Minutes for Web Payments Workshop - Session 5

The minutes for "Session 5: Front End: Wallets - Initiating Payment and
Digital Receipts" from the Web Payments Workshop are now available.
Thanks to Charles McCathie Nevile for scribing!

https://web-payments.org/minutes/2014-03-25-s5/

Note: These are minutes for an official W3C Workshop event that
  have been cleaned up and reformatted by the Web Payments
  Community Group. The Web Payments Community Group and the W3C are
  two different organizations, and it is the W3C that managed this
  event. These minutes may be handed over to the W3C to become the
  official minutes for the event, but that has not happened yet
  (and may not happen at all). Readers should understand that there
  is a difference between officially sanctioned W3C work, and the
  work done by the Web Payments Community Group (which is not
  officially sanctioned by W3C's membership).

----------------------------------------------------------------
Web Payments Workshop - Session 5 Minutes for 2014-03-25

Agenda:
  http://www.w3.org/2013/10/payments/agenda.html
Topics:
  1. Front End: Wallets - Initiating Payment and Digital Receipts
  2. Creating a Level Playing Field - W3C
  3. Money for the Underbanked - Mahindra Comviva
  4. Mobile Wallets - Gemalto
  5. Privacy Issues Related to Payments - Lyra
  6. Wallets - Deutsche Telekom
  7. Mobile Wallets - GSMA
  8. General Discussion around Payment Initiation and Digital
    Receipts
Chair:
  Daniel Appelquist
Scribe:
  Charles McCathie Nevile
Present:
  Daniel Appelquist, Charles McCathie Nevile, Prakash Hariramani,
  Dave Raggett, Manu Sporny, Bryan Sullivan, Cyril Vignet, Vidya
  Chandy, Philippe Cabos, Gregory Estrade, Jörg Heuer, Joseph
  Potvin, Natasha Rooney, Olivier Maas, Mountie Lee, Stéphane
  Boyera, Ori Eisen, Emil Johansson, Martin Hepp, Erik Anderson,
  Ricardo Varela, Dave Birch, Evgeny Vinogradov, Wendy Seltzer, and
  81 others for a total of 103+ people

Charles McCathie Nevile is scribing.

Note: These are minutes for an official W3C Workshop event that
  have been cleaned up and reformatted by the Web Payments
  Community Group. The Web Payments Community Group and the W3C are
  two different organizations, and it is the W3C that managed this
  event. These minutes may be handed over to the W3C to become the
  official minutes for the event, but that has not happened yet
  (and may not happen at all). Readers should understand that there
  is a difference between officially sanctioned W3C work, and the
  work done by the Web Payments Community Group (which is not
  officially sanctioned by W3C's membership).

Topic: Front End: Wallets - Initiating Payment and Digital Receipts

Prakash Hariramani:  Good news is things are growing in online
  payment.
  ... bad news, the experience is a mess. Repeated repetition of
  terrible steps to go through.
  ... m-commerce rates are < 1% - imagine what it could be
  without such friction.
  ... we've got different stakeholders here and tried to cover
  the world. 2.5 billion are underbanked...
  ... We're focusing on b2c payment.
  ... will consider this a success if we can narrow our focus on
  what needs to be standardised.

Topic: Creating a Level Playing Field - W3C

Slides for Dave Ragget's talk:
  http://www.w3.org/2013/10/payments/front-end.pdf
Dave Raggett:  The goal here is to create a level playing field
  for providers through standards.
  ... I want to be able to get a digital receipt from a
  part-payment for a group meal like last night.
Dave Raggett:  We have web app to browser transition, and then
  browser to wallet conversation, and wallets talking to individual
  providers, as possible points of standardisation.
  ... and we can have multiple wallets, like in the real world.
  ... standards should be minimal, enabling competition
  ... information needed (slide 5)
  ... amount, currency, jurisdiction, acceptable settlement
  solutions, etc.
  ... in current UX we have to repeatedly add too much info.
  Could be done by the wallet
  ... Maybe you need DRM for virtual goods?
  ... What about value-added services - what is compelling enough
  to get people to switch. Loyalty coupons (seemed very US-centric
  idea), where does escrow fit?
[Slide 6]
Dave Raggett:  Wallet can keep receipts etc. Where does the
  receipt get held?
Charles McCathie Nevile:  That was my question about receipts
  helping EME yesterday.
Manu Sporny:  Oh, I had it the other way around, I thought you
  were saying that EME would help digital receipts... not that
  digital receipts could help EME. Totally agree w/ you wrt.
  digital receipts helping EME not create such closed solutions.
Dave Raggett:  It's about improving the experience. Less data
  entry. This just depends on the risk model for provider/customer
  - the merchant just wants the money
[Slide 7]

USE CASE: The wallet as an expert system - decide the best mode
  of operation for the purchase, make wallet providers compete on
  that metric.

