Agenda FTF2021

This is the agenda of a WPWG meeting: 29 March - 1 April.

• Registration. Please register to help us manage attendance. See attendance below.
• Call in logistics. Requires a W3C Member account.
• Meet on irc.w3.org in #wpwg

Background Reading

• Secure Payment Confirmation (SPC)
• SPC and Open Banking Use Cases
• Stripe presentation

Minutes

• 29 March
• 30 March
• 31 March

Agenda

Please Review Antitrust and Competition Guidance

Times below shown are ET. Other time zone hints: 15h00-17h00 UTC / 8-10am PDT / 4pm-6pm BST.

29 March

• 11:00-11:10: Welcome, IRC, Antitrust reminder (Nick Telford-Reed)
• 11:10-11:30: Background to the agenda / problem statements (slides) (Adrian Hope-Bailie)
• 11:30-12:30: SPC experimental results and discussion (Benjamin Tidor, Stripe)
  • See 18 March presentation and summary blog post on SPC
• 12:30-13:00: EMV® 3DS risk assessment requirements (Sameer Tare, Mastercard)

30 March

• 11:00-12:00: SPC and frictionless flows (slides) (Gerhard Oosthuizen, Entersekt)
• 12:00-12:45: SPC and open banking (slides)(Chris Wood)

31 March

• 11:00-12:15: SPC design considerations and initial API thoughts (slides)(Danyao Wang, Google)
  • 30 mins: Scope and parameters of the design space
  • 10 mins: Crowdsource interest and priority for the use cases
  • 30 mins: Open Discussion
  • Next steps / call for editors for a task force
• 12:15-12:40: Worldline demo (Anne Pouillard, Worldline)
• 12:40-13:00: Second Google origin trial for SPC

1 April

• 11:00-12:00: SRC use cases and requirements (Jonathan Grossar, Mastercard)
• 12:30-13:00:
  • Next meeting: 15 April (agenda)
  • PR API Next Steps
  • Overflow and wrap-up

Postponed:

• Chrome research on browser changes related to privacy / payments (Google)
• Discussion with Web Authentication WG (WebAuthn Chairs)
  • Level 2 status, Level 3 plans, any new payments features needed?

Requirements

This is a list of comments overheard during the meeting that may help us identify future requirements related to SPC.

• Is the core of SPC the transaction confirmation dialog
• Make the enrollment flow a standardized part of SPC.
• Localization requirements of browser-standard displays
• Nature of SPC Credentials and relation to Web Authentication Credentials:
  • RP should be able to upgrade a WebAuthn credential to an SPC credential (SPC as "drop-in" solution)
  • Parties should be able to distinguish the type of credential for a credential id (namely: standard Web Authn v. SPC Credential)
• UX behavior: if you don't have an authenticator, need silent fail to allow for seamless fallback.
• Allow flexibility for no user presence check
  • See Entersekt proposal as starting point
• SPC should be usable in delegated authentication scenario (delegation to the merchant)
• Should SPC be tightly coupled to WebAuthn, or could it be used with other authentication techniques?
• Should be possible to do SPC enrollment outside payment flow
• Allow transaction to be completed (with initial ID&V) while SPC enrollment is happening.
• Should be able to call SPC from an iframe?
• Should be able to call SPC from a payment handler?
• Should roaming authenticators be included in SPC's scope?
• Open banking:
  • What is value proposition to ASPSPs?
  • Does extending the SPC draft to add the consent identifer as a challenge make sense?
  • Is the name "Web Payments Cryptogram" too card-specific? Proposed: Payment Authorization Assertion
  • How does the PISP get access to the public key for assertion verification? (Ian: Might be done out-of-band)
• SRC:
  • SRCi/DCF can invoke FIDO, even as a non-RP origin, and retrieve FIDO assertion.
  • SCRi/DCF has a mechanism to understand whether browser supports SPC
  • SPC can be used with multiple payment methods
  • SPC credential includes card metadata from relying party
  • Transaction confirmation dialog displays card metdata, merchant origin, transaction amount.
  • No requirement to have a FIDO challenge generated by the RP, as long as the party that generates it is an entity trusted within the SRC system.
  • FIDO assertion data includes merchant identifier and transaction amount in the signature.
• What level of flexibility is required for nonce generation? Can browser generate one in some use cases?

Task Force Volunteers

• Benjamin Tidor (Stripe)
• Rolf Lindemann (Nok Nok Labs)
• Gerhard Oosthuizen (Entersekt)
• Adrian Hope-Bailie (Coil)
• Marcos Caceres (W3C)
• Stephen McGruer (Google)
• Michel Weksler (Airbnb)
• Sameer Tare (Mastercard)

Attendance

• Who has registered
• Bastien Latge (EMVCo)
• Christina Hulka (FIDO)
• Sameer Tare (Mastercard)
• Richard Ledain (EMVCo)
• Christian Aabye (Visa)
• James Longstaff (Deutsche Bank)
• Jean-Luc di Manno (FIME)
• Gustavo Kok (Netflix)
• Rafael Cappelletti (Klarna)
• Ulf Leopold (Klarna)
• Daniele Berto (Klarna)
• Remo Fiorentino (Klarna)
• Timo Gmell (Klarna)
• Aleksei Akimov (Adyen)
• Antoine Cathelin (Adyen)
• Deepu K Sasidharan (Adyen)
• Eric Alvarez (Adyen)
• Lucas Bledsoe (Adyen)
• Marc Perez i Ribas (Adyen)
• Nils Brenkman (Adyen)
• Staci Shatsoff (US Federal Reserve Bank of Boston)
• Vish Shastry (PayPal)
• Gargi Sharma (PayPal)
• Ryan Regan (PayPal)
• Jayasaleen Shanmugam (PayPal)
• Kincaid O'Neil (Coil)