Minutes for Web Payments Workshop - Session 4

The minutes for "Session 4: Enhancing the Customer and Merchant
Experience" are now available. Thanks to Bryan Sullivan for scribing!

https://web-payments.org/minutes/2014-03-25-s4/

Note: These are minutes for an official W3C Workshop event that
  have been cleaned up and reformatted by the Web Payments
  Community Group. The Web Payments Community Group and the W3C are
  two different organizations, and it is the W3C that managed this
  event. These minutes may be handed over to the W3C to become the
  official minutes for the event, but that has not happened yet
  (and may not happen at all). Readers should understand that there
  is a difference between officially sanctioned W3C work, and the
  work done by the Web Payments Community Group (which is not
  officially sanctioned by W3C's membership).

----------------------------------------------------------------
Web Payments Workshop - Session 4 Minutes for 2014-03-25

Agenda:
  http://www.w3.org/2013/10/payments/agenda.html
Topics:
  1. Enhancing the Customer and Merchant Experience
  2. Merchants and Retailers - NACS
  3. Intent to Pay - Robin Berjon
  4. Hidden Choice can be Anti-Consumer - Joseph Potvin
  5. Last-mile Payments in Africa - Trans-Africa Solutions
  6. General Discussion on Customer/Merchant Experience
Action Items:
  1. Manu to reach out to MCX to try and get them involved in the
    W3C work on payments.
Chair:
  Daniel Appelquist
Scribe:
  Bryan Sullivan
Present:
  Daniel Appelquist, Bryan Sullivan, Dave Birch, Gray Taylor,
  Jeremy King, Mountie Lee, Wendy Seltzer, Ricardo Varela, Robin
  Berjon, Cyril Vignet, Dave Raggett, Joseph Potvin, Neil
  Mason-Jones, Stéphane Boyera, Michel Leger, Eric Tak, Manu
  Sporny, Ori Eisen, David Ezell, Ernesto Jimenez, Virginie
  Galindo, Tobie Langel, Emil Johansson, Alexander Gee, and 81
  others for a total of 103+ people

Bryan Sullivan is scribing.
Note: These are minutes for an official W3C Workshop event that
  have been cleaned up and reformatted by the Web Payments
  Community Group. The Web Payments Community Group and the W3C are
  two different organizations, and it is the W3C that managed this
  event. These minutes may be handed over to the W3C to become the
  official minutes for the event, but that has not happened yet
  (and may not happen at all). Readers should understand that there
  is a difference between officially sanctioned W3C work, and the
  work done by the Web Payments Community Group (which is not
  officially sanctioned by W3C's membership).

Topic: Enhancing the Customer and Merchant Experience

Dave Birch:  Kickoff on consumer and merchant experience with
  focus on the frontend
  ... people have asked why look at this? things work OK
  ... but they dont really work for consumers and merchants,
  basically
  ... how many paid for the dinner last night with cash (a few
  respond)
  ... the paypal payment method did not work, got locked out
  after three tries due to some suspicion
  ... puzzling as my paypal app knows who and where I am.
  ... the app could figure this out, and just do it since its
  only 30 euros. we would be moving to the right experience
  ... I use Hailo in london (taxi service). the app shows you the
  license # and picture of the driver. you tell them where you're
  going, you get there, and walk off. payment is automatic. there
  is no payment experience.
  ... no one looks forward to payment, they look forward to
  buying stuff. payment needs to be transparent, out of the loop
  ... all sorts of clever stuff will enable this experience.
  where is dave, is this activity normal, don't bother him.
  ... we should make the experience vanish, set the bar high.
  ... its not good to make it easy for me to type in a card .
  that's a hack.
  ... cards as the central metaphor for payment is anachronistic.
  we dont want to make cards work better on the web. its 1949 tech,
  and too dangerous now.
  ... knowing that use of cards is risky, and that eventually you
  will be attacked, please imagine further forward.
  ... starting with a merchant perspective now

USE CASE: Automatic payments, transparent to usage (subscriptions
  and safe pay-as-you-go w/o asking/annoying the customer)

