to expose to non-FIS acquirers
18:17:08 q?
18:17:39 MattC has joined #wpwg
18:17:48 Brant: We hear a lot about three main use cases.
18:18:00 ...first I will call the post-pandemic reinvents
18:18:07 s/reinvents/reinventors/
18:18:38 ...these are shops that want to transition from shopfront to digital first
18:19:06 ...key to their strategy is about using their brand as their key strength for their digital strategy (e.g., expansion of subscription options)
18:19:12 present+ Marcos_Caceres
18:19:29 q+ to ask about geographic coverage of these personas
18:19:34 zakim, open the queue
18:19:34 ok, nicktr, the speaker queue is open
18:19:35 zakim, open the queue
18:19:35 ok, nicktr, the speaker queue is open
18:19:38 q+ to ask about geographic coverage of these personas
18:19:40 present+ Sami_Tikkala
18:19:50 ack Nick
18:19:50 nicktr, you wanted to ask about geographic coverage of these personas
18:20:05 nicktr: Is this global or US-focused?
18:20:11 Brant: This one is particularly US-focused
18:20:11 q+
18:20:24 Brant: Most of our customers use multiple PSPs globally
18:20:42 ...I am mostly focused on US here.
18:21:03 ...Vantiv (our original brand here) was historically focused on big box retailers
18:21:06 ack clinton
18:21:07 ack clinton
18:21:26 clinton: Regarding identification of shoppers, you said people wanted to identify their customers pre-authorization; how far in advance?
18:21:33 D_fisher has joined #wpwg
18:21:54 Brant: I mean "before the authorization request is submitted"; if the customer can identify the customer before that they can apply discounts, for example.
18:22:02 Clinton: These are shoppers that don't have accounts?
18:22:18 Brant: Right, they could be doing guest payments, or using alternative payments, etc.
18:22:31 ...loyalty is hard to reconcile after auth message.
18:22:32 q?
18:22:33 q?
18:22:54 Brant: The second main use case is focused on "seamless shopping experience"
18:23:20 ...they want personalized checkout experiences for their shoppers to avoid abandonment
18:23:26 ...these are not focused on their own brand
18:23:31 ...focused on UX
18:23:48 ...so optimizing for mobile browsers, increasing conversions through analytics, etc.
18:24:02 ...e.g., they have data on how latency leads to abandonment.
18:24:22 ...they are interested in things like "one-click" payments.
18:24:37 ...interested in whether they have seen the shopper previously to create a more consistent UX for the user
18:25:18 Brant: Third use case is those seeking strong control over their checkout experience.
18:25:26 ...they don't want to look like everyone else.
18:25:43 ...they want full control and detailed control.
18:25:56 ...they are not as interested in standards since they want to distinguish themselves.
18:26:13 ...they know their shoppers better than anyone else.
18:26:30 ...many in this top 15 segment have co-branded cards as well
18:27:11 q+ to ask if ebt cards are cobranded
18:27:14 ...they want some optionality to accept, e.g., government-supported (in the US: Snap) cards
18:27:29 ack Nick
18:27:29 nicktr, you wanted to ask if ebt cards are cobranded
18:27:40 nicktr: Are EBT (snap) cards co-branded?
18:27:47 takashi has joined #WPWG
18:27:55 Brant: They are closed-loop pre-paid cards (e.g., issued by FIS or FISERV)
18:28:02 ...they are not co-branded
18:28:25 Nick: Are they EMV-style cards?
18:28:27 Brant: No
18:29:25 ...we started to want to enable EBT for COVID to enable more users to be able to shop without having to go into stores.
18:29:34 q?
18:29:54 q+
18:30:17 nicktr: There is a connection here between underserved population and the mission of W3C
18:30:27 ack J
18:30:34 ack JeanLuc
18:31:21 JeanLuc: to avoid "declines" is there space here to help merchant understand "declines" and help the merchant to try a second authorization request.
18:31:45 Brant: The one challenge we have is that we get back generic declines.
18:32:10 q?
18:32:11 ...we are starting to look at potentially dozens of decline messages to find more cases.
18:32:31 Brant: Some key customer themes.
18:32:55 q+
18:32:55 1) Merchants want to know who their customers are prior to authorization
18:33:08 2) Data is not always available based on payment types or implementations
18:33:22 3) Cart abandonment is a problem due to extra friction and payment problems.