Dave Raggett:  Trusted customers can have expert wallets as user
  agents. Shouldn't offer solutions that won't match the acceptable
  mechanisms fora  transaction.
  ... wallets need to provide information, options for payment
  (use debit, or pay with coupons, ...)
  ... and of course transparency in eventual cost.
[Slide 8]
Dave Raggett:  Standardisation needs to be unbiased, we need to
  be held to that. Effective competition is critical for
  improvement, so we need hooks in browsers for multiple wallets to
  be used / dropped.
  ... these could be in the cloud, or not...
  ... And should be movable between my devices.
  ... What about offline payments? That's a complexity we should
  bear in mind for the future.
[Slide 9]
Bryan Sullivan: Offline payments is a current capability, not
  only something for the future
Dave Raggett:  Sysapps is working on APIs for trusted
  applications, allowing web apps to create device side part of
  wallet is a possibility.
  ... need to move away from username/password as the base of
  authentication.

USE CASE: Identity solution must not rely on passwords for
  primary functionality.

Dave Raggett:  What happens when I give someone else my device?
  ... privacy friendly "Know Your Customer"?
Bryan Sullivan: Identity of all parties is essential for trust -
  Know Your Provider (KYP)
  ... related - NFC, and upcoming bluetooth work at W3C
[Slide 10]
Dave Raggett:  Loyalty schemes as value-adding services for a
  wallet. coupons, vouchers, etc - how does this fit. Maybe a
  question for the future.
  ... Merchants want repeat customers, want to know how users
  arrived.
Bryan Sullivan: I use a Safeway app that provides me discounts on
  things that I typically buy, and alerts me when they're on sale,
  and uses barcodes so that I can "like" products right in the
  store - all key parts of the new retail experience.
Cyril Vignet: Careful of loyality coupons : the business model is
  that the customer value them but don't uses them ;-)

Topic: Money for the Underbanked - Mahindra Comviva

Slides for Vidya's talk:
  http://www.w3.org/2013/10/payments/slides/session5_comviva.pdf
Vidya Chandy:  Money for the un/derbanked
  ... who is familiar with mobile money? [almost everyone raises
  their hand]
[Slide 2, recaps yesterday points]
Vidya Chandy:  2.5B underbanked, big opportunity
  ... growing industry increasingly competitive. dominated by
  telcos.
Bryan Sullivan: Just like the payment experience - make the
  couponing experience transparent/effortless and usage will
  increase and churn will decrease
  ... very lightly regulated, no interoperability.
[Slide 4 - stats]
Vidya Chandy:  1.2B users in 9 months. 2.5B un/derbanked people
  online in 3 years
[Slide 5 - africa research]
Vidya Chandy:  Huge growth in everything - 100's of % CAGR
  ... Kenya 5th fastest towards cashless society because of
  M-Pesa
Bryan Sullivan:  What's the Y axis?
Someone shouts from the audience: It's just a marketing slide!
  (laughter)
Vidya Chandy:  It's a calculated metric to show adoption
  velocity.
Vidya Chandy:  Shows M-pesa changes the way a country deals with
  cash, which is a surprise
  ... Money systems don't interoperate, no public API. That will
  change soon to have an ecosystem building around it. There is
  already a mini-industry offering integration, bridging, etc.
  ... Strong growth trajectory, time to leverage the synergy with
  standardisation.
  ... otherwise experience will be siloed.
  ... Where will mobile money fit in a layered appraoch?
[Slide - Standardisation Considerations]
Vidya Chandy:  Different from cards, this is a stored value
  system on a phone not card.
  ... mobile number is account nuber, but portability signals a
  coming need to change that.
  ... low tech literacy means UX needs to be simple, smooth.
  ... 2-factor auth is inherent in mobile money.
Chaals wonders why 2-factor is inherent in mobile money.
Vidya Chandy:  Category of goods that can be purchased could be
  limited by account type.
  ... consumer demographics include multiple languages, multiple
  currencies, low literacy, ...
  ...P2P transfer is big in mobile money, that's where the
  traction has been.
  ... what is relevant for merchants is proximity not online
  payment.
  ... Mobile payments are done on mobiles, not cards, and that's
  what's different about it.