Topic: Merchants and Retailers - NACS

Slides for this presentation:
  http://www.w3.org/2013/10/payments/slides/session4_nacs.pdf
Dave Birch introduces Gray Taylor of National Association of
  Convenience Stores (NACS) - @grayotaylor
Gray Taylor:  Represent PCATS & NACS, attached to convenience
  stores in the US, involved in system data exchange
  ... payments is 30% of our effort. mobile commerce will
  increase that, so we are focused on this work today
  ... where are we? the system is broken. in the 70s there was no
  need for data visibility, data was static, magstripe based
  ... a lot of people are being hacked. 1.6B cards, 1.5B have
  been reissued.
  ... this is about a 10$B problem in the US, just the cost of
  fraud to banks
Gray Taylor:  Fraud cost is 6 basis points... that's just due to
  fraud. [scribe assist by Manu Sporny]
  ... another problem is segmentation of the customer to the
  merchant. knowing your customer is important.
  ... e.g. walmart needs to know who is buying what, and they
  don't want to get that data from mastercard
  ... due to data security, we are moving to EMV
  ... we are last getting on this tech, and it's not a good
  feeling.
  ... what can we do? we wish that mobile was ready, because we
  feel like a real late comer to an old tech
  ... major oil companies have no plans to implement EMV, due to
  poor ROI
  ... incrementalism in the card business creates heartburn.
  todays system is based upon the account, more important than the
  person.
  ... the system is moving toward the person, who can select the
  card. card companies don't like that, banks are ambivalent
  ... W3C's job is to boil this ocean. this is a critical subset
  of global commerce, and shouldn't be a walled garden for the web
  ... tech has the ability to overturn monopolies
  ... US Payments SOI 2016 slide
  ... debit is the single largest thing going forward, driven by
  the banking crisis in 2008
  ... people are living in their means more now
  ... 2006-7 we hit equilibrium with paper on the way out
  ... cstore profile vs card fees graph shows fees pulling away
  from pretax profit
  ... the fees are passed onto consumers, $1B of subsidization
  ... the only higher cost is labor
Gray Taylor:  If you pay cash, you pay over $400 a year to
  subsidize the card industry. [scribe assist by Manu Sporny]
  ... re cost/liter, 2/3 of margin is gross profit
  ... much is cost of unauthenticated card use
  ... focusing on business and consumer in the payments ecosystem
  ... customers get steered to where discounts are offered
  ... re method of payment, they are changing, polluting the card
  handling environment
  ... we have to enable these methods but not have them affect
  the card vendor environment, PCI has not really dont anything to
  address our number one issue in fraud.
Jeremy King:  Oh come on, that's not fair! To say that it has
  done nothing is going to far!
Gray Taylor:  It's helped a little, but didn't affect one of our
  biggest problems.
  ... we are turning a battleship here. PCI has helped re a
  finite set of things to look at
Mountie Lee: PCI === Payment Card Industry
Mountie Lee: They do DSS === Data Security Standard
Gray Taylor:  Becoming PCI compliant is a huge science project.
  Our #1 threat vector (dispenser skimming) was excluded from PCI,
  it didn't really help us.
Wendy Seltzer: More on PCI here -
  https://www.pcisecuritystandards.org/
Gray Taylor:  Now, in defense of PCI, it provided a clearinghouse
  to mitigate risk
  ... when it comes to trust, banks are #1, the crisis dipped
  that, but they are still #1 going forward
  ... payments in flux - the perfect storm
  ... for profit without competition is bad
  ... bank brick and mortar infratstructure is a cost holding
  them back
  ... it will be difficult to get the profit margin from the
  banks
Ricardo Varela:  To clarify - Dave asked Gray about how much
  fraud had gone down since the PCI implementation. Gray said not
  much. Jeremy complained about this being out of order. Dave
  responded that he wanted the data point to know what did
  merchants get back from this investment and there was discussion
  about which other areas this helped on. There was admission that
  they were slightly better off with it but not sure if it wasn't
  worth it to redo the whole security model. [scribe assist by
  Ricardo Varela]
Ricardo Varela:  For reference, PCI DSS docs are at
  https://www.pcisecuritystandards.org/security_standards/ [scribe
  assist by Ricardo Varela]
  ... a consumer focus will be required, mobile and online
  banking will be changed by focus on the consumer
Gray Taylor:  We need to re-think how we do digital identities
  and security. [scribe assist by Manu Sporny]
  ... mobilization will rise, mobile wallets are will become the
  mobile briefcase. Digital identities and megabit encrypted PINs
  are where we need to get to
Dave Birch:  Digital ID problem is underlying many of these
  problems
Gray Taylor:  With trust credentials, we can take ACH from
  Zimbabwe and be reasonably assured for it