18:33:34 ack cli
18:33:34 ack clinton
18:33:58 clinton: Regarding using payment credentials as representation of shopper. Do you see merchants using PAR?
18:34:18 Brant: I think PAR can be effective. But it may not solve all use cases (especially if it only happens post-authorization).
18:34:45 ...PAN is useful today even if not the right thing for the future.
18:35:11 ...for risk mitigation not sure PAR is enough; we've seen up to 50 tokens associated with one PAR.
18:35:30 ...if you are a merchant, I'm not sure they have the same resources to do the sort of AI used for fraud mitigation.
18:35:40 ...I think if we could get PAR before authorization, it could help.
18:36:01 ...could help to get access to PAR outside of payments flow
18:36:12 ...the value is perhaps there, but implementations may need to be enhanced to get us there.
18:36:24 clinton: I don't know that PAR is part of SPC.
18:36:33 smcgruer_[EST]: No.
18:36:51 [Pause to revisit the origins of tokens and PARs]
18:38:20 q?
18:38:22 q+
18:40:39 ack me
18:41:00 Ian: Not sure this needs to be specified in SPC. I don't know whether 3DS field for SPC would allow use of PAR v. PAN
18:41:16 clinton: I am hearing value in getting the PAR into the ecosystem.
18:41:23 Brant: Yes, that's step one.
18:41:34 clinton: It's not consumer level; it's account level
18:41:44 q?
18:41:49 q?
18:42:19 Brant: One use case I'd like to discuss that's creating some issues for our merchants is using tokens with auto-fill.
18:43:14 q+ to ask about storage
18:44:13 ack me
18:44:13 nicktr, you wanted to ask about storage
18:45:45 Brant: There is clear value to tokens. I want to communicate feedback we are getting, and to discuss whether there are standardization opportunities here.
18:45:55 ...tension here is between security and UX
18:46:12 ...merchants lose ability to create customized experiences.
18:46:33 ...e.g., post-authorization analytics, chargebacks, etc.
18:46:45 ...they all rely today on representations of cards that don't work with tokens
18:46:59 ...and merchants concerned about losing debit routing abilities
18:47:23 q+ to ask about autofill
18:47:25 q+
18:47:31 ...merchants will resist some of the capabilities if they are unable to adapt
18:47:39 ack nick
18:47:41 nicktr, you wanted to ask about autofill
18:48:01 nicktr: Is there a web standard for autofill?
18:48:02 (No)
18:48:08 q+
18:48:28 Devin: You can turn off autofill in HTML, but how it works is implementation dependent.
18:48:58 Brant: Our merchant community can take a scorched earth approach, but it degrades the shopping experience.
18:49:35 Devin: I would happily see autofill be standardized, but even better is when web sites do the right thing
18:49:39 smcgruer_[EST]: +1 to Devin.
18:49:57 ...there may be some more work over next few years to do more work on autofill.
18:50:15 ...but work is stymied by wrong use of html attributes
18:50:33 ChristianA has joined #wpwg
18:50:35 Devin: Although HTML has a decent level of semantic information, more would help.
18:50:47 ...but also don't want too large of a set of input types.
18:50:58 q?
18:51:01 q-
18:51:09 ack clinton
18:51:10 ack clinton
18:52:36 nick: My understanding is at least Google and possibly Apple are becoming token requestors.
18:52:47 ...they get back a token pan scoped to the device and the browser (I am speculating)
18:53:04 smcgruer_[EST]: I think it's browser-scoped, not device scoped
18:53:11 nicktr: You could get PAR on that token request
18:53:13 clinton: Yes
18:53:15 q?
18:53:17 Fahad has joined #wpwg
18:53:46 q?
18:54:39 Brant: Also here would like to ask -- what can FIS/Worldpay do more to take an active role within W3C?
18:55:02 q?
18:55:42 Ian: Does it make sense to work on an experiment to get pre-Auth PAR by working with browsers and TSPs?
18:55:46 Brant: Yes, that would be a good action.
18:57:51 q?
