Re: Seeking input on agenda for 2 October Card Payment Security Task Force

On Wed, Oct 2, 2019 at 2:25 AM Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> You might be interested in looking into
> https://cyberphone.github.io/doc/saturn/saturn-authorization.pdf
> since it:
> - Uses PaymentRequest (native mode payment handlers)


Thank you for using this technology! :-D


> for the Web and other solutions for non-Web channels, while protocol and
> security remain identical
> - Uses the same cryptography as WebAuthn but integrated in the actual
> payment process
> - Supports risk-based/step-up authentication by carrying client related
> data to the authorizing point
> - Uses TEEs (Trusted Execution Environments) for storing authorization keys
> - Also supports non-direct payment scenarios, including Gas Stations,
> Bookings and Recurring payments
> - Also supports A2A (Account to Account) payments and refunds
>
> Obvious limitations which I hope to remedy include:
> 1. Crucial: Reusing the client architecture for supporting P2P (Person to
> Person) payments
> 2. Important: Loyalty cards
> 3. Nice and currently generally missing feature: Receipts
>
> #2 and #3 are currently outside of my competence, while #1 may be able
> to exploit EPC's SPL (SEPA Proxy Lookup) scheme.
>
>
> Since https://www.w3.org/TR/payment-handler/ does not appear to support a
> "wallet" concept or P2P payments, I didn't consider that part of the W3C
> specifications.
>
> thanx,
> Anders
>
>
> On 2019-10-01 23:19, Ian Jacobs wrote:
> > Dear Card Payment Security Task Force participants,
> >
> > I don’t have a concrete agenda for our 2 October task force call. I am happy to meet, but I have not been able to make
> > time to review the TPAC discussions and build an agenda for the meeting. Off the top of my head, I think our next steps are:
> >
> >   - Review what’s missing from the data model description based on the Mastercard demo
> >   - Review the identity management flows [1]
> >   - Enumerate the flows that raise “multiple authentication” possibilities and determine what actions are needed to address those
> >   - Any other topics on people’s mind.
>

I would love to show off the https://rsolomakhin.github.io/pr/apps/src2/ demo,
which shows individual cards in Chrome's payment sheet without
modifications to the existing APIs or implementations.


> >
> > [1] https://www.w3.org/2018/12/src-prapi/#id-management
> >
> > Please let me know whether you’d like to meet, or wait until 9 October, or 16 October (our next scheduled call after tomorrow).
> >
> > Thank you,
> >
> > Ian
> >
> > --
> > Ian Jacobs <ij@w3.org>
> > https://www.w3.org/People/Jacobs/
> > Tel: +1 718 260 9447

Received on Wednesday, 2 October 2019 14:25:22 UTC