USE CASE: Digital credentials that can be used for financial
  transactions, that provide plausible deniability to payment
  processors ("we vetted the customer and they lied to us in a
  sophisticated way, here's proof").

Gray Taylor:  With the appropriate trust credentials floating
  around, I could bank w/ different people and decrease fraud.
  [scribe assist by Manu Sporny]
  ... re tokenization, there are about 6 standsards
  ... we need to kill standards as readily as we create standards
  - look at what's out there to leverage it, that will ease
  globalization
  ... Digital Identity
  ... counterfit IDs are easily obtained. transaction auth is
  similar to the boarding process
  ... all of the financial system is depending upon
  authentication of the individual
Gray Taylor:  Digital identity will preserve our freedom online,
  not take it away. [scribe assist by Manu Sporny]
  ... this is something that will preserve freedom
Gray Taylor:  There is still no way to digitally sign any
  contract, how dumb is that? [scribe assist by Manu Sporny]
  ... guiding access, medical records, etc...

USE CASE: Digitally signed contacts that are born and executed
  digitally.

Erik Anderson: +1 Passport is one of the weakest areas in need of
  security enhancements and digital ID's
Gray Taylor:  I believe in standards - that's the way forward.
  [scribe assist by Manu Sporny]
  ... i believe in standards, you need to come up with building
  blocks. any safe system has not reached volume yet
  ... we need plausible deniability of risk
  ... what are the best practices systems should be following?
  consumers are just kicking the tires, and hacks can take wind out
  of the sales
  ... uniform datasets; at the end of the day, moving money is
  not rocket science; datasets need to be flexible and amended per
  the payment type
  ... re digital receipt standards, look to fiscal receipt
  standards
Gray Taylor:  Important to bring more data into the digital
  receipts, look to people that need fiscal reporting in their
  receipts. [scribe assist by Manu Sporny]
  ... "out of the box" use cases; data security is about
  minimizing value and maximizing effort; hacking ROI needs to be
  low
  ... we need to look to how we can keep credentials in a small
  ecosystem and use tokens outside it

USE CASE: Theft of payment details results in very low return on
  investment.

Gray Taylor:  We should keep credentials in a small ecosystem,
  use tokens/intermediaries. [scribe assist by Manu Sporny]

Topic: Intent to Pay - Robin Berjon

Slides for Robin's talk are here:
  http://berjon.com/presentations/20140325-intent-to-pay/
Robin Berjon:  Hi, my name is Robin and I work for W3C, editing
  the HTML5 specification.
  ... We're in an acronym blizzard ... things are sinking in;
  from the perspective of the web platform, these thoughts are
  about how we can work together for payments on the web
  ... it would be easy to standardize what is done today; APIs
  would be easy. but they would not be conducive to innovation
  ... a better approach is an "intents" based approach; like
  HTTP, when you ask for something you don't know what will result,
  you just  get something back
  ... we can reproduce a similar system for payments, avoiding
  the "nascar" problem, i.e. that user have to choose among a lot
  of logos for providers e.g. socnet "share" buttons; this hurts
  the small players
  ... "intents" on the android platform indicates something the
  user wants to do; the user is allowed to pick among services that
  are available to them
  ... we can include payment in the intents architecture as an
  "intent to pay"
  ... intents can provide a very simple flow for the web
  platform, that is orthogonal to the underlying payment system
Bryan Sullivan:  I think I said the same thing yesterday, and it
  was in the discussion of web intents earlier
Dave Birch:  We didn't test the notion of being able to pay
  without any understanding of the underlying payment system; to
  decouple it sounds great but it is real;
Robin Berjon:  Domain experts need to help us with the mapping to
  the payment level
  ... we need to avoid locking ourselves into what payment is
  today, and move to decoupling at the design level