18:58:08 I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
19:54:59 Hemnath has joined #wpwg
19:59:21 NakjoShishkov has joined #wpwg
20:02:08 benoit has joined #wpwg
20:02:28 takashi_ has joined #WPWG
20:05:41 SameerT has joined #wpwg
20:05:59 present+ Gerhard_Oosthuizen
20:06:13 Topic: Microsoft perspectives
20:06:23 magda_sypula has joined #wpwg
20:06:23 Fahad has joined #wpwg
20:07:06 careyf has joined #wpwg
20:07:38 Dean: I am part of the payments team at Microsoft.
I was responsible for the authentication program in Europe
20:09:16 ...Microsoft is a global e-commerce merchant
20:09:29 ...do sales with credit cards, alternative payments, etc.
20:09:35 ...lots of countries and currencies
20:09:38 ...both business and consumers
20:09:43 ...both one-time sales and recurring
20:09:50 ...digital goods and physical goods
20:10:23 ...we implemented 3DS v2 back in 2019
20:10:27 ChristianA has joined #wpwg
20:10:56 ...we have not built support for exemption flagging or soft decline.
20:11:24 [On SCA]
20:11:41 Dean: The frictionless option in 3DS makes a big difference in the UX and business result.
20:12:00 ...the take away in terms of impact is that we've seen a net negative impact at Microsoft
20:12:23 ...because SCA performance is poor. Challenge rates are high; authentication success rates are low
20:13:31 MattC has joined #wpwg
20:13:38 ...the ecosystem was not ready, in our view, to leverage the flexibility allowed by EU rules
20:13:56 [Data on Microsoft authentication]
20:14:43 Dean: We have distinct implementations of 3DS for our web-based scenarios (where a user is visiting an MS storefront from a browser) and MS Console (where we have an SDK)
20:14:55 Q?
20:15:34 Dean: Especially early on we saw a big difference in performance on Consoles (75% success rate) and Web (67% success rate).
20:16:13 q+
20:16:16 ...performance in the UK was much better than the average.
20:16:22 q+
20:16:36 ...so the 3DS experience differs depending on the issuer community in a given country
20:16:46 ...the numbers I'm showing are a "first attempt"
20:16:54 q-
20:16:59 ...In EU or UK, 1/4 fails on the Web first time
20:17:37 ...when first attempt fails, users may retry or switch to a new payment method. Success rate does tend to improve with 2nd attempt.
20:18:03 ack careyf
20:18:19 careyf: Did you only implement the additional step-up in the UK and EU?
20:19:03 Dean: We've tested in some other markets (e.g., Mexico)
20:19:08 ...we do 3DS v1 in India
20:19:29 ...but Europe with some experimentation in Australia and Mexico
20:19:35 +q
20:19:38 ...the reasons we are looking at 3DS in the other markets vary
20:20:02 ...in Brazil, if you enable 3DS you can accept debit cards online
20:20:25 q+
20:20:42 ...in Mexico, we are unable to challenge or re-present chargebacks. Authenticated transactions give us a way to deal with that unusual situation.
20:20:44 ack benoit
20:20:47 ack benoit
20:21:01 benoit: In markets like India and Australia, do you have comparisons with other methods (e.g., UPI)
20:21:09 ...is the issue the buyer or the method?
20:21:46 Dean: What we do in Australia is we randomly enable authentication for a small percentage of transactions (e.g., 5%)
20:22:07 ...in a legitimate experiment, people could compare results with/without authentication.
20:22:19 ...however, in India we have not implemented UPI and don't therefore have a comparison.
20:22:38 ...what we did in Europe (which allowed us to draw conclusions) is compare historical trends for cards with PayPal.
20:23:19 Gerhard has joined #wpwg
20:23:28 ...we lost 2-4% in conversions with SCA
20:23:36 ...that's settled down a bit since the initial measurements.
20:24:03 Fahad: 2-4% at authentication step (rather than authorization)?
20:24:06 Dean: Yes.
20:24:16 Fahad: Do you have any significant changes in authorization?
20:24:36 Dean: With transactions that have been successfully authenticated, the authorization rates go up, which is great.
20:24:46 ...but that has to be balanced against abandonment when authentication fails.
20:24:53 q?
20:24:55 ...when looking at both of those, SCA was a net negative for us.
20:24:57 ack
20:25:01 q?
