Warning: This wiki has been archived and is now read-only.
Main Page/Security2017
From Web Commerce Interest Group
These are some ideas for a security task force scope within the IG. This is a draft in development by Ken Mealey and Ian Jacobs.
Questions? Contact Ian Jacobs <ij@w3.org>.
Goals
- Consistent with the WPIG Charter, help assess whether the deliverables of the Web Payments Working Group can be used to make secure payments.
- Through trusted assessments and review, provide assurances to ecosystem stakeholders about the ability to use the APIs securely.
- Encourage specification implementers to adopt security best practices to protect user data.
Discussion Scope
- Assessment of deliverables of the Web Payments Working Group
Out of Scope
- Digital Offers
- Digital Receipts
- Strong Authentication / FIDO integration
Tactics for Developing Assessments
- Solidify assessment methodology
  - Research/leverage how EMVCo, PCI, FIDO and X9 do security reviews.
- Recruit qualified reviewers
  - Work with the Web Security IG
  - Hire a firm to perform a security evaluation
  - Encourage review by other organizations with similar interests in security (e.g., PCI, EMV, FIDO)
  - Request that W3C Member organizations implementing the specification share their own security evaluations.
Deliverables
- Assessments
  - Web Security IG review (first requested January 2017).
  - Security Evaluation Report from a firm specializing in security evaluations
  - Evaluation / public statement by PCI and other affiliates
- Translation of assessments
  - Into concrete comments on WPWG deliverables
  - Into best practices in the developer portal
Candidate Topics
- Digital Signatures on PaymentRequest or PaymentResponse
- End-to-End Encryption for Payment Instrument Details
- Tokenization for Payment Instruments
- Relation to PCI scope (and whether we can do better than status quo)