Re: EMV on the Web - A workable idea?

On 2015-08-03 16:56, Joerg.Heuer@telekom.de wrote:
>
> Hi again,
>
Hello Joerg,

> Actually I see it as the other side of the medal themed ‘primitives’ as you, Anders, brought them up on Wednesday.
>

When I mentioned primitives, I was rather thinking about very low-level, application-neutral stuff like XmlHttpRequest which historically has been the most fruitful area for traditional standardization.

FWIW, this is what I spend my precious cycles on.  My previous attempt (extending WebCrypto), terminated with the outcome "doesn't work" which IMO also is a quite useful result :)  Nowadays, I'm rather plotting with the idea of COMBINING the power of the Web and App worlds which I think it is a considerable better idea than DUPLICATING App functionality into the Web since the latter requires massive standardization and seems to take forever.  The market doesn't appear to be particularly religious when it comes to technology choices ;)

> If W3C brought up communication primitives for payment transactions, which stand by themselves but can be combined for more value (like receipts), it should also be open to allow for ‘alien’ protocols to do their jobs within that protocol framework (if I may call it that).
>

My problem with this is that there's currently nothing tangible on the table which effectively forces the future WG into a research quest to verify that this take on the matter actually is feasible and doesn't suffer from the numerous [potential] shortcomings I listed.

> My sneaky strategy would be to add further elements to this ‘framework’ which make it easier and more valuable for implementers to base future functionalities on this framework rather than developing new proprietary solutions. …and of course I wouldn’t call it a ‘sneaky strategy’ for PR reasons – rather an ‘inclusive strategy’ perhaps… J
>
> I’d have a problem doing things the other way if it involves us assuming we already know the best way to solve all the specific aspects of this or that payment implementation – plus understanding how loyalty and identity should be included in the future. We won’t be able to think that much ahead and across all the different scenarios and industries, so I’d rather be open for the unknown, but incrementally add standardized primitives for the things we already know.
>

I do not see identity as an integral part of a payment scheme. Existing payment systems do not generally provide this factor. Enrollment and KYC is another step preceding payments.  There are a few schemes that mix these things like signing up for automatically paid electricity bills but that's (IMO) not really a payment system, it is rather a mutual 3-party authorization system.

Cheers,
Anders

> Cheers,
>
> Jörg
>
> *From:*Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
> *Sent:* Montag, 3. August 2015 13:54
> *To:* Heuer, Jörg; adrian@hopebailie.com
> *Cc:* public-webpayments-ig@w3.org
> *Subject:* Re: EMV on the Web - A workable idea?
>
> On 2015-08-03 12:04, Joerg.Heuer@telekom.de wrote:
>
>     Hello guys,
>
>
> Hi Joerg,
>
>
> Whether EMVCo protocols as they are – or the EMVCo brand – might be relevant in the future is IMHO a relevant – but not a decisive – question for our work. On the NFC front it’s established for the future, so we better be able to cope with it if we keep to the ‘convergence’ idea. I am, however, confident that other – perhaps proprietary or industry-specific approaches – will be running over the same NFC interfaces and within the same wallet. Simply because there will likely never be a one-size-fits-all solution.
>
> The same kind of modularity should work for online processes. If EMVCo come up with definitions on how to convey their protocol over http and how to secure the transaction flow, I think it’s fine. They might as well decide to come up with something entirely new, calling it EMVCo-Online, based on entirely different technology. If it fits into our work, I’d be happy as well. The consequences for merchants, terminal vendors, services might be immense, though. So I would leave this kind of developments to their industry, to the market, and look forwards to the evolution taking place.
>
> Is there anything really speaking against this degree of ‘neutrality’ to specific implementations?
>
>
> Yes, there's no timetable for a thing like "EMVCo-Online".
>
> Personally I don't buy into the idea of sending opaque messages through standardized interfaces; it will most likely create poor UIs, divergent security, and questionable interoperability.
>
> If the messages OTOH are not to be considered opaque, you effectively have to duplicate code as well as introducing a lot of dependencies that in the end will make the "standard" very difficult to maintain and comprehend.  It certainly makes the dream of a browser-based wallet unrealistic.
>
> I believe there's an excellent opportunity for a pro-active approach but it surely won't be open forever.
>
> thanx,
> Anders
>
>
> All the best,
>
> Jörg
>
> *From:*Adrian Hope-Bailie [mailto:adrian@hopebailie.com]
> *Sent:* Montag, 3. August 2015 10:47
> *To:* Anders Rundgren
> *Cc:* Web Payments IG
> *Subject:* Re: EMV on the Web - A workable idea?
>
> EMVCo's answer to card-not-present is tokenisation.
>
> This is what ApplePay employs.
>
> I expect this will be the same approach of the card-based scheme operators in adopting whatever standard comes out of the Web Payments WG
>
> On 3 August 2015 at 06:33, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
> The traditional payment industry have settled on using EMV for POS transactions.
> That is, even Apple Pay use EMV by emulating physical cards over an NFC transport.
>
> EMV is a very low-level card protocol which at least historically always depended on a trusted "Payment Terminal" which in turn did the actual talking with other systems including the POS.
>
> Now to the issue...
> A merchant Web server indeed function as a virtual POS but does a wallet actually replace the payment terminal?
>
> The answer to this simple question will have dramatic implications on Web Payment WG deliverables.
>
> Although I'm by no means an expert on EMV, my gut feeling is that we need a NEW protocol for the Web in order to achieve comparable security to EMV.
>
> Anders
> sending his weekly question/update
>