- From: Erik Anderson <eanders@pobox.com>
- Date: Fri, 26 Jun 2015 09:28:02 -0400
- To: Web Payments IG <public-webpayments-ig@w3.org>
> From my brief exchange with some in the F2F, I interpreted the "reservation" or skepticism as being more along the lines of ISO Standards being made mandatory.

The US hasn't taken a mandatory approach yet. Other countries have, but not the US. This is true in the financial services world but for security, not for something like ISO 20022 or ISO 12812.

The Obama executive order on cybersecurity issued a recommendation for a "Security Framework" that would be a NIST + ISO standard. The short term incentive was:

1) Firms who implement the Framework, in good faith, will not be punished for weaknesses identified during vulnerability assessments in their programs.
2) A shift in liability if fraud/data breaches/personal information was stolen and the Framework was not followed.

The long term was to turn the Framework into a mandatory compliance mechanism that included end-to-end data security, enhanced key management mechanisms, and constant risk assessment of security/vulnerability/penetration scanning.

This will affect the W3C Web Payments. I will be pushing that the Web Payments standards go through this Government/NIST risk assessment, both at the W3C level and the IETF level. This is happening and will be the hot topic within the Federal Reserve Security Taskforce. I covered this in my presentation.

W3C Web Payment standard mandatory? ISO? X9? Not likely. Identity/Credentials = maybe. End-to-end security = absolutely.

Erik Anderson
Bloomberg R&D
Received on Friday, 26 June 2015 13:28:49 UTC