- From: Adrian Hope-Bailie <adrian@hopebailie.com>
- Date: Fri, 26 Jun 2015 15:50:10 +0200
- To: Erik Anderson <eanders@pobox.com>
- Cc: Web Payments IG <public-webpayments-ig@w3.org>
- Message-ID: <CA+eFz_+MK4Q1NKbMOCBNU6BksScqQvD6Txxp_a0m-Ukc9_1Bgw@mail.gmail.com>

Personally I am weary of this obsession with ISO20022. In practice this standard is predominantly used in interbank and corporate treasury payments. The use cases and pain points we are attempting to address are predominantly in the retail payments space (at least for v1) and yet I see nobody clambering to have ISO8583 considered despite this being the underpinning of almost all retail payment networks today.

The use of a messaging standard is a scheme and jurisdictional preference. I believe that we are in consensus that for v1 of the work we are doing we are not attempting to find ways to bridge schemes simply ways to find a common scheme between payer and payee and an architecture that will promote competition between schemes and wallets.

Erik is absolutely right that there is a world of regulatory pressure coming down on the system but my personal view is that this will pressure the schemes themselves to define better ways to deal with security, identity, credentials etc.

To illustrate, VISA may decide tomorrow that they want participants in their network and scheme to communicate using ISO20022 messages and also define mechanisms to secure and sign those communications. If there exists a standard way for payments to be initiated, instruments negotiated and payments data exchanged (as defined by us at the W3C) on the Web then it would follow that they will design their scheme to fit into the standard flow that all schemes use for payments on the Web, will define mechanisms for their payment instruments to be included in wallets that follow the W3C standard and further will design mechanisms for their acquiring institutions to integrate into this architecture.

There will be value in the schemes standardising on how these other things are done (auth, security etc) and there is some value in the W3C defining some of these standards (such as credentials) as it allows more of the payment flow to happen within the Web context but I personally see it as essential that we define an open standard that allows payments schemes to fit themselves into with minimal changes but that is open to new and exciting schemes that can leverage the greater competition to get some market share.

On 26 June 2015 at 15:28, Erik Anderson <eanders@pobox.com> wrote:

>> From my brief exchange with some in the F2F, I interpreted the
>> "reservation"
>> or skepticism was more along the lines of ISO Standards being made
>> mandatory.
>
> US hasn't taken a mandatory approach yet. Other countries have but not the
> US.
>
> This is true in the financial services world but for security, not for
> something like ISO 20022 nor ISO 12812.
>
> Obama executive order on cybersecurity issued a recommendation for a
> "Security Framework" that would be a NIST + ISO standard.
>
> Short term incentive was
> 1) Firms who implement the Framework, in good faith, will not be punished
> for weaknesses identified during vulnerability assessments in their programs
> 2) A shift in liability if fraud/data breaches/personal information was
> stolen and the Framework was not followed.
>
> The long term was to turn the Framework into a mandatory compliance
> mechanism that included end-to-end data security, enhanced key management
> mechanisms, and constant risk assessment of
> security/vulnerability/penetration scanning.
>
> This will affect the W3C Web Payments. I will be pushing that the Web
> Payments standards go through this Government/NIST risk assessment, both at
> the W3C level and IETF level. This is happening and will be the hot topic
> within the Federal Reserve Security Taskforce.
>
> I covered this on my presentation.
>
> W3C Web Payment standard mandatory? ISO? X9? Not likely.
> Identity/Credentials = maybe. End-to-end security = absolutely.
>
> Erik Anderson
> Bloomberg R&D

Received on Friday, 26 June 2015 13:50:39 UTC