- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 2 Oct 2019 08:23:49 +0200
- To: Ian Jacobs <ij@w3.org>, "Blachowicz, Tomasz" <Tomasz.Blachowicz@mastercard.com>, "Chitalia, Jalpesh" <jchitali@visa.com>, David Benoit <benoit@withreach.com>, "<Dean.Ezra@barclays.com>" <Dean.Ezra@barclays.com>, "Vokes, Jonathan" <Jonathan.Vokes@worldpay.com>
- Cc: Payments WG <public-payments-wg@w3.org>

You might be interested in looking into https://cyberphone.github.io/doc/saturn/saturn-authorization.pdf since it:

- Uses PaymentRequest (native mode payment handlers) for the Web and other solutions for non-Web channels, while protocol and security remain identical
- Uses the same cryptography as WebAuthn but integrated in the actual payment process
- Supports risk-based/step-up authentication by carrying client related data to the authorizing point
- Uses TEEs (Trusted Execution Environments) for storing authorization keys
- Also supports non-direct payment scenarios, including Gas Stations, Bookings and Recurring payments
- Also supports A2A (Account to Account) payments and refunds

Obvious limitations which I hope to remedy include:

1. Crucial: Reusing the client architecture for supporting P2P (Person to Person) payments
2. Important: Loyalty cards
3. Nice and currently generally missing feature: Receipts

#2 and #3 are currently outside of my competence, while #1 may be able to exploit EPC's SPL (SEPA Proxy Lookup) scheme.

Since https://www.w3.org/TR/payment-handler/ does not appear to support a "wallet" concept or P2P payments, I didn't consider that part of the W3C specifications.

thanx,
Anders

On 2019-10-01 23:19, Ian Jacobs wrote:
> Dear Card Payment Security Task Force participants,
>
> I don’t have a concrete agenda for our 2 October task force call. I am happy to meet, but I have not been able to make time to review the TPAC discussions and build an agenda for the meeting. Off the top of my head, I think our next steps are:
>
> - Review what’s missing from the data model description based on the Mastercard demo
> - Review the identity management flows [1]
> - Enumerate the flows that raise “multiple authentication” possibilities and determine what actions are needed to address those
> - Any other topics on people’s mind.
>
> [1] https://www.w3.org/2018/12/src-prapi/#id-management
>
> Please let me know whether you’d like to meet, or wait until 9 October, or 16 October (our next scheduled call after tomorrow).
>
> Thank you,
>
> Ian
>
> --
> Ian Jacobs <ij@w3.org>
> https://www.w3.org/People/Jacobs/
> Tel: +1 718 260 9447

Received on Wednesday, 2 October 2019 06:24:17 UTC