- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Mon, 31 Mar 2014 17:05:56 -0400
- To: Web Payments CG <public-webpayments@w3.org>
The minutes for "Session 4: Enhancing the Customer and Merchant
Experience" are now available. Thanks to Bryan Sullivan for scribing!
https://web-payments.org/minutes/2014-03-25-s4/
Note: These are minutes for an official W3C Workshop event that
have been cleaned up and reformatted by the Web Payments
Community Group. The Web Payments Community Group and the W3C are
two different organizations, and it is the W3C that managed this
event. These minutes may be handed over to the W3C to become the
official minutes for the event, but that has not happened yet
(and may not happen at all). Readers should understand that there
is a difference between officially sanctioned W3C work, and the
work done by the Web Payments Community Group (which is not
officially sanctioned by W3C's membership).
----------------------------------------------------------------
Web Payments Workshop - Session 4 Minutes for 2014-03-25
Agenda:
http://www.w3.org/2013/10/payments/agenda.html
Topics:
1. Enhancing the Customer and Merchant Experience
2. Merchants and Retailers - NACS
3. Intent to Pay - Robin Berjon
4. Hidden Choice can be Anti-Consumer - Joseph Potvin
5. Last-mile Payments in Africa - Trans-Africa Solutions
6. General Discussion on Customer/Merchant Experience
Action Items:
1. Manu to reach out to MCX to try and get them involved in the
W3C work on payments.
Chair:
Daniel Appelquist
Scribe:
Bryan Sullivan
Present:
Daniel Appelquist, Bryan Sullivan, Dave Birch, Gray Taylor,
Jeremy King, Mountie Lee, Wendy Seltzer, Ricardo Varela, Robin
Berjon, Cyril Vignet, Dave Raggett, Joseph Potvin, Neil
Mason-Jones, Stéphane Boyera, Michel Leger, Eric Tak, Manu
Sporny, Ori Eisen, David Ezell, Ernesto Jimenez, Virginie
Galindo, Tobie Langel, Emil Johansson, Alexander Gee, and 81
others for a total of 103+ people
Bryan Sullivan is scribing.
Note: These are minutes for an official W3C Workshop event that
have been cleaned up and reformatted by the Web Payments
Community Group. The Web Payments Community Group and the W3C are
two different organizations, and it is the W3C that managed this
event. These minutes may be handed over to the W3C to become the
official minutes for the event, but that has not happened yet
(and may not happen at all). Readers should understand that there
is a difference between officially sanctioned W3C work, and the
work done by the Web Payments Community Group (which is not
officially sanctioned by W3C's membership).
Topic: Enhancing the Customer and Merchant Experience
Dave Birch: Kickoff on consumer and merchant experience with
focus on the frontend
... people have asked why look at this? things work OK
... but they dont really work for consumers and merchants,
basically
... how many paid for the dinner last night with cash (a few
respond)
... the paypal payment method did not work, got locked out
after three tries due to some suspicion
... puzzling as my paypal app knows who and where I am.
... the app could figure this out, and just do it since its
only 30 euros. we would be moving to the right experience
... I use Hailo in london (taxi service). the app shows you the
license # and picture of the driver. you tell them where you're
going, you get there, and walk off. payment is automatic. there
is no payment experience.
... no one looks forward to payment, they look forward to
buying stuff. payment needs to be transparent, out of the loop
... all sorts of clever stuff will enable this experience.
where is dave, is this activity normal, don't bother him.
... we should make the experience vanish, set the bar high.
... its not good to make it easy for me to type in a card .
that's a hack.
... cards as the central metaphor for payment is anachronistic.
we dont want to make cards work better on the web. its 1949 tech,
and too dangerous now.
... knowing that use of cards is risky, and that eventually you
will be attacked, please imagine further forward.
