RE: EMV on the Web - A workable idea?

Hi again,

Actually I see it as the other side of the medal themed ‘primitives’ as you, Anders, brought them up on Wednesday.

If W3C brought up communication primitives for payment transactions, which stand by themselves but can be combined for more value (like receipts), it should also be open to allow for ‘alien’ protocols to do their jobs within that protocol framework (if I may call it that).

My sneaky strategy would be to add further elements to this ‘framework’ which make it easier and more valuable for implementers to base future functionalities on this framework rather than developing new proprietary solutions. …and of course I wouldn’t call it a ‘sneaky strategy’ for PR reasons – rather an ‘inclusive strategy’ perhaps… ☺

I’d have a problem doing things the other way if it involves us assuming we already know the best way to solve all the specific aspects of this or that payment implementation – plus understanding how loyalty and identity should be included in the future. We won’t be able to think that much ahead and across all the different scenarios and industries, so I’d rather be open for the unknown, but incrementally add standardized primitives for the things we already know.

Cheers,
                Jörg


From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
Sent: Monday, 3 August 2015 13:54
To: Heuer, Jörg; adrian@hopebailie.com
Cc: public-webpayments-ig@w3.org
Subject: Re: EMV on the Web - A workable idea?

On 2015-08-03 12:04, Joerg.Heuer@telekom.de wrote:
Hello guys,

Hi Joerg,



Whether EMVCo protocols as they are – or the EMVCo brand – might be relevant in the future is IMHO a relevant – but not a decisive – question for our work. On the NFC front it’s established for the future, so we better be able to cope with it if we keep to the ‘convergence’ idea. I am, however, confident that other – perhaps proprietary or industry-specific approaches – will be running over the same NFC interfaces and within the same wallet. Simply because there will likely never be a one-size-fits-all solution.

The same kind of modularity should work for online processes. If EMVCo come up with definitions on how to convey their protocol over HTTP and how to secure the transaction flow, I think it’s fine. They might as well decide to come up with something entirely new, calling it EMVCo-Online, based on entirely different technology. If it fits into our work, I’d be happy as well. The consequences for merchants, terminal vendors, services might be immense, though. So I would leave these kinds of developments to their industry, to the market, and look forward to the evolution taking place.

Is there anything really speaking against this degree of ‘neutrality’ to specific implementations?

Yes, there's no timetable for a thing like "EMVCo-Online".

Personally I don't buy into the idea of sending opaque messages through standardized interfaces; it will most likely create poor UIs, divergent security, and questionable interoperability.

If the messages OTOH are not to be considered opaque, you effectively have to duplicate code as well as introducing a lot of dependencies that in the end will make the "standard" very difficult to maintain and comprehend. It certainly makes the dream of a browser-based wallet unrealistic.

I believe there's an excellent opportunity for a pro-active approach but it surely won't be open forever.

thanx,
Anders



All the best,
                Jörg

From: Adrian Hope-Bailie [mailto:adrian@hopebailie.com]
Sent: Monday, 3 August 2015 10:47
To: Anders Rundgren
Cc: Web Payments IG
Subject: Re: EMV on the Web - A workable idea?

EMVCo's answer to card-not-present is tokenisation.
This is what Apple Pay employs.

I expect this will be the same approach of the card-based scheme operators in adopting whatever standard comes out of the Web Payments WG.

On 3 August 2015 at 06:33, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
The traditional payment industry have settled on using EMV for POS transactions.
That is, even Apple Pay uses EMV by emulating physical cards over an NFC transport.

EMV is a very low-level card protocol which at least historically always depended on a trusted "Payment Terminal" which in turn did the actual talking with other systems including the POS.

Now to the issue...
A merchant Web server indeed functions as a virtual POS, but does a wallet actually replace the payment terminal?

The answer to this simple question will have dramatic implications on Web Payment WG deliverables.

Although I'm by no means an expert on EMV, my gut feeling is that we need a NEW protocol for the Web in order to achieve comparable security to EMV.

Anders
sending his weekly question/update

Received on Monday, 3 August 2015 14:56:45 UTC