20:25:04 ack Fahad
20:25:22 Dean: When I talk about authentication success rates being too low, let's look at the components.
20:26:16 ...Authentication Abandonment Rate (which I'll talk about in a moment) is measured in terms of 3DS protocol messages
20:26:44 ...we see 12% abandonment on the Web (for EU + UK)
20:26:48 q+
20:27:06 ...we see high challenge rates as well: 68% of transactions on Web (EU + UK)
20:27:28 ...in the UK, the banks keep the challenge rates relatively low (28%) compared to the rest of Europe.
20:27:48 s/(EU + UK)/(EU ex UK)/
20:27:54 q+ Why UK so low on Abandonment? What was different?
20:28:03 q?
20:28:03 q+
20:28:24 ack Gerhard
20:29:13 Gerhard: SCA is two factor. Many other markets have single factor auth. Do you see differences in abandonment rates between single factor and 2-factor on the challenge itself?
20:29:44 Dean: I don't have any data to share, but I could speculate that there is more success when less friction.
20:30:01 ...this is also part of why you get such a difference for SCA over 3DS
20:30:35 ...different banks use different authentication methods (e.g., banking app opens on user phone; the user just pushes a button to say yes)
20:30:58 ...some banks invested in good authentication experience; others did not
20:31:22 Q?
20:31:28 ...one-time passcodes or security questions tend to lead to more failure.
20:31:49 ...as merchants, it's the variability in issuer UX that can be frustrating.
20:31:51 ack Mag
20:32:03 magda_sypula: Why is the UK doing better (it seems)?
20:32:23 Dean: The main difference is the third column. In the UK, the majority of authentication requests will be approved or declined using the frictionless flow.
20:32:34 q?
20:32:43 ...the customer is not stepped up for a challenge. It's the lower challenge rates that drive greater authentication success.
20:33:04 q+ to ask if the lower challenge rate is due to SCA exemptions, or better risk analysis, or ...
20:33:12 ...if you are a bank with a risk system and you have an incoming authentication request, there's going to be a small set of transactions likely to be fraudulent, so you just say no.
20:33:24 ...and others you are obviously confident to accept
20:33:38 ...so it's the small band in the middle where the bank is not sure where the step-up challenge should occur.
20:33:56 ...the UI systems have optimized their risk systems to behave this way.
20:33:58 ack smcgruer_[EST]
20:33:58 smcgruer_[EST], you wanted to ask if the lower challenge rate is due to SCA exemptions, or better risk analysis, or ...
20:34:00 Q+
20:34:05 ack smcgruer_[EST]
20:34:20 smcgruer_[EST]: Is the lower challenge rate in the UK because they ask for exemption more frequently?
20:34:32 ...or are purchase patterns different?
20:34:45 Dean: The banks in the UK took a different view of their obligations under PSD2
20:35:17 ...supported by the FCA in the UK (the regulatory body for banks in the UK) they were given permission to take an approach where they could take a more "commonsense" approach to step-up.
20:35:59 ...we spoke with other banks and card networks in 2020, 2021; what we found is that banks in other countries (guided by their regulatory bodies) would take a more black and white approach to PSD2.
20:36:28 ...the UK banks were more willing to grant exemptions from the issuer side.
20:36:34 ...the TRA exemption
20:36:51 q?
20:37:00 ack Fahad
20:37:20 Fahad: @@
20:38:01 Fahad: For transactions where the issuer requested a challenge, how did countries compare?
20:38:39 Fahad: For the 16% where challenge was requested, how was completion?
20:39:04 Dean: Great question. In my scorecard, cf "CSR" (challenge success rate)
20:39:29 q?
20:39:37 ...a challenge in the UK success rate about same as for France. So the difference in "rate" is due to UK doing fewer challenges.
20:40:43 [Strategies to mitigate PSD2 impact]
20:40:50 q+ to fly the flag for SPC
20:40:50 Dean: I am often asked "so what can we do?"
20:41:05 Dean: We should avoid authentication whenever we can.
20:41:29 ...some transaction types are out of scope (e.g., subscriptions)
20:41:39 ...customer-not-present transactions
20:42:33 ...another strategy that emerged was to attempt authorization first with exemption flagging in the authorization message, and only if authorization declined by the issuer who explicitly asks for authentication, doing authentication.
