RE: EMV on the Web - A workable idea?

Hello guys,

Whether EMVCo protocols as they are – or the EMVCo brand – might be relevant in the future is IMHO a relevant – but not a decisive – question for our work. On the NFC front it’s established for the future, so we had better be able to cope with it if we keep to the ‘convergence’ idea. I am, however, confident that other – perhaps proprietary or industry-specific – approaches will be running over the same NFC interfaces and within the same wallet. Simply because there will likely never be a one-size-fits-all solution.

The same kind of modularity should work for online processes. If EMVCo come up with definitions on how to convey their protocol over HTTP and how to secure the transaction flow, I think it’s fine. They might as well decide to come up with something entirely new, calling it EMVCo-Online, based on entirely different technology. If it fits into our work, I’d be happy as well. The consequences for merchants, terminal vendors, services might be immense, though. So I would leave this kind of development to their industry, to the market, and look forward to the evolution taking place.

Is there anything really speaking against this degree of ‘neutrality’ to specific implementations?

All the best,
                Jörg

From: Adrian Hope-Bailie [mailto:adrian@hopebailie.com]
Sent: Monday, 3 August 2015 10:47
To: Anders Rundgren
Cc: Web Payments IG
Subject: Re: EMV on the Web - A workable idea?

EMVCo's answer to card-not-present is tokenisation.
This is what Apple Pay employs.

I expect this will be the same approach of the card-based scheme operators in adopting whatever standard comes out of the Web Payments WG.

On 3 August 2015 at 06:33, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
The traditional payment industry have settled on using EMV for POS transactions.
That is, even Apple Pay uses EMV by emulating physical cards over an NFC transport.

EMV is a very low-level card protocol which at least historically always depended on a trusted "Payment Terminal" which in turn did the actual talking with other systems including the POS.

Now to the issue...
A merchant Web server indeed functions as a virtual POS, but does a wallet actually replace the payment terminal?

The answer to this simple question will have dramatic implications on Web Payment WG deliverables.

Although I'm by no means an expert on EMV, my gut feeling is that we need a NEW protocol for the Web in order to achieve comparable security to EMV.

Anders
sending his weekly question/update

Received on Monday, 3 August 2015 10:05:42 UTC