... starting with a merchant perspective now
USE CASE: Automatic payments, transparent to usage (subscriptions
and safe pay-as-you-go w/o asking/annoying the customer)
Topic: Merchants and Retailers - NACS
Slides for this presentation:
http://www.w3.org/2013/10/payments/slides/session4_nacs.pdf
Dave Birch introduces Gray Taylor of National Association of
Convenience Stores (NACS) - @grayotaylor
Gray Taylor: Represent PCATS & NACS, attached to convenience
stores in the US, involved in system data exchange
... payments is 30% of our effort. mobile commerce will
increase that, so we are focused on this work today
... where are we? the system is broken. in the 70s there was no
need for data visibility, data was static, magstripe based
... a lot of people are being hacked. 1.6B cards, 1.5B have
been reissued.
... this is about a 10$B problem in the US, just the cost of
fraud to banks
Gray Taylor: Fraud cost is 6 basis points... that's just due to
fraud. [scribe assist by Manu Sporny]
... another problem is segmentation of the customer to the
merchant. knowing your customer is important.
... e.g. walmart needs to know who is buying what, and they
don't want to get that data from mastercard
... due to data security, we are moving to EMV
... we are last getting on this tech, and it's not a good
feeling.
... what can we do? we wish that mobile was ready, because we
feel like a real late comer to an old tech
... major oil companies have no plans to implement EMV, due to
poor ROI
... incrementalism in the card business creates heartburn.
todays system is based upon the account, more important than the
person.
... the system is moving toward the person, who can select the
card. card companies don't like that, banks are ambivalent
... W3C's job is to boil this ocean. this is a critical subset
of global commerce, and shouldn't be a walled garden for the web
... tech has the ability to overturn monopolies
... US Payments SOI 2016 slide
... debit is the single largest thing going forward, driven by
the banking crisis in 2008
... people are living in their means more now
... 2006-7 we hit equilibrium with paper on the way out
... cstore profile vs card fees graph shows fees pulling away
from pretax profit
... the fees are passed onto consumers, $1B of subsidization
... the only higher cost is labor
Gray Taylor: If you pay cash, you pay over $400 a year to
subsidize the card industry. [scribe assist by Manu Sporny]
... re cost/liter, 2/3 of margin is gross profit
... much is cost of unauthenticated card use
... focusing on business and consumer in the payments ecosystem
... customers get steered to where discounts are offered
... re method of payment, they are changing, polluting the card
handling environment
... we have to enable these methods but not have them affect
the card vendor environment, PCI has not really dont anything to
address our number one issue in fraud.
Jeremy King: Oh come on, that's not fair! To say that it has
done nothing is going to far!
Gray Taylor: It's helped a little, but didn't affect one of our
biggest problems.
... we are turning a battleship here. PCI has helped re a
finite set of things to look at
Mountie Lee: PCI === Payment Card Industry
Mountie Lee: They do DSS === Data Security Standard
Gray Taylor: Becoming PCI compliant is a huge science project.
Our #1 threat vector (dispenser skimming) was excluded from PCI,
it didn't really help us.
Wendy Seltzer: More on PCI here -
https://www.pcisecuritystandards.org/
Gray Taylor: Now, in defense of PCI, it provided a clearinghouse
to mitigate risk
... when it comes to trust, banks are #1, the crisis dipped
that, but they are still #1 going forward
... payments in flux - the perfect storm
... for profit without competition is bad
... bank brick and mortar infratstructure is a cost holding
them back
... it will be difficult to get the profit margin from the
banks
Ricardo Varela: To clarify - Dave asked Gray about how much
fraud had gone down since the PCI implementation. Gray said not
much. Jeremy complained about this being out of order. Dave
responded that he wanted the data point to know what did
merchants get back from this investment and there was discussion
about which other areas this helped on. There was admission that
they were slightly better off with it but not sure if it wasn't
worth it to redo the whole security model. [scribe assist by
Ricardo Varela]
Ricardo Varela: For reference, PCI DSS docs are at
https://www.pcisecuritystandards.org/security_standards/ [scribe
assist by Ricardo Varela]
... a consumer focus will be required, mobile and online
banking will be changed by focus on the consumer
Gray Taylor: We need to re-think how we do digital identities
and security. [scribe assist by Manu Sporny]
... mobilization will rise, mobile wallets are will become the
mobile briefcase. Digital identities and megabit encrypted PINs
are where we need to get to
Dave Birch: Digital ID problem is underlying many of these
problems
Gray Taylor: With trust credentials, we can take ACH from
Zimbabwe and be reasonably assured for it
USE CASE: Digital credentials that can be used for financial
transactions, that provide plausible deniability to payment
processors ("we vetted the customer and they lied to us in a
sophisticated way, here's proof").