USE CASE: Decouple payments as much as possible. Base on an
  intent-to-pay mechanism

Slides for this talk are available here:
  http://www.w3.org/2013/10/payments/slides/session4_bpce.pdf
Cyril Vignet:  I work for BPCE, a bank in France; I have worked
  in payment systems for 25 years
  ... focusing on one point from the paper, the SEPAmail project
  ... we have clients, merchants, cardholders, etc; B2B, B2C...
  there is a lot of savings that could be made, Euro billions, to
  be saved
  ... the idea of SEPAmail was to define not only a protocol but
  how actors interact
Slide 2: Trusted Third Party Processors
Cyril Vignet:  TTPP Trusted Third Party Processors
  ... ABC Inc talks to TTPPs in a trapezoid arch to Alice
  ... SEPAmail is based upon web standards, ISO 20022 or XML data
  formats
Tom, on IRC, notes - Intent is nice but might be preventing the
  user to discover new services, no ?
Dave Raggett: SEPAmail uses web/internet standards to encapsulate
  ISO20022 or XML data format for payments via trusted third party
  processors.
Cyril Vignet:  The protocol is mandatory between the TTPPs,
  optional between the endpoints and TTPP
  ... what we want to avoid; one party must be connected to the
  TTPP of the other party (thus the trapezoid arch)
  ... each client can choose their TTPP
  ... we also want to avoid subject-specific protocols, and use
  encapsulation for that
  ... we also want to avoid ACH or CSM; these are not very well
  regulated; ACH is quite expensive; much less than manual but
  still expensive
  ... it was important not to have a central monitoring point,
  enabling freedom to do what you want
  ... experience with SEPAmail; based upon ISO 20022, with
  different layers for bill presentment, direct debit e-mandates,
  IBAN control, data along payments
  ... we will launch this in 2014 a network for TTPPs
Cyril Vignet:  The launching banks are: Crédit Mutuel, Crédit
  Agricole, Société Générale, BPCE, BNP Paribas - all banks in
  France
  ... design is in progress, "families for TTPP than may not be
  PSP" (someone explain if possible...)
  ... SEPAmail is an "overal arch that solves (part) of the auth
  problem"
  ... example of the "SAPPHIRE family", implemented this three
  years ago. it's very simple from the banks' view; self-care for
  the user
  ... the corresponding private keys is in the mobile, in the
  secure element or NFC card
  ... if the payment is low, you may not need very high security
  ... with this generic approach we have demonstrated ability to
  support more things beyond payment
  ... SEPAmail is CC-SA licensed
Ricardo Varela:  Link is wrong in the slide, should be
  http://documentation.sepamail.eu/ [scribe assist by Ricardo
  Varela]

USE CASE: Allow multiple levels of security based on the type of
  transaction being performed. No auth for small amounts, PIN auth
  for medium amounts, Secure Element for large amounts.

Topic: Hidden Choice can be Anti-Consumer - Joseph Potvin

Slides for Joseph's talk:
  http://www.w3.org/2013/10/payments/slides/session4_potvin.pdf
Joseph Potvin:  I am an economist, 15 years in the IT domain
  ... re the UI for digital payments, how many of you paid in
  something other than Euro to get here? How many of you got to
  choose your conversion rate? Put your hand up.
  ... leave it up if you clicked on conversion options in
  paypal's screen (everyone's hands go down)
  ... amounts were quoted in local and Euros; this illustrates
  and underlying assumption, that there is only one exchange rate
  option; this example though showed other options e.g. between
  paypal and mastercard/visa, the diff being whether you know the
  rate at the time of the transaction
  ... I chose the credit card, due to fewer intermidiaries,
  rather than use paypal then intermediaries
  ... re philosophy of money; the tokenization of human
  obligations; a means of accounting them
  ... if we did UML for the payment process, three use cases for
  money
  ... unit of account; medium of exchange (communications); value
  aspect (descriptors or standard of deferred payment, stored value
  - I call it a value benchmark)
  ... doing the use case and relationship diagrams in UML; who
  are the stick figures?; who gets to choose the value benchmark
  etc?
  ... we are used to those choices; but not for this example (the
  exchange rate options showed earlier)
  ... in this paypal example, who got to choose the value
  benchmark? there were two parties in the transaction, did either
  get to choose?
  ... happy that paypal provided this choice, but whose role is
  it?
  ... example of a taxi and porter to the check-in. if the porter
  opens the bags and takes something "it's my business model to
  take something" - it's not the intermediary's role to determine
  aspects of price, rather to define service fees
  ... conversion rate is not a service fee, it's a component of
  the money
  ... there is a lot more to this example choice than is apparent
  ... in the WWW, we need a way to code these things
  ... thinking about this in the UML terms, where do the lines go
  and what roles do the actors have, this is a direct line to the
  theory of money