Topic: Mobile Wallets - Gemalto

Philippe Cabos:  Who uses a mobile wallet daily?
Only a few people raise their hands.
Philippe Cabos:  That's why I am here. Think this is really key
  to help adoption of payment technology. Will focus mostly on UX.
  ... key aspect is that the wallets should be multi-scheme
  multi-technology from the start.
  ... acccept MNO billing, alternates, ...
  ... Why is user expecting so much? There is a lack of control
  for the end user on what payment to use, clear reward for doing
  so, and feeling secure about the payment
  ... Giving my data to multiple websites doesn't feel secure, I
  want a wallet to keep them in.
  ... I don't know the balances on my cards, want to see them (or
  info about the differences in different cards at merchants) at
  purchase time.
  ... I don't have a central point to store receipts.

USE CASE: Enable people to transfer tokens of value between their
  wallets (digital cash equivalent).

USE CASE: Realtime checks on account balances in wallets to help
  decide how to pay.

Philippe Cabos:  Payment process can be very painful. To secure
  it with 2-factor can bring problems e.g. trying to use CAPTCHA on
  mobiles.
  ... login is painful across multiple sites. Wallet can help
  here.
  ... Today there are lots of loyalty cards, but don't see a
  reward. Wallet could show you that

USE CASE: Show added/stored value from things you already do
  (discounts on gas purchases associated with a grocery store you
  shop at regularly).

Philippe Cabos:  Blockers to having this lovely wallet?
  ... need more implementations to be availble, more ways to
  deploy wallets.
  ... ability to port wallet to various platforms is key.

USE CASE: Wallet is synced with loyalty coupons and digital
  receipts as they are collected. Data is synced to cloud or local
  wallet seamlessly.

Manu Sporny: How about this: You should be able to store your
  digital receipts wherever you want - whether it  be in a wallet
  or in the cloud.
Philippe Cabos:  W3C can help abstract and standardise these
  interfaces to reduce the cost of deployment.
  ... Unfortunately, wallet issuers are too eager for user data,
  so seems like a privacy threat.
  ... end user should be able to choose what info to share with
  whom. Think this will be key.
  ... of course need to standardise interations with merchant
  website - coupons, sharing shipping addresses, etc
  ... smartphone is a good way to allow users to select payments.
  ... Need to make sure wallets are widespread and available,
  believe W3C is the right place to make sure there will be an open
  garden type of wallet
Bryan Sullivan: I agree, a wallet issuer should not have access
  to my data just because they provided the wallet

USE CASE: Wallet data should be separate from wallet provider,
  data should be owned by the customer.

