Re: EMV on the Web - A workable idea?

On 2015-08-03 12:04, Joerg.Heuer@telekom.de wrote:
>
> Hello guys,
>

Hi Joerg,

> Whether EMVCo protocols as they are – or the EMVCo brand – might be relevant in the future is IMHO a relevant – but not a decisive – question for our work. On the NFC front it’s established for the future, so we better be able to cope with it if we keep to the ‘convergence’ idea. I am, however, confident that other – perhaps proprietary or industry-specific approaches – will be running over the same NFC interfaces and within the same wallet. Simply because there will likely never be a one-size-fits-all solution.
>
> The same kind of modularity should work for online processes. If EMVCo come up with definitions on how to convey their protocol over http and how to secure the transaction flow, I think it’s fine. They might as well decide to come up with something entirely new, calling it EMVCo-Online, based on entirely different technology. If it fits into our work, I’d be happy as well. The consequences for merchants, terminal vendors, services might be immense, though. So I would leave this kind of development to their industry, to the market, and look forward to the evolution taking place.
>
> Is there anything really speaking against this degree of ‘neutrality’ to specific implementations?
>

Yes, there's no timetable for a thing like "EMVCo-Online".

Personally I don't buy into the idea of sending opaque messages through standardized interfaces; it will most likely create poor UIs, divergent security, and questionable interoperability.

If the messages OTOH are not to be considered opaque, you effectively have to duplicate code as well as introducing a lot of dependencies that in the end will make the "standard" very difficult to maintain and comprehend.  It certainly makes the dream of a browser-based wallet unrealistic.

I believe there's an excellent opportunity for a pro-active approach but it surely won't be open forever.

thanx,
Anders

> All the best,
>
> Jörg
>
> *From:* Adrian Hope-Bailie [mailto:adrian@hopebailie.com]
> *Sent:* Monday, 3 August 2015 10:47
> *To:* Anders Rundgren
> *Cc:* Web Payments IG
> *Subject:* Re: EMV on the Web - A workable idea?
>
> EMVCo's answer to card-not-present is tokenisation.
>
> This is what Apple Pay employs.
>
> I expect this will be the same approach of the card-based scheme operators in adopting whatever standard comes out of the Web Payments WG.
>
> On 3 August 2015 at 06:33, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
> The traditional payment industry have settled on using EMV for POS transactions.
> That is, even Apple Pay uses EMV by emulating physical cards over an NFC transport.
>
> EMV is a very low-level card protocol which at least historically always depended on a trusted "Payment Terminal" which in turn did the actual talking with other systems including the POS.
>
> Now to the issue...
> A merchant Web server indeed functions as a virtual POS, but does a wallet actually replace the payment terminal?
>
> The answer to this simple question will have dramatic implications on Web Payment WG deliverables.
>
> Although I'm by no means an expert on EMV, my gut feeling is that we need a NEW protocol for the Web in order to achieve comparable security to EMV.
>
> Anders
> sending his weekly question/update
>

Received on Monday, 3 August 2015 11:54:10 UTC