20:42:45 ...moving customers to alternative payment methods is another way to get around the SCA requirement.
20:43:03 ...we saw an increase in PayPal volume as a result of PSD2 for example.
20:43:08 clinton has joined #wpwg
20:43:13 Dean: The second big strategy is to avoid the challenge.
20:43:33 ...merchants can share additional data during authentication (cf the long list of 3DS fields)
20:43:44 q+
20:43:47 ...you can also do exemption flagging in the authentication request itself
20:44:23 ...PSD2 also has a "trusted beneficiary" option where customer can opt out of future challenges.
20:44:24 Sue has joined #wpwg
20:44:35 ...e.g., Amazon was interested in that to preserve one-click experience.
20:44:54 ...trusted listing is a good example of a provision under PSD2 that is not widely implemented in the ecosystem.
20:45:09 ...very few issuers implement trusted listing.
20:45:37 Dean: If you can't avoid the challenge, then look to improve challenge outcomes. Delegated authentication fits in well here.
20:46:01 ...as a merchant we've seen that different banks have very different authentication methods. It's the inconsistency that drives a lot of the poor performance I've mentioned here.
20:46:21 ...handing over a piece of the checkout to the issuer is something that merchants hate.
20:47:21 Dean: The final big strategy is to attempt authorization EVEN IF authentication fails.
20:47:35 ...people ask "Don't you think those are fraudsters?"
20:47:51 ...and the answer is "mostly no; it's mostly just customers not getting through authentication."
20:47:51 q?
20:48:10 Dean: So we've got something called SafetyNet to preserve conversion rates.
20:48:41 ...outside of Europe (except for India) you don't have SCA requirements driven by regulation.
20:49:02 ...so as a merchant, we have an opportunity to be a lot smarter on how we do SCA and do it much more in-line with when we think there is risk of fraud.
20:49:08 Rose__ has joined #wpwg
20:49:13 q+
20:49:14 ...PSD2 has a more heavy-handed approach.
20:50:05 q- nicktr later
20:50:12 SameerT: This was very helpful. One question I have in terms of data being shared with issuers. Do you see much difference between what data is shared in the UK v other markets?
20:50:13 q+
20:50:18 q+
20:50:33 Dean: We share the exact data in UK and EU markets.
20:50:43 s/exact/exact same/
20:51:17 Dean: There are different risk systems for authentication v. authorization. The ACS risk models (for authentication) are not as mature as the card network models (for authorization)
20:51:56 SameerT: This data is very helpful; we are trying to define a roadmap for 3DS to ensure that risk models get enough data to avoid challenges.
20:52:15 ...cf other conversations at W3C about data collection from the browser.
20:52:34 ack SameerT
20:52:42 ack Gerhard
20:53:44 Gerhard: Would SPC be interesting (e.g., because merchant controls UX and issuer can validate assertion)?
20:53:58 Dean: This is a super interesting idea and something that I'm still learning about.
20:54:40 ...the idea is appealing. If we have an approach that can tackle either the fact that, today, customers have a poor experience with their bank, that would be great.
20:54:49 ...and if we have a way to lower the challenge rate, that would be great.
20:55:27 ...so we want both better experience for customer and lower challenge rates.
20:56:24 Gerhard: I perceive a difference in which authentication mechanisms are used between Web and native apps.
20:56:38 ...do you think issuers are concerned about that?
20:57:00 q+ nicktr later
20:57:06 q- later
20:57:19 Dean: It is an important consideration. You have merchants that are fully app-based (e.g., Uber) and so, from an issuer perspective they are going to need to support both.
20:57:44 ...if we are asking issuers to support a standard and that standard only targets web but not native, it lowers the ROI of that solution investment.
20:57:52 q?
20:58:00 queue== JeanLuc, nicktr
20:58:20 zakim, close the queue
20:58:20 ok, nicktr, the speaker queue is closed
20:58:32 Dean: App experience can be the best experience (app-to-app). The SDK flow can't be ignored.
20:58:32 ack JEan
20:59:20 JeanLuc: Regarding "avoid authentication". Regarding MIT/MOTO out-of-scope transactions...this is being re-evaluated and it may be complicated in the future.
20:59:46 ...for "authorization first with exemption flagging" ... we've started to see some penalties from issuers in the fact of soft declines.