Gray Taylor: With the appropriate trust credentials floating
around, I could bank w/ different people and decrease fraud.
[scribe assist by Manu Sporny]
... re tokenization, there are about 6 standsards
... we need to kill standards as readily as we create standards
- look at what's out there to leverage it, that will ease
globalization
... Digital Identity
... counterfit IDs are easily obtained. transaction auth is
similar to the boarding process
... all of the financial system is depending upon
authentication of the individual
Gray Taylor: Digital identity will preserve our freedom online,
not take it away. [scribe assist by Manu Sporny]
... this is something that will preserve freedom
Gray Taylor: There is still no way to digitally sign any
contract, how dumb is that? [scribe assist by Manu Sporny]
... guiding access, medical records, etc...
USE CASE: Digitally signed contacts that are born and executed
digitally.
Erik Anderson: +1 Passport is one of the weakest areas in need of
security enhancements and digital ID's
Gray Taylor: I believe in standards - that's the way forward.
[scribe assist by Manu Sporny]
... i believe in standards, you need to come up with building
blocks. any safe system has not reached volume yet
... we need plausible deniability of risk
... what are the best practices systems should be following?
consumers are just kicking the tires, and hacks can take wind out
of the sales
... uniform datasets; at the end of the day, moving money is
not rocket science; datasets need to be flexible and amended per
the payment type
... re digital receipt standards, look to fiscal receipt
standards
Gray Taylor: Important to bring more data into the digital
receipts, look to people that need fiscal reporting in their
receipts. [scribe assist by Manu Sporny]
... "out of the box" use cases; data security is about
minimizing value and maximizing effort; hacking ROI needs to be
low
... we need to look to how we can keep credentials in a small
ecosystem and use tokens outside it
USE CASE: Theft of payment details results in very low return on
investment.
Gray Taylor: We should keep credentials in a small ecosystem,
use tokens/intermediaries. [scribe assist by Manu Sporny]
Topic: Intent to Pay - Robin Berjon
Slides for Robin's talk are here:
http://berjon.com/presentations/20140325-intent-to-pay/
Robin Berjon: Hi, my name is Robin and I work for W3C, editing
the HTML5 specification.
... We're in an acronym blizzard ... things are sinking in;
from the perspective of the web platform, these thoughts are
about how we can work together for payments on the web
... it would be easy to standardize what is done today; APIs
would be easy. but they would not be conducive to innovation
... a better approach is an "intents" based approach; like
HTTP, when you ask for something you don't know what will result,
you just get something back
... we can reproduce a similar system for payments, avoiding
the "nascar" problem, i.e. that user have to choose among a lot
of logos for providers e.g. socnet "share" buttons; this hurts
the small players
... "intents" on the android platform indicates something the
user wants to do; the user is allowed to pick among services that
are available to them
... we can include payment in the intents architecture as an
"intent to pay"
... intents can provide a very simple flow for the web
platform, that is orthogonal to the underlying payment system
Bryan Sullivan: I think I said the same thing yesterday, and it
was in the discussion of web intents earlier
Dave Birch: We didn't test the notion of being able to pay
without any understanding of the underlying payment system; to
decouple it sounds great but it is real;
Robin Berjon: Domain experts need to help us with the mapping to
the payment level
... we need to avoid locking ourselves into what payment is
today, and move to decoupling at the design level
USE CASE: Decouple payments as much as possible. Base on an
intent-to-pay mechanism
Slides for this talk are available here:
http://www.w3.org/2013/10/payments/slides/session4_bpce.pdf
Cyril Vignet: I work for BPCE, a bank in France; I have worked
in payment systems for 25 years
... focusing on one point from the paper, the SEPAmail project
... we have clients, merchants, cardholders, etc; B2B, B2C...