Topic: Privacy Issues Related to Payments - Lyra

Gregory Estrade:  What do we need to standardise on front end for
  wallets to integrate?
  ... What merchant wants isn't always what customer wants.
  ... Purchase: There is a cart. Some providers require the cart
  contents to be passed to the payment provider.
  ... There are some advantages - if customer goes to another
  website, will be pleased to see the cart is still the same.
  ... Provides valable information for fraud detection, digital
  receipts.
  ... But drawbacks too - consistency has to be achieveed. And
  raises privacy concerns - does the customer want all purchase
  information detail given to the bank?
  ... Then billing and shipping info. Most annoying part of the
  process.
  ... But while cart is temporary, these are related to identity
  (which is its own can of worms)
  ... When it all goes well, everyone wants to skip this and let
  the wallet do it.
  ... But if something goes wrong with the purchase, some privacy
  concerns are raised. Merchant acquires information about a
  non-customer, device fingerprinting them, etc.
  ... like in the physical world. Merchant wants the customerto
  open the wallet, customer doesn't.
Charles McCathie Nevile:  What the merchant really wants is for
  the customer to start buying. and then buy some more.
Gregory Estrade:  There isn't a process to figure out which
  system is the best. Payment schemes have deals with merchants,
  customers have different goals.
  ... for instance a merchant might have a reason (or more) to
  try and sign you up to a new wallet
  ... At payment there are mostly security concerns. Merchants
  shouldn't collect credit card details, but part of these are
  meaningful.
  ... E.g. issuer may determine where the merchant wants to
  process the transaction.
Prakash Hariramani:  Merchants should just get a token, not real
  credentials?
Gregory Estrade:  Partially, but there are parts of the
  information the merchant should get too.
  ... e.g. in PCIDSS you mask middle of the number. But on modern
  POS terminals masking is first 12 digits. Merchant loses
  important information on what kind of card it is.
  ... 3D secure, etc can be involved. This is a real pain point.
  UX is bad, website is mobile-first and often -only, terrible on
  desktop.
  ... SMS auth when you purchase from your phone is no good if
  your phone gets stolen.
  ... But birthday security in a facebooked world is even worse.
  ... We could stepwise propose better integration for most
  common auth schemes.
Charles McCathie Nevile:  This sounds like password management in
  browsers, which is years old.
Gregory Estrade:  We could alternatively enrich the
  authentication process with branding from the merchant website.
  ... Then there is receipts. There are many receipts.
  Merchant-supplied, something from a payment provider. If customer
  uses coupons and loyalty cards, the amount of money will be
  dispatched around the world with tex and handling fees from
  different places coming into play. Standardising this seems
  difficult.
  ... Merchant receipts are a sales facilitator. Lots of the
  receipt is used to offer coupons, advertising, etc.
Cyril Vignet: Standard for receipts should be "cumulative" i.e.
  each actor could add its won information for the receipt during
  the payment life cycle
  ... problem is payment-gateway receipts.
  ... They should be digitally signed, merchant receipts will be
  useable for warranty.
Charles McCathie Nevile:  Cyril, so who "owns" the receipt
  content?
Cyril Vignet: Warranty or tax issues as well

Topic: Wallets - Deutsche Telekom

Slides from Jörg Heuer's talk:
  http://www.w3.org/2013/10/payments/slides/session5_dt.pdf
Jörg Heuer:  This touches everything - identity, privacy, and
  mobile.
[Slide - development history]
Jörg Heuer:  Not talking about a product, just what we think a
  wallet might look like.
  ... started in NFC, infocard. Found that compelling in the
  context of payments.
  ... so we created a wallet - same virtual card can be used on
  payment terminal or web shop.

USE CASE: Customer can receive digital receipts (receipt POSTed
  to user's digital receipt storage vs. an emailed receipt).

Jörg Heuer:  Want a framework independent of implementation, so
  the card is an abstraction, where people can make payments with
  whatever instruments they have.
  ... so far only used in trials. Aspiration to cover tickets and
  identity as well as payments seems feasible
  ... expect any account online becomes a virtual customer card.
[Slide - wallet vision "so abstract it can't be wrong"]
Jörg Heuer:  Providing security and communication needed for
  transaction. The actual transaction happens outside the actual
  wallet, but there are times when it appears. it's mine on my
  system that I can secure.
Joseph Potvin: Wallet architecture needs to be open to any type
  of implementation technology
Jörg Heuer:  This is an agreement between me and a payment
  provider.
  ... maybe I can use NFC, hardware-secured ID management, OAuth,
  ... or not ...
  ... I just need to be told what level of security I am ignoring
  at the moment.
  ... When I join airline program, I get a number on paper - this
  is free to issue. If I get more miles, I may get a card with NFC
  access to lounge, etc.
Jörg Heuer:  The ecosystem needs to be arrange differently from
  what people think.
[Slide - future wallet definition]
Jörg Heuer:  This is user-centric (everyone says that...)
  ... we give the card to the user. Maybe that never holds any
  more data.
  ... can make things more transparent to the end-user.
  ... wallet provider is important role.
  ... better if it isn't a payment provider too.
  ... Operator might be OK for that - or not. Service providers
  need to be differentiated.
[Last slide]
Jörg Heuer:  We already have lots of APIs. Our wallet is
  implemented in HTML5. Could be cloud-based or belong on client
  device.
  ... You could have several wallets doing partial
  synchronisation
  ... we can have wallet responding to auth requests. It can be
  done, but lack of standards makes it a mess.
  ... and then we want all the things people already said - start
  transactions, etc.
Cyril Vignet: I suggest to include along with cards the 3 other
  main payment mechanisms known: credit transfer, direct debit,
  crypto currency
Natasha Rooney:  Jorg covered a lot of the technical detail of
  where we are going.
  ... a long time ago we were working on projects, eg with NFC.
  That has started to change, providing trusted security modules
  around SIMs and wallet has become important to us.
  ... we want a simple approach from customer viewpoint (with
  business things wrapped around it)
  ... Idea is use a wallet to pay, and it has security.
  ... Spec is for operator-led wallets held on the device.
  Sometimes may not need secure elements all the time.
Charles McCathie Nevile:  I love the fact that people can steal
  everything if they take it in $20s...