USE CASE: Enable the customer and the merchant to choose foreign
  exchange rates and how foreign exchange affect their prices, give
  them the choice, not the financial network/intermediary.

Ricardo Varela: Small highlight over Josephs comments: many
  payment providers, including paypal, do not call this a
  conversion but mention it specifically as "cross border and
  currency conversion fees", as there are both variable and fixed
  costs associated with the networks they use to move money ... so
  yes, they are fees and you accept them as so on the payment terms
  and conditions

Topic: Last-mile Payments in Africa - Trans-Africa Solutions

Neil Mason-Jones:  I represent Trans-Africa Solutions, a South
  Africa startup; bringing the emerging market / unbanked
  perspective
  ... the market is very difficult to authenticate
  ... we are trying to meet them in the way they want to
  transact; mostly cash
  ... in South Africa we have a huge divide in economic
  capability
  ... re the unbanked, in South Africa as much as 80%, scenarios
  such as this occur; in the living in city center, traveling back
  to home is very expensive
  ... outside the city center, you can spend a lot just going to
  buy a ticket
  ... we find that there is a resistance to putting cash
  anywhere, in wallets or savings
  ... we are trying to bridge the last mile, using the mobile
  devices, libraries or cafes to access the product, gain a token
  and make a payment in a physical location
  ... tokens can be barcodes, QR codes, etc
  ... this is slightly different use case; between request and
  receipt, it can take days
  ... its easy to expect all to be online; that the offline are
  not that large a subset; that may be but we need other options
  and fluidity to support them
  ... also there's a large opportunity for tech to help; but in
  Africa charges are obscene re the service bring provided; people
  thus distrust the banks; in the UK it is very different, the cost
  factors are so low
  ... tech talked about in this meeting e.g. crypto currencies
  can have large impact in emerging economies
  ... though banks etc resist on every possible level, we need
  tech competition to bring about change

USE CASE: Allow a physical version of a digital receipt that can
  be verified, perhaps by printing out a QR Code on a slip of paper
  with some additional information.

Dave Birch:  Summing up; Gray established the merchant needs
  ... Robin suggested a web framework for this
  ... Cyril suggested a standard way to move around the data
  ... Joseph pointed out that we have collapsed unit of accounts,
  building upon other work
  ... Neil made the point that the medium of exchange needs to be
  extended into cash
  ... e.e. walmart has a capability to buy online and pay in cash

USE CASE: Allow for a settlement that is based on a cash
  transfer.

Topic: General Discussion on Customer/Merchant Experience

Stéphane Boyera:  You make a good point re the notion of
  decoupling payment systems with intent of payment
  ... this is a critical point; we need layer separation;
  ... having an easy way for merchants to support multiple
  systems and a method for user to select...
Dave Birch:  Between the phone and a payment terminal, there is a
  lot of chance for complex options to take place; standards may
  need to address the complex negotiations that will occur
Cyril Vignet:  Part of standards is to define the value chain of
  payments
Gray Taylor:  Taking into account foreign exchange, what I care
  about in the end is what I will get charged for
  ... quoting the final ticket price will let the user choose
Michel Leger:  There's no breakout that makes it possible to know
  what cut was taken by whom;
  ... re transparency and seamlessness, they don't correlate; the
  more choices are offered, the more complex the UX
Gray Taylor:  Customers will never read those screens
Eric Tak:  What about point-of-sale (POS) terminals, how do we
  integrate what we come up with here?
Gray Taylor:  Fees added happen in the back office, not the POS.
  pricing queues at the POS are philosohically great, but
  impossible
  ... if we can present the final ticket across multiple vendors
  and give choice that would be great
  ... our POS challenge is painting the screen as the user is
  using it; we have to keep it simple for the user
  ... moving the POS screen down to the phone, you can see
  exactly what's going on

USE CASE: Move the point of sales terminal off to the users
  mobile .