there is a lot of savings that could be made, Euro billions, to
be saved
... the idea of SEPAmail was to define not only a protocol but
how actors interact
Slide 2: Trusted Third Party Processors
Cyril Vignet: TTPP Trusted Third Party Processors
... ABC Inc talks to TTPPs in a trapezoid arch to Alice
... SEPAmail is based upon web standards, ISO 20022 or XML data
formats
Tom, on IRC, notes - Intent is nice but might be preventing the
user to discover new services, no ?
Dave Raggett: SEPAmail uses web/internet standards to encapsulate
ISO20022 or XML data format for payments via trusted third party
processors.
Cyril Vignet: The protocol is mandatory between the TTPPs,
optional between the endpoints and TTPP
... what we want to avoid; one party must be connected to the
TTPP of the other party (thus the trapezoid arch)
... each client can choose their TTPP
... we also want to avoid subject-specific protocols, and use
encapsulation for that
... we also want to avoid ACH or CSM; these are not very well
regulated; ACH is quite expensive; much less than manual but
still expensive
... it was important not to have a central monitoring point,
enabling freedom to do what you want
... experience with SEPAmail; based upon ISO 20022, with
different layers for bill presentment, direct debit e-mandates,
IBAN control, data along payments
... we will launch this in 2014 a network for TTPPs
Cyril Vignet: The launching banks are: Crédit Mutuel, Crédit
Agricole, Société Générale, BPCE, BNP Paribas - all banks in
France
... design is in progress, "families for TTPP than may not be
PSP" (someone explain if possible...)
... SEPAmail is an "overal arch that solves (part) of the auth
problem"
... example of the "SAPPHIRE family", implemented this three
years ago. it's very simple from the banks' view; self-care for
the user
... the corresponding private keys is in the mobile, in the
secure element or NFC card
... if the payment is low, you may not need very high security
... with this generic approach we have demonstrated ability to
support more things beyond payment
... SEPAmail is CC-SA licensed
Ricardo Varela: Link is wrong in the slide, should be
http://documentation.sepamail.eu/ [scribe assist by Ricardo
Varela]
USE CASE: Allow multiple levels of security based on the type of
transaction being performed. No auth for small amounts, PIN auth
for medium amounts, Secure Element for large amounts.
Topic: Hidden Choice can be Anti-Consumer - Joseph Potvin
Slides for Joseph's talk:
http://www.w3.org/2013/10/payments/slides/session4_potvin.pdf
Joseph Potvin: I am an economist, 15 years in the IT domain
... re the UI for digital payments, how many of you paid in
something other than Euro to get here? How many of you got to
choose your conversion rate? Put your hand up.
... leave it up if you clicked on conversion options in
paypal's screen (everyone's hands go down)
... amounts were quoted in local and Euros; this illustrates
and underlying assumption, that there is only one exchange rate
option; this example though showed other options e.g. between
paypal and mastercard/visa, the diff being whether you know the
rate at the time of the transaction
... I chose the credit card, due to fewer intermidiaries,
rather than use paypal then intermediaries
... re philosophy of money; the tokenization of human
obligations; a means of accounting them
... if we did UML for the payment process, three use cases for
money
... unit of account; medium of exchange (communications); value
aspect (descriptors or standard of deferred payment, stored value
- I call it a value benchmark)
... doing the use case and relationship diagrams in UML; who
are the stick figures?; who gets to choose the value benchmark
etc?