Topic: Mobile Wallets - GSMA

Natasha Rooney:  CAPTCHA is painful, wallets will simplify life
  by having your details on your device
  ... Lot of work going on around Identity. Generally there is a
  lot of movement towards identity providers/managers. Who do
  customers choose - my main one now is Google. I made that choice
  (and people gasp) based on what I get...
  ... It's up to you - what country is your data held in, what do
  you get, do you trust the company, ...
  ... not much uptake for identity by interpretive dance yet. But
  we want to do it in the most secure way we can.
  ... The process of buying candy at your local grocery store
  shouldn't involve 2-factor authentication.
  ... There is a heavy business aspect around wallets. Who holds
  the data and what are they getting by doing it?
  ... and can we hold you money for a while too?
  ... We still have to deal with these issues. Which leads to
  merchants. They are losing valuable data to wallets, paymetn
  providers, etc. Merchants have to weigh up the cost benefit
  ... Don't believe it is our choice.
  ... There has been a lot of talk about choosing your payment
  provider on your device. Something that wants to get paid giving
  you a button to click and pay it, backed by whatever you have
  chosen to use, this leads back to tokenisation.
  ... Final point - lose your  phone is a real issue. We'd like
  to see more activity in the cloud - but not sure which cloud.

Topic: General Discussion around Payment Initiation and Digital Receipts

Prakash Hariramani:  Talked of consumers, merchants,
  wallet/payment provider
  ... does everyone agree with Dave's characterisation of the
  three points for standardisation?
Joseph Potvin: "Connect the dots" mobile lock/unlock is an real
  application of finger-based interpretive dance... so perhaps
  interpretive dance isn't so far off.
Olivier Maas:  Reacting to wallet interface. Philippe showed few
  people use them today, retail wallets more success than bank
  wallets but that will lead to us having lots of them. Wonder if
  we will talk about them in 5 years.
  ... surprised nobody has mentioned trend to personal data
  stores, to me describe use cases which fit with the seamless UX
  better than wallets which are repeated one-shot transaction
  interfaces
  ... my point: don't restrict the interface to wallets.
  ... they are just a 'new' way to do payments today.
Sergio Aquero: "Wallet" presupposes an architecture
Sergio Aquero: it's one way of handling the payment request
Dave Raggett:  Agree - wallet is a personal assistant, not a
  container for payment cards. There will be assistants, e.g. help
  manage expenses, tell you not to buy more ice cream. Think those
  value-added services are key
Jörg Heuer:  Should be cautious about putting too much into the
  wallet. But one power of the notion of a mobile wallet is as an
  authorisation agent.
  ... but it needs to be somehow cloud-capable, synchronised, ...
  ... what do we call it? I don't know.
Prakash Hariramani:  Does anyone think P2P payment belongs in the
  primitive set?
Chaals, you wanted to mention that the merchant wants user data
  too.
Charles McCathie Nevile:  Jorg, Yes.
Bryan, you wanted to ask why portability is a concern for use of
  mobile # as account key.
Bryan Sullivan:  You commented on portability as a problem for
  using mobile number as account identifier.
Vidya Chandy:  Mobile money uses the number as an account
  identifier. When the number gets ported to another telephony
  provider, the money account may stay with the original money
  operator, which can become a problem.
Bryan Sullivan:  Not sure if it does, but...
Bryan Sullivan: Re: the last question are use cases equivalent to
  primitives ? "P2P", "B2C" are use cases, not primitives
Bryan Sullivan: A primitive is e.g. "make a payment request",
  "get a receipt", etc
Manu wanted to raise the point that if we store wallet
  information on device, that we're inevitably going to need to
  sync it to the "cloud".
Manu Sporny:  Wallet is best word we have, but isn't really
  ideal. So we will get misunderstanding from that. As we've just
  experienced, everyone thinks that a wallet does something subtly
  different, and this is going to be a problem moving forward. The
  wallet skeumorphism is probably not appropriate in this context.
  ... Growing concern about where the contents of the wallet are
  stored. People have more than one device, so they have to sync.
  ... Wallets are not the only things that get synched these
  days, anyone that uses LastPass can attest to how great it is to
  have all of your data synched across all of the devices and
  browsers you use.
  ... maybe W3C should think about synching in general. We
  probably want this stuff on the web not on the device

