Re: Thanks to all and next steps

Personally I am weary of this obsession with ISO20022. In practice this
standard is predominantly used in interbank and corporate treasury
payments. The use cases and pain points we are attempting to address are
predominantly in the retail payments space (at least for v1) and yet I see
nobody clamoring to have ISO8583 considered despite this being the
underpinning of almost all retail payment networks today.

The use of a messaging standard is a scheme and jurisdictional preference.
I believe that we are in consensus that for v1 of the work we are doing we
are not attempting to find ways to bridge schemes, simply ways to find a
common scheme between payer and payee and an architecture that will promote
competition between schemes and wallets.

Erik is absolutely right that there is a world of regulatory pressure
coming down on the system but my personal view is that this will pressure
the schemes themselves to define better ways to deal with security,
identity, credentials etc.

To illustrate, VISA may decide tomorrow that they want participants in
their network and scheme to communicate using ISO20022 messages and also
define mechanisms to secure and sign those communications. If there exists
a standard way for payments to be initiated, instruments negotiated and
payments data exchanged (as defined by us at the W3C) on the Web then it
would follow that they will design their scheme to fit into the standard
flow that all schemes use for payments on the Web, will define mechanisms
for their payment instruments to be included in wallets that follow the W3C
standard and further will design mechanisms for their acquiring
institutions to integrate into this architecture.

There will be value in the schemes standardising on how these other things
are done (auth, security etc.) and there is some value in the W3C defining
some of these standards (such as credentials), as it allows more of the
payment flow to happen within the Web context, but I personally see it as
essential that we define an open standard that payment schemes can fit
themselves into with minimal changes, but that is open to new and
exciting schemes that can leverage the greater competition to get some
market share.

On 26 June 2015 at 15:28, Erik Anderson <eanders@pobox.com> wrote:

>> From my brief exchange with some in the F2F, I interpreted the
>> "reservation" or skepticism was more along the lines of ISO Standards
>> being made mandatory.
>>
>
> US hasn't taken a mandatory approach yet. Other countries have but not the
> US.
>
> This is true in the financial services world but for security, not for
> something like ISO 20022 nor ISO 12812.
>
> Obama executive order on cybersecurity issued a recommendation for a
> "Security Framework" that would be a NIST + ISO standard.
>
> Short term incentive was
> 1) Firms who implement the Framework, in good faith, will not be punished
> for weaknesses identified during vulnerability assessments in their programs
> 2) A shift in liability if fraud/data breaches/personal information was
> stolen and the Framework was not followed.
>
> The long term was to turn the Framework into a mandatory compliance
> mechanism that included end-to-end data security, enhanced key management
> mechanisms, and constant risk assessment of
> security/vulnerability/penetration scanning.
>
> This will affect the W3C Web Payments. I will be pushing that the Web
> Payments standards go through this Government/NIST risk assessment, both at
> the W3C level and IETF level. This is happening and will be the hot topic
> within the Federal Reserve Security Taskforce.
>
> I covered this on my presentation.
>
> W3C Web Payment standard mandatory? ISO? X9? Not likely.
> Identity/Credentials = maybe. End-to-end security = absolutely.
>
> Erik Anderson
> Bloomberg R&D

Received on Friday, 26 June 2015 13:50:39 UTC