... we are used to those choices; but not for this example (the
exchange rate options showed earlier)
... in this paypal example, who got to choose the value
benchmark? there were two parties in the transaction, did either
get to choose?
... happy that paypal provided this choice, but whose role is
it?
... example of a taxi and porter to the check-in. if the porter
opens the bags and takes something "it's my business model to
take something" - it's not the intermediary's role to determine
aspects of price, rather to define service fees
... conversion rate is not a service fee, it's a component of
the money
... there is a lot more to this example choice than is apparent
... in the WWW, we need a way to code these things
... thinking about this in the UML terms, where do the lines go
and what roles do the actors have, this is a direct line to the
theory of money
USE CASE: Enable the customer and the merchant to choose foreign
exchange rates and how foreign exchange affect their prices, give
them the choice, not the financial network/intermediary.
Ricardo Varela: Small highlight over Josephs comments: many
payment providers, including paypal, do not call this a
conversion but mention it specifically as "cross border and
currency conversion fees", as there are both variable and fixed
costs associated with the networks they use to move money ... so
yes, they are fees and you accept them as so on the payment terms
and conditions
Topic: Last-mile Payments in Africa - Trans-Africa Solutions
Neil Mason-Jones: I represent Trans-Africa Solutions, a South
Africa startup; bringing the emerging market / unbanked
perspective
... the market is very difficult to authenticate
... we are trying to meet them in the way they want to
transact; mostly cash
... in South Africa we have a huge divide in economic
capability
... re the unbanked, in South Africa as much as 80%, scenarios
such as this occur; in the living in city center, traveling back
to home is very expensive
... outside the city center, you can spend a lot just going to
buy a ticket
... we find that there is a resistance to putting cash
anywhere, in wallets or savings
... we are trying to bridge the last mile, using the mobile
devices, libraries or cafes to access the product, gain a token
and make a payment in a physical location
... tokens can be barcodes, QR codes, etc
... this is slightly different use case; between request and
receipt, it can take days
... its easy to expect all to be online; that the offline are
not that large a subset; that may be but we need other options
and fluidity to support them
... also there's a large opportunity for tech to help; but in
Africa charges are obscene re the service bring provided; people
thus distrust the banks; in the UK it is very different, the cost
factors are so low
... tech talked about in this meeting e.g. crypto currencies
can have large impact in emerging economies
... though banks etc resist on every possible level, we need
tech competition to bring about change
USE CASE: Allow a physical version of a digital receipt that can
be verified, perhaps by printing out a QR Code on a slip of paper
with some additional information.
Dave Birch: Summing up; Gray established the merchant needs
... Robin suggested a web framework for this
... Cyril suggested a standard way to move around the data
... Joseph pointed out that we have collapsed unit of accounts,
building upon other work
... Neil made the point that the medium of exchange needs to be
extended into cash
... e.e. walmart has a capability to buy online and pay in cash
USE CASE: Allow for a settlement that is based on a cash
transfer.
Topic: General Discussion on Customer/Merchant Experience
Stéphane Boyera: You make a good point re the notion of
decoupling payment systems with intent of payment
... this is a critical point; we need layer separation;
... having an easy way for merchants to support multiple
systems and a method for user to select...
Dave Birch: Between the phone and a payment terminal, there is a
lot of chance for complex options to take place; standards may
need to address the complex negotiations that will occur
Cyril Vignet: Part of standards is to define the value chain of
payments
Gray Taylor: Taking into account foreign exchange, what I care
about in the end is what I will get charged for
... quoting the final ticket price will let the user choose
Michel Leger: There's no breakout that makes it possible to know
what cut was taken by whom;
... re transparency and seamlessness, they don't correlate; the
more choices are offered, the more complex the UX
Gray Taylor: Customers will never read those screens
Eric Tak: What about point-of-sale (POS) terminals, how do we
integrate what we come up with here?