USE CASE: Sync wallet data, password data, and credential data to
  the cloud - use the same mechanism for all three.

Mountie Lee:  Mobile is now the megatrend but wasn't always, and
  we're also talking about internet of things, wearable devices,
  vehicles as clients.
  ... wallet is targeting for human interaction based on mobiles
  and brings a risk of adding a layer of activity, with W3C trying
  to take the role of banks and payment service providers. And this
  is too complex.
  ... User and user agent is the centre, and standards need to
  concentrate on the connections between the devices.

USE CASE: Wallet portability to move to a new wallet service
  provider at will.

Stéphane Boyera:  There are different views of the wallet. Could
  be a very light element supporting payment. If we can gather
  payment systems, that's great. If it's another layer that we
  need, I think we will fail - getting everyone to delegate
  everything to a wallet will be a challenge.
  ... how can a mobile provider be a wallet provider, when you
  change operator all the time - from phone to wifi to roaming to
  ...
Jörg Heuer:  I'm here to reduce complexity. Today all platforms
  need different implmentations. standardise this through a layer
  of abstraction - it's feasible and would help to have a good
  identity abstraction layer. We don't have it yet.
  ... Who looks at certificate stores?
Bryan Sullivan: Stephane, the ISP/MNO can be the wallet provider
  just like anyone else. ISPs/MNOs are not limited to serving users
  over specific networks - they can be cloud-based service
  providers just like anyone else. The IdM key that is used is also
  not necessarily tied to specific networks.
  ... If we can brand strong authentication (Walmart security
  anyone) you could sell it.
Stéphane Boyera:  Is it a technical issue? I think that isn't the
  problem, it is about getting agreement to delegate the work.
Ori Eisen: What is "strong authentication"?
Jörg Heuer:  We're missing the motivation to accept the extra
  complexity of security, while for big players it is cheaper to
  just use risk-management. We're pushing toward monopolistic
  tendencies because the large players don't need anything new.
  ... what we do today is nonsense for security, but it works for
  the existing market. I hope the neutral position at W3C can
  enable us to make something usable and attractive enough to get
  adopted
Melvin Carvalho:
  http://en.wikipedia.org/wiki/Strong_authentication
Ori Eisen: My point is that "strong authnetication" is a relative
  term, compared to what are we trying to authenticate
Natasha Rooney:  How can we make this implementable? Everyone
  agrees that mobile number is a bad identifier.
  ... If you have a contract there are a lot of ways to be
  identified. Liked the idea if you're paying to use the name of
  the event not the person.
  ... GSMA standardising a wallet isn't about forcing everyone to
  use it, it is making a business product for operators, so the
  goals are different.
  ... If there is a hook in the wallet to say "now please pay"
  and the standards are agnostic to the wallet chosen, that is
  interesting.
Emil Johansson: I think that a definition of "strong
  authnetication" is needed.
Bryan Sullivan: Not sure I agree that mobile number is a bad
  identifier. It's just an ID like all others, and in fact one that
  everyone understands and uses every day;
  ... comes back to the customer choosing what to do.
Martin Hepp: IMO, security in payment cannot be built into the
  standards. instead, it will be a highly adaptive component that
  permits or declines a transaction based on 100+ signals.
  ... this is achievable in the short term - which isn't always
  the case with a complex set of stakeholders.
  ... It isn't the be-all answer.
Erik Anderson:  Mobile wallets aren't that useful, which explains
  some low usage. Concerned about device storing wallet, being the
  2-factor auth vector and synching to the cloud. It becomes a
  single point of massive failure.

USE CASE: Where is the wallet, how is it protected, is it stored
  on the same device as your 2-factor authentication device?
  Security side-effects of mobile-as-wallet are not
  straightforward.