21:00:09 ...you observe that some merchants are reluctant to share info through 3DS due to sensitive data.
21:01:33 Dean: the way I think about your comment...a merchant can't have it both ways. We can't complain about an issuer doing a high challenge rate if we are not giving the issuer information necessary to make a frictionless decision.
21:01:52 ...we would ask the issuer community to make it clear to merchants what the important fields are for issuer risk systems
21:02:03 q?
21:02:09 Bastien has joined #WPWG
21:02:21 q+
21:02:40 JeanLuc: Maybe requirements in 3DS change based on availability or lack of other fields.
21:03:09 Dean: I don't think that EMVCo as a standards body would likely be that perspective. I anticipate it would be more from the card networks providing guidance on how to get good authentication performance.
21:03:10 q?
21:03:49 Bastien: As much as I love the conversation here, there's plenty of space for providing feedback directly to EMVCo.
21:05:02 NickTR: We'd love for you to implement SPC!
21:05:25 ...thanks again for the great presentation
21:05:32 Topic: EMVCo on SPC / Demo
21:06:08 I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
21:06:28 Doug: We're going to provide some EMVCo feedback on SPC.
21:06:43 ...feedback is mostly about how to handle some new category of transactions (e.g., subscriptions)
21:07:08 ...there's a lot of focus (e.g., in EU) on increasing the transparency of payment authentication when it involves asking users to enter a recurring transaction.
21:07:18 ...users may not always be aware of what they are being asked to consent to
21:07:55 -> http://www.w3.org/2022/Talks/emvco-tpac-2022.pptx EMVCo slides
21:08:40 Doug: In the transaction dialog we'd like to see more branding (so user understands context), an explanatory note, a larger icon.
21:08:51 ...we also want to extend SPC to handle non-payment use cases.
21:09:58 clinton has joined #wpwg
21:10:39 [Doug lists some use cases]
21:10:56 Doug: Different parameters that can be set independently:
21:11:01 * Amount (which may vary)
21:11:06 * Frequency
21:12:12 Doug: We'd like to be able to use SPC when recurring transactions occur; we see that segment growing
21:12:45 q?
21:12:48 ...another use case: I order 10 pieces of clothing and have one month to return some of them and I'm only billed for those I keep
21:12:50 q-
21:13:10 Doug: Another use case is variable amount/variable frequency (e.g., travel card)
21:13:19 q+
21:13:28 zakim, open the queue
21:13:28 ok, nicktr, the speaker queue is open
21:13:31 q?
21:14:17 Ian: Could you create an enumeration rather than arbitrary text?
21:14:33 Doug: That's really hard given use cases as well as other nuances like language differences.
21:14:49 ...in the 2.3.1 specification we have added a freeform text field to support this use case.
21:15:03 q+
21:15:38 ack Ni
21:15:58 nicktr: How commonly is 3DS2 being used to authenticate these recurring transaction use cases?
21:16:20 q+
21:16:38 Comment: Open Banking specs and EMV QR has 'codified' some of this variability. Could we perhaps use that?
21:16:59 Nick: Is this a rarely used bit of the spec? I'm not aware of many acquirers or issuers who would use this commonly.
21:17:37 ...is this commonly done today or emerging?
21:17:52 q?
21:18:06 ack Gerhard
21:18:37 q+
21:18:42 Gerhard: We look at open banking specs and they have a number of parameters around recurrence (as Ian was hinting). And the EMVCo QR spec has some parameters as well.
21:18:45 q+
21:19:07 Gerhard: I can see this working well for a subscription service.
21:19:13 ...or "would you like to trust this merchant?"
21:19:24 or "Would you like to have your card stored on file with this merchant?"
21:19:48 ...but I would be worried about very open consents ("any amount, any merchant", etc)
21:20:01 ack ChristianA
21:20:14 ChristianA: In the EU they've said "it happens a lot, but it doesn't happen in the right way"
21:20:50 q+
21:20:53 ...so European Union came to us to find solutions
21:21:09 ack smcgruer_[EST]
21:21:11 q+
21:21:34 smcgruer_[EST]: I think it is a very unlikely world where we will put arbitrary text in a secure dialog.
21:21:41 ...but I'm excited to hear the appetite for this.