Michel Leger:  Need for customer choice may be based upon size of
  the transaction. For small amounts, you probably don't care.
Cyril Vignet:  Is is possible to automate options at the POS, for
  POS with web-based presentation
Dave Birch:  Existing systems do limit us, so we mustn't limit
  our standards efforts to the existing card system, but look to
  more options, with the understanding that one implementation of
  the standard may ultimately be card-based
Michel Leger:  Should a standard be explicit about roles? would
  it be acceptable for intermediaries to propose components of
  price?
  ... in multiple currency transactions, the intermediary does
  define components of price
Manu wanted to ask about entry points for change being merchants
  (MCX, could we deploy web payments in fuel industry?)
Manu Sporny:  It's good to think past cards; who will be the
  early adopters? probably not the banks unless fees are preserved
  ... convincing consumers may also be difficult
Dave Birch:  Successful wallets are from retailers
Manu Sporny:  Exactly; retailers will push this into the market;
  W3C will need to figure out how to work with them
Dave Birch:  We do need to build those bridges
Ori Eisen: What is the problem we are trying to solve?
Michel Leger:  If the banks are changing, they will change with
  the game also if the economics are right
Dave Birch:  Banks also have an interest in driving down costs
Gray Taylor:  The litmus test for retailers will be can they get
  banks to change from the interbank model
  ... retailers want online and POS to work the same

ACTION: Manu to reach out to MCX to try and get them involved in
  the W3C work on payments.

Dave Birch:  Retailers will incentivize customers to opt for MCX
David Ezell: MCX == Merchant Customer Exchange, a movement to
  build a Visa/MasterCard alternative network with far lower
  transaction fees.
Ernesto Jimenez:  Re the point about negotiation on the payment
  process, users may need to choose manually since you can't always
  know what balances are on the different payment methods
  ... availability of options will also depend upon location
Dave Birch:  What I am saying is there can be a wider set of
  possibilities
Virginie Galindo: More about MCX here : http://www.mcx.com/
Ernesto Jimenez:  Range of payment service providers can be
  loaded into the wallet in the short term, but balances may not be
  known
  ... user behavior/preferences can also drive automated choices
Dave Birch:  Policies can be set and downloaded from many sources
  and executed at the POS
Tobie Langel:  This is typically where user agents compete
Ricardo Varela:  API integrations in browsers will likely cause
  Visa/MC to cooperate; so we shouldn't expect them to resist this.
  The standards won't say anything about fees so that will change
  on its own
  ... is we assume that we have to tell intermediaries what they
  have to do we are already making some assumptions
Joseph Potvin:  What I was saying was that the role that
  intermediaries are taking needs to be visible in the standard
Ricardo Varela:  There you are already supposing there will be
  intermediaries, and how many there are is unclear
Emil Johansson:  Question re SEPAmail; trust is important, what
  will be the consumer protections?
Cyril Vignet:  Consumer protection will be provided by the TTPP;
  the payload will define terms etc; the payment request will have
  all the data, the idea is to have all the info at the customer
  side so they can make decisions
Dave Birch:  Under the current systems, these aspects are all
  bundled. A system like SEPAmail will allow unbundling of those
  elements, which can then become part of a negotiation.
  ... Specialist Intermediaries may arise who can provide that
  role; Visa/MC may actually fulfill that role
Alexander Gee:  We have draft legislation that payer should have
  the final word on which payment service should be used
End of session 4.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Worlds First Web Payments Workshop
http://www.w3.org/2013/10/payments/

Received on Monday, 31 March 2014 21:06:20 UTC