Cyril Vignet:  When you go to a merchant, we almost know what
  they are. If you go to a certificate chain it gives no
  information. The policy is a nightmare.
  ... I don't know what is going on as a user. Is a problem of
  trust to explain this better -what the certification means?
  ... signed by someone *I* trust, not a chain of trusted trusted
  trusters?
  ... maybe this is part of an extension.
Manu Sporny: +1 To mhepp wrt. security must be modular.
Jörg Heuer:  This transparency needs to be used with care. Users
  need to put a name to the responsibility. If they trust a brand,
  they don't question it.
Martin Hepp: The standards should support interoperability at the
  data (and maybe process) level, but not standardize the
  implementation and internal processes of components.
  ... they allow for trust to be distributed. It needs to be
  transparent, but a lot of real trust comes from trusting on
  particular brands. We can use that to help get acceptance, or
  misunderstand it and build stuff that fails
Daniel Appelquist:  I'm worried about the notion of standardising
  a wallet. feels like the wrong level of abstraction.
  ... some twitter comment said startups should be the
  innovators. Feels like an attempt to create an app, not
  underlying technologies.
Bryan Sullivan: Dave, standardizing interface primitives and data
  formats for browser interface with a wallet is not the same as
  standardizing the wallet - so we are not standardizing the wallet
  really - implementations are free to innovate / differentiate
  ... maybe better takeaway for W3C is to look at use cases in
  the context of existing work - look at synch in the context of
  storage work, ... what are the primitives for multiple wallets?
Dave Raggett:  Idea is to create a space for innovation. Maybe we
  don't need to standardise sync. What are the *minimal* set of
  standards that meet the primary goals - innovation, merchants'
  and users' needs met
Jörg Heuer: Wallet should be seen as a Concept helping us to
  guide standardization in various fields ! (security, identity,
  identity selectors, transaction framing)...
Ricardo Varela: There may be a bit of confusion about what is "a
  wallet" in this context... because for example for
  requestAutocomplete spec it already says you store cc and
  credentials in either "the user agent or other element" (in
  chrome's implementation in google wallet) so that already defines
  that there IS a wallet
Gregory Estrade:  We are focusing on ID and security, losing
  sight of what functions and features a wallet can add to
  payments.
Erik Anderson: Certificate chains are important.  I know firewall
  units and corporate policies at corporations that inject its own
  certificate of authority into your browsers so they can
  "man-in-the-middle" decrypt SSL traffic.  Corporations do this so
  they can read your email, prevent file sharing/uploads, but they
  shouldn't be connected in between the user and what they are
  purchasing.

USE CASE: Prevent corporate man-in-the-middle attacks that are
  commonly used in corporate environments.

Prakash Hariramani:  Need to define wallet, by use of a token....
Joseph Potvin:  I thought that authentication through
  interpretive dance is what a written signature involves. Or the
  dot-connecting to unlock my phone.
  ... drawing a symbol on a tablet can provide an authentication
  mechanism.
Martin Hepp: +1 To Ricardo
Bryan Sullivan: Ricardo, I personally dont like
  requestAutocomplete - it's a crutch to help us deal with with a
  last-gen interaction method (web forms) and is a continual source
  of privacy concern for me (where is all that info backed up? is
  it secure? what if someone gets one of my devices that is synced
  with it?)

USE CASE: Reject the form auto-fill anti-pattern
  (RequestAutoComplete) and move to one that doesn't result in
  security risks if data is stolen at the merchant.

Bryan Sullivan:  Applying WCAG to this, there are people who are
  visual, and people who have e.g. dyslexia and huge problems with
  authentication.
Natasha Rooney:  Identity and how we authenticate will be
  something we choose- retina, password, use a signature?
Ricardo Varela: Whether we like the API or not what I mean is
  that we need a vocabulary that defines "wallet" because different
  people have different interpretations and I think user agents are
  already aiming to behave like at least my interpretation of a
  wallet, whether directly or via things like requestAutocomplete
  ... accessibiltiy comment is important. and this has impact on
  the web of things. Was at a dev conf in London and people were
  talking about accessibility, and there were people who still
  couldn't see that the web might not always be entirely visual.
Chaals, you wanted to ask about shared devies
Charles McCathie Nevile:  What do we do with the family tablet
  that is shared by 4 members in a family? Who's account is used to
  pay?
Prakash Hariramani:  Don't want to bleed into identity session,
  but I'd love to look at identity questions about how we look at
  risk in authentication.
Charles McCathie Nevile:  I think people share devices, we should
  look at those as a use case. [scribe assist by Manu Sporny]
Bryan Sullivan: Phobeo, I agree we need discussions based upon
  actual behaviors/features and functions, and less focus on terms
  at the start - the terms will define themselves through the
  discussion process

USE CASE: Payment systems running on shared devices must be able
  to determine the payer.