21:22:07 ...if we can codify this in any way to hit 80% of use cases, that's much more palatable.
21:22:30 q+
21:22:37 q+ to talk about consent functionality in WebAuthn
21:22:40 ack Rose__
21:23:09 q?
21:23:16 Rose__: Regarding use cases and commonality; this does arise. Prices changing based on tax computations is another use case.
21:23:20 ack SameerT
21:23:35 SameerT: Could we define a set of use cases, e.g., "Travel", "Subscription"
21:23:56 Laka has joined #wpwg
21:24:09 smcgruer_[EST]: Our UX people will want to write the actual text.
21:24:28 ...regarding translation, the Web site and your Chrome UX may not be in the same language.
21:25:28 ack Gerhard
21:25:30 present+ Xu_Lin
21:25:44 Gerhard: I think there are three categories of use case:
21:25:46 1) ID & V
21:25:52 2) Payments
21:26:04 3) Consent about other data
21:26:38 ack me
21:26:38 Ian, you wanted to talk about consent functionality in WebAuthn
21:27:52 Ian: I will add "sign what you see" to tomorrow's joint meeting
21:28:27 q?
21:28:32 [Non-payment transactions]
21:28:40 Doug: What happens if we pass a "0" amount?
21:29:34 (We confirm payment request would allow this.)
21:30:03 Doug: We'd like to allow authentication for future payments. It would be good to suppress the 0 amount in this case.
21:30:27 smcgruer_[EST]: This gets to the point of "scope of SPC"; we've gotten support from the WebAuthn approach for our limited payments use case.
21:30:49 ...I'm not sure whether right vehicle is SPC or something else; we need to coordinate with the WebAuthn folks.
21:31:50 [Branding]
21:32:03 Doug: We think we need more branding so that people understand to whom they are authenticating.
21:32:19 q?
21:32:25 ...to the extent that there could be consistency in branding between the transaction dialog and the 3DS dialog, that would be helpful
21:32:48 smcgruer_[EST]: These are valid observations. There is certainly one verifiable bit of information (RPID) but that's not branded.
21:33:28 Ian: Does it help that images can be validated?
21:33:38 smcgruer_[EST]: No; the RP could be malicious.
21:34:11 q?
21:34:31 q+
21:35:13 q+ to be sure we are tracking the issues
21:36:05 ack Gerhard
21:36:20 Gerhard: Are there niche industry use cases that are relevant here (e.g., travel, hospitality)
21:36:33 ...I recall extensions for travel and hospitality
21:37:09 SameerT: I don't think those extensions are relevant here.
21:37:15 erhardbrand has joined #wpwg
21:37:48 ack Ian
21:37:48 Ian, you wanted to be sure we are tracking the issues
21:37:50 https://github.com/w3c/secure-payment-confirmation/issues
21:39:53 [We validate that all the issues raised today are in the SPC issues list]
21:39:58 [Demo]
21:47:00 [Demo where there's a timeout in the transaction dialog]
21:49:20 q+
21:49:21 q?
21:49:23 Dropping off as nearly midnight on my side. Enjoy the rest of the sessions! And thank you to all the presenters.
21:49:33 SameerT: Can you run through the merchant-initiated flow?
21:50:03 SameerT: Does clicking "Confirm purchase" constitute a user activation?
21:50:21 smcgruer_[EST]: If SPC is called from merchant domain, then it suffices.
21:50:46 ...if you were looking at the case where there's an iframe, if you have an issuer button in that case, that would constitute the user activation.
21:50:57 SameerT: What about where Adyen takes you to their own domain?
21:51:42 smcgruer_[EST]: You have two options. Suppose Adyen opens an iframe in the Airbnb domain. There's a way to delegate the user activation from Airbnb to Adyen. If this is not done, then Adyen would need to have their own user interaction.
21:52:02 ...I think that's how they are doing it these days. It does allow the PSP to offer alternative authentication approaches as well.
21:52:31 q?
21:52:34 ack smcgruer_[EST]
21:52:40 ack SameerT
21:52:51 SameerT: In 3DS we do tell merchants what they need to do; might need to say more to them about user activation.
21:53:03 q?
