Re: Internet Centralization: What Can Standards Do?

Thanx Manu,
This question has kept me occupied for almost a decade, with
C2B payments as the primary target.

However, since payments seem to be 99% about politics, basic questions like

           Why do merchants need my card number?

never get any attention.

A recent example is W3C's SPC
https://www.w3.org/TR/secure-payment-confirmation/
which indeed requires users to type card data. Since this would make SPC
fairly hard to use, SPC (in reality) depends on payment intermediaries
like Stripe holding such information so that you don't have to repeat it.
This idea obviously works better the fewer payment intermediaries there are.
Voila! CENTRALIZATION is the core of this W3C standard.  This also makes SPC
(again in reality) a very powerful tool for USER DATA AGGREGATION.

However, if you study the C2B payment use case a bit deeper it is pretty
clear that merchants rather need a confirmation that they are getting
paid, something only the payment network can provide.  But payment
intermediaries need card data, right?  Not necessarily; they need to
know to which bank to send the user-authorized payment request.


So how could this standard pass, you may [rightfully] wonder? Well, the
SPC API does not handle card data itself; it is supposed to have been
dealt with in a preceding non-standardized step.

A Remaining Issue
-----------------
DECENTRALIZATION is often non-trivial to accomplish from a technical
point of view.  For payments though, the core problem is that it
could radically affect business models and that's a BIG NO-NO.

There is a risk that this may turn out to be pretty universal.

Anders

On 2023-02-19 23:15, Manu Sporny wrote:
> Solid paper written by Mark Nottingham (Chair of the HTTP WG and
> recently, Internet Barrister In Training) on what standards can and
> can't do wrt. centralization:
> 
> https://www.ietf.org/archive/id/draft-nottingham-avoiding-internet-centralization-09.html
> 
> I was randomly looking at recently published IETF drafts and it caught my eye.
> 
> It's a thought provoking read... applicable to some of the work we do
> here as a community. Overlaps with what's happening with big tech, ISO
> Mobile Driver's Licenses, and W3C Verifiable Credentials as it relates
> to US, Canadian, and EU published roadmaps wrt. digital wallets,
> privacy, security, and citizen identity. Also relates to the looming
> regulatory pressures over Apple and some of the other big tech vendors
> in the EU.
> 
> The various individuals that participate in this group, especially
> related to governments, regulation, and anti-competitive initiatives,
> might want to take a look at the document. It's a fairly quick read
> with some good call outs wrt. centralization, consolidation,
> decentralization, and what standards can do to combat some of the
> problematic power dynamics in the market.
> 
> I've BCC'd Mark to save his inbox.
> 
> -- manu
> 

Received on Monday, 20 February 2023 06:37:21 UTC