Prakash Hariramani:  Shared devices can lead to "friendly fraud".
  For physical goods the main vector is account takeovers. You need
  something other than username/password.
Jörg Heuer:  Adding biometry or behavioural auth, these can be
  solved.
  ... you can do air writing as a secure instrument. But tests
  showed germans didn't like it.
Joseph Potvin: Principles of the  WCAG standard should apply to
  authentication methods (therefore offer various kinds of
  authentication)
Dave Birch:  We mustn't jumble biometrics for authentication
  (good) with identification (bad)
  ... corrupt officials have been selling bogus national id cards
  - these things are of limited reliability
Evgeny Vinogradov:  Dave Ragget says there is a problem about
  where we keep receipts. We need to differentiate notification
  from real receipts for eg warranty. Using phone number as
  identifier - in some countries you need to show ID to have a SIM,
  and the number is linked to a real person, and then may be
  useful. Gregory talks about UI problems for security systems -
  this can be easily solved with a standard by building an API.
  There is one edit field and one button, not too hard.
  ... How deep should the standard go into communication channels
  - totally transport-agnostic, or more detail on
  NFC/bluetooth/whatever?
Erik Anderson: In Indonesia the phone number is locked to a
  particular SIM card.  If the SIM card expires for over xxx time
  period the SIM must be replaced and the user gets a new phone
  number
Jörg Heuer:  We framed this with total payment-agnostic. Could do
  it with EMV, think it works with paypal online, shouldn't matter.
Ori Eisen:  As someone with experience in India, I am shocked
  that ID cards got sold wrongly! :) (laughter)
Ori Eisen:  Where there is value there will be fraud. Take a case
  where people are trying to pay 30p for sweets or 300k for a
  house. standards for communicating what is being paid, who is
  authenticating, the wallet that is being used? What are we trying
  to standardise, many things could be affected.
Erik Anderson: +1 To "Where there is value, there will be fraud"
Prakash Hariramani:  Didn't see Dave say standardise wallet, but
  interface between wallet and browser, and between wallet and
  payment provider.
Dave Raggett:  Right.
Melvin Carvalho: +1 "Where ever there is value there will be
  fraud" or "A certain percentage of fraud is accepted as
  unavoidable" -- Satoshi Nakamoto
Martin Hepp:  To make ground we should separate the work that
  needs to be done as implementation, and the things that we should
  standardize. If we standardize protocols, the decision to decide
  if something is fraudulent will be probabilistic. So what should
  we standardise? Means for interoperability of data. Conceptual
  structures for stages of initiating, archiving, etc, steps that
  can be document. Not IMHO processes that determine whether a
  payment is fraudulent.
  ... standards are slow, bad guys are fast.
Prakash Hariramani:  Focus on parts that are missing. Don't try
  to build a giant end to end standard - no need and too much work
  to get it done.
Daniel Appelquist: +1 On not trying to build end-to-end solution
Wendy Seltzer: An interesting question overall: how do we
  standardize frameworks for risk-based decisions on security?
Martin Hepp: Chaals, I said that bugfixes to security issues in
  standards will likely come much slower than apple's bugfix for
  the #gotofail vulnerability ;-)
Martin Hepp: Thus, we should not standardize processes with a
  binary outcome of "1 - transaction valid" vs. "0 - transaction
  declined". The actual decision will be based on tens of signals
  from the client (e.g. id, geo-location, history), transaction
  (volume, type of goods), merchant, etc.
Martin Hepp: Instead, we should focus on standardizing data
  interchange, so that components can exchange the respective
  signals.
Melvin Carvalho: Mhepp: +1
End of session 5.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Worlds First Web Payments Workshop
http://www.w3.org/2013/10/payments/

Received on Tuesday, 1 April 2014 02:14:54 UTC