21:53:33 smcgruer_[EST]: An advisory note might be useful. But in the case of issuer initiation, you probably don't want to recommend that the merchant delegate a user activation to the issuer.
21:53:57 q?
21:54:06 SameerT: The merchant doesn't yet know whether the issuer is prepared to do SPC. So the merchant (which does know it wants to do SPC) may need to do the user activation even if it ends up not being used.
21:57:37 smcgruer_[EST]: The only reason SPC requires a user gesture is that payment request requires it. But WebAuthn.get() does not require a user activation.
21:57:50 ...but I can see a world where people don't require a user activation
21:58:04 q?
21:58:08 I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
22:29:59 ChristianA has joined #wpwg
22:30:13 Rose has joined #wpwg
22:34:34 Topic: SPC getting to CR
22:34:48 -> https://github.com/w3c/secure-payment-confirmation/wiki/SPC-Candidate-Recommendation-Vision Vision
22:35:03 careyf has joined #wpwg
22:35:08 Hemnath has joined #wpwg
22:35:20 takashi has joined #WPWG
22:37:19 https://github.com/WebKit/standards-positions/issues/30
22:40:19 q?
22:40:42 https://wpt.fyi/results/secure-payment-confirmation?label=experimental&label=master&aligned
22:41:41 https://github.com/w3c/secure-payment-confirmation/wiki/SPC-Candidate-Recommendation-Vision
22:42:05 https://github.com/w3c/secure-payment-confirmation/issues?q=is%3Aissue+is%3Aopen+-label%3A%22after-v1%22
22:42:15 https://github.com/w3c/secure-payment-confirmation/issues?q=is%3Aissue+is%3Aopen+label%3A%22after-v1%22+
22:43:00 Ian: It would be great to get feedback from Apple on the standards position, and if there are a small number of suggestions, I expect the WG would like to get them done in V1
22:43:08 [Nick does a review of the W3C process states]
22:45:58 q?
22:46:52 I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian
22:47:15 q?
22:47:29 scribenick: nicktr
22:47:43 ian reviews future SPC requirements
22:47:49 https://github.com/w3c/secure-payment-confirmation/issues?q=is%3Aissue+is%3Aopen+-label%3A%22after-v1%22
22:49:00 ian: https://github.com/w3c/secure-payment-confirmation/issues/205 is about giving the browser extra information about how to internationalise things like merchant name
22:49:56 Web3 means many things to many people. Some see Web3 as a collection of existing technology that is used to scam many newcomers of their wallet contents. Others see this as a means to a future state where the world's transactions are made on a distributed ledger or blockchain. In this session, we will be exploring what Web3 means to those building in the space and where the intersection of Internet standards might occur, if at all. Think of this as an exploratory conversation with participants in the field and those that are curious about the future of this technology.
22:50:05 https://github.com/w3c/secure-payment-confirmation/issues/197
22:52:06 ACTION: smcgruer_[EST] to get info on priority of more icons in transaction dialog from design team
22:53:35 ian: issue 187 is about providing clarity about the relationships between the various parties in an SPC authentication
22:54:41 ian: 186 is non-payment use cases including "zero value" authentication
22:56:13 ...so it would be good to understand what we need to display
22:57:00 doug: this steps us into the use case for where the initial payment is zero but the recurring payment is non-zero
22:57:31 https://github.com/w3c/secure-payment-confirmation/issues/186
22:57:40 sameerT: adding a card to a wallet is another good example of this
22:58:29 smcgruer_[EST]: could you do this with your own UI and WebAuthn?
22:58:39 SameerT: yes
23:00:05 smcgruer_[EST]: SPC enrolment is the same as WebAuthn - the only difference is the extra payment bit that gets set
23:00:17 ...so my challenge would be that WebAuthn should be used
23:00:58 clinton: which credential are we talking about?
23:01:19 ...the SPC component is just about giving the merchant additional reassurance
23:02:18 I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html nicktr
23:03:00 smcgruer_[EST] use case: re-prove your identity when adding an existing credential to a wallet; is there value with user consent that they added a card?
23:03:37 ACTION: Sameer to work with the 3DS WG to write down in more detail the "non-payment transaction" use case.
23:05:43 [ADJOURNED]
23:05:48 I have made the request to generate https://www.w3.org/2022/09/12-wpwg-minutes.html Ian