Gray Taylor: Fees added happen in the back office, not the POS.
pricing queues at the POS are philosohically great, but
impossible
... if we can present the final ticket across multiple vendors
and give choice that would be great
... our POS challenge is painting the screen as the user is
using it; we have to keep it simple for the user
... moving the POS screen down to the phone, you can see
exactly what's going on
USE CASE: Move the point of sales terminal off to the users
mobile .
Michel Leger: Need for customer choice may be based upon size of
the transaction. For small amounts, you probably don't care.
Cyril Vignet: Is is possible to automate options at the POS, for
POS with web-based presentation
Dave Birch: Existing systems do limit us, so we mustn't limit
our standards efforts to the existing card system, but look to
more options, with the understanding that one implementation of
the standard may ultimately be card-based
Michel Leger: Should a standard be explicit about roles? would
it be acceptable for intermediaries to propose components of
price?
... in multiple currency transactions, the intermediary does
define components of price
Manu wanted to ask about entry points for change being merchants
(MCX, could we deploy web payments in fuel industry?)
Manu Sporny: It's good to think past cards; who will be the
early adopters? probably not the banks unless fees are preserved
... convincing consumers may also be difficult
Dave Birch: Successful wallets are from retailers
Manu Sporny: Exactly; retailers will push this into the market;
W3C will need to figure out how to work with them
Dave Birch: We do need to build those bridges
Ori Eisen: What is the problem we are trying to solve?
Michel Leger: If the banks are changing, they will change with
the game also if the economics are right
Dave Birch: Banks also have an interest in driving down costs
Gray Taylor: The litmus test for retailers will be can they get
banks to change from the interbank model
... retailers want online and POS to work the same
ACTION: Manu to reach out to MCX to try and get them involved in
the W3C work on payments.
Dave Birch: Retailers will incentivize customers to opt for MCX
David Ezell: MCX == Merchant Customer Exchange, a movement to
build a Visa/MasterCard alternative network with far lower
transaction fees.
Ernesto Jimenez: Re the point about negotiation on the payment
process, users may need to choose manually since you can't always
know what balances are on the different payment methods
... availability of options will also depend upon location
Dave Birch: What I am saying is there can be a wider set of
possibilities
Virginie Galindo: More about MCX here : http://www.mcx.com/
Ernesto Jimenez: Range of payment service providers can be
loaded into the wallet in the short term, but balances may not be
known
... user behavior/preferences can also drive automated choices
Dave Birch: Policies can be set and downloaded from many sources
and executed at the POS
Tobie Langel: This is typically where user agents compete
Ricardo Varela: API integrations in browsers will likely cause
Visa/MC to cooperate; so we shouldn't expect them to resist this.
The standards won't say anything about fees so that will change
on its own
... is we assume that we have to tell intermediaries what they
have to do we are already making some assumptions
Joseph Potvin: What I was saying was that the role that
intermediaries are taking needs to be visible in the standard
Ricardo Varela: There you are already supposing there will be
intermediaries, and how many there are is unclear
Emil Johansson: Question re SEPAmail; trust is important, what
will be the consumer protections?
Cyril Vignet: Consumer protection will be provided by the TTPP;
the payload will define terms etc; the payment request will have
all the data, the idea is to have all the info at the customer
side so they can make decisions
Dave Birch: Under the current systems, these aspects are all
bundled. A system like SEPAmail will allow unbundling of those
elements, which can then become part of a negotiation.
... Specialist Intermediaries may arise who can provide that
role; Visa/MC may actually fulfill that role
Alexander Gee: We have draft legislation that payer should have
the final word on which payment service should be used
End of session 4.
-- manu
--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Worlds First Web Payments Workshop
http://www.w3.org/2013/10/payments/
Received on Monday, 31 March 2014 21:06:20 UTC