2024 W3C TPAC Recap

Steve Cole, Director, Tech Engagement, Merchant Advisory Group
Dec 5, 2024
The World Wide Web Consortium (W3C) held their annual conference, better known as TPAC, the week of September 23, 2024.  This year also marked the 30th anniversary of the Consortium and the 35th anniversary of the Web itself.  While W3C sets standards for all things Web, two of the groups most relevant to payments are the Web Payments Working Group (WPWG) and the Web Payments Security Interest Group (WPSIG).  The focus of the WPWG is to make payments easier and more secure on the Web.  The purpose of the WPSIG is to enhance the security and interoperability of various Web payments technologies by creating a forum for organizations to collaborate on identifying gaps between existing technical specifications and improve compatibility between technologies.  Both groups held meetings during the conference, and in this article, I will touch on some of my takeaways.  

The WPWG held full-day sessions on Monday and Tuesday covering a number of topics, from fraud and regulatory trends to trust signals to perspectives on Latin American payments.  In addition, I had the opportunity to speak to the group on merchant hot topics in eCommerce, where we covered capturing data and signals related to first-party fraud and browser token auto-fill, among other topics.  An area of particular focus was Secure Payment Confirmation (SPC).  The purpose of SPC is to make the authentication process during checkout easier and more secure.  Mastercard and Visa presented on their SPC pilots, both of which focused on comparing the SPC experience to a standard WebAuthn experience.  One of the key factors for strong authentication is possession, and the working group had been looking at FIDO passkeys to establish possession.  However, since FIDO updated their standards to allow for synced passkeys that can be shared across devices, the utility of FIDO passkeys as a possession factor is degraded: a credential that is copied to several devices no longer proves which device the user holds.  While synced passkeys are useful for login use cases, they create challenges for determining possession in payments.  To address this issue, the group discussed at length a proposal for browser-bound keys.  On Tuesday afternoon, a joint meeting with the Web Authentication Working Group (WAWG) was held to discuss this proposal and other proposals from the WAWG for adding the possession factor back into passkeys.  The WPWG will continue working to develop requirements for an approach on the possession factor.
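The possession problem described above is visible to a relying party in the assertion itself: WebAuthn authenticator data carries a flags byte whose BE (backup eligible) and BS (backup state) bits indicate whether the credential is the kind that can be synced across devices. The example below is added here to illustrate that signal; it is not code from the recap, the W3C, or the FIDO Alliance. It assumes the server has already extracted the raw authenticator data bytes from the `PublicKeyCredential` response, and it classifies how much possession assurance the assertion can support. The `makeAuthData` helper and the 0xab-filled rpIdHash are constructed test fixtures, not real values.

```javascript
// Added example (not from the TPAC recap, W3C, or FIDO): parse the flags byte
// of a WebAuthn authenticator data blob to detect a synced (backup-eligible)
// passkey, which weakens the possession factor for payment authentication.
//
// Authenticator data layout per the WebAuthn spec:
//   bytes 0..31  rpIdHash (SHA-256 of the RP ID)
//   byte  32     flags
//   bytes 33..36 signCount (big-endian uint32)
//   optional attested credential data / extensions follow.
// Flag bits: UP=0x01, UV=0x04, BE=0x08 (backup eligible), BS=0x10 (backed up),
//            AT=0x40, ED=0x80.

const FLAG_UP = 0x01;
const FLAG_UV = 0x04;
const FLAG_BE = 0x08;
const FLAG_BS = 0x10;

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = authData[32];
  // >>> 0 forces an unsigned 32-bit result.
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    signCount,
  };
}

// How much "possession" a relying party can infer from one assertion.
// A backup-eligible credential may exist on several devices at once, so it
// proves control of an account's passkey, not of a specific device.
function possessionAssurance(parsed) {
  if (!parsed.userPresent) return "none";
  if (parsed.backupEligible) return "synced";
  return "device-bound";
}

// Constructed fixture builder (hypothetical; real data comes from the browser).
function makeAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32); // stand-in for SHA-256(rpId)
  buf[32] = flags;
  buf[33] = (signCount >>> 24) & 0xff;
  buf[34] = (signCount >>> 16) & 0xff;
  buf[35] = (signCount >>> 8) & 0xff;
  buf[36] = signCount & 0xff;
  return buf;
}

// Stand-alone demonstration: one device-bound assertion, one synced assertion.
const deviceBound = parseAuthenticatorData(makeAuthData(FLAG_UP | FLAG_UV, 7));
const synced = parseAuthenticatorData(makeAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0));
console.log("device-bound credential ->", possessionAssurance(deviceBound));
console.log("synced credential       ->", possessionAssurance(synced));
```

A payments relying party would feed the `"synced"` result into its risk decision (for example, requiring an additional factor or a browser-bound key when available) rather than rejecting the passkey outright, since synced passkeys remain a good login credential.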

The WPSIG held a full-day session on Thursday.  While several topics were discussed, most of the group’s discussions focused on authentication topics, including using Device Bound Session Credentials (DBSC) to perform device recognition for 3D Secure and allowing a Grant Negotiation and Authorization Protocol (GNAP) authentication flow for EMV Secure Remote Commerce (SRC).  A presentation on PCI DSS v4 highlighted challenges with requirements for protecting cardholder data from scripts included on a payments page, due to needed features not being supported on all browsers.  As in the WPWG meeting, synced FIDO credentials were also a topic the group addressed, with a discussion on potential trust signals that could provide a higher level of assurance that devices with a shared credential are actually under the control of the same person.  A suggestion was made that the WPWG should look into building device-binding into SPC and work towards a state where passkeys can provide the previously mentioned FIDO trust signals for financial services use cases.  Finally, a joint discussion with the Anti-Fraud Community Group focused on denying access to IP addresses by third parties and possible alternatives for third parties, as IP addresses play a key role in device recognition and fraud detection.

The meetings at TPAC obviously get deep into the technical weeds, but hopefully this article provided a flavor of the meeting topics, discussions, and issues the WPWG and the WPSIG are working to address.  For those looking to dive deeper, the minutes and many of the WPWG presentation decks are publicly available by going to the WPWG’s GitHub site and clicking on the session dates.  Access to WPSIG minutes and presentation decks requires membership in one of the Interest Group partner organizations (W3C, FIDO, and/or EMVCo).