In 2019, EMVCo, FIDO Alliance and W3C collaborated to create the Web Payments Security Interest Group (WPSIG) to enhance the security and interoperability of web payments. Now, two years on, the three technical bodies have renewed their commitment to the charter to continue this work until 2023. In this post, Bastien Latge, EMVCo’s Director of Technology, together with Ian Jacobs, Head of W3C Payments Activity, and Christina Hulka, Executive Director and Chief Operating Officer of FIDO Alliance, discuss the significance of the charter renewal, provide an update on the group’s key achievements to date and offer an insight into what’s next for the WPSIG.
Why did EMVCo, FIDO Alliance and W3C create the Web Payments Security Interest Group (WPSIG)?
Bastien: EMVCo, along with FIDO Alliance and W3C, have taken steps to improve online payment security through the development of technical specifications. As the payments ecosystem evolved, and our work extended in complementary ways, greater coordination and collaboration between the bodies was needed to help improve security, compatibility and interoperability for secure web payments.
From EMVCo’s perspective, the group enables engagement with companies involved in the FIDO Alliance and in a variety of W3C Working Groups, with whom EMVCo has not traditionally had direct contact, either through the EMVCo Associate Programme or through our other technical liaison partnerships. The discussions with these companies are invaluable in fully enabling the evolution of the EMV® Specifications and to provide further education outside of the core payments world, to help ensure that when transactions do take place online, they are secure.
Ian: Within W3C we recognised that many bilateral conversations were happening separately between the three organisations, and there would be a real benefit to the industry if these conversations were brought into a common, collaborative forum, which was open to payment stakeholders. What started out as an idea for a one-time meeting evolved into the WPSIG that we have today: ongoing conversations between organisations that otherwise may not have been possible.
Christina: At FIDO Alliance, we were having multiple conversations with multiple stakeholders and it was clear we needed a platform to discuss ideas more formally and collaborate on activities. Bringing all of these stakeholders together in this SIG has already led to many achievements, and we hope that providing education on how our different technologies relate is bringing needed clarity to the industry.
Each technical body has just renewed its commitment to the charter until 2023. What does this mean for the payments industry?
Bastien: We extended the charter in recognition of the important ongoing role that the WPSIG plays in fostering online payment interoperability and security. The charter renewal will enable us to continue our work with the wider industry to better understand requirements for secure web-based payments and help shape our ongoing educational activity in the future.
What are the current priorities of the group?
Bastien: In November 2020, the group published its first output – a document explaining the roles of their related technology specifications that together can support merchants in delivering a more secure and convenient payment experience for the benefit of their e-commerce customers. ‘How EMVCo, FIDO and W3C Technologies Relate’ is an educational resource, which informs payments industry stakeholders on the roles of EMV® Secure Remote Commerce (SRC), EMV 3-D Secure (3DS), EMV Payment Tokenisation, FIDO Alliance’s FIDO2 specifications, and W3C’s Web Authentication and Payment Request APIs, which may be used together to enable more secure and convenient card-based payment during an e-commerce guest checkout on the web. We continue to seek feedback from payment stakeholders on how to improve and enhance the document. Interested organisations can visit https://www.w3.org/securepay/ for further information and details on how to submit feedback.
Christina: Looking to 2021, the group will continue its collaboration to enhance the interoperability of web payments. Key to this ongoing effort is identifying gaps between relevant specifications, and determining ways to close these gaps to increase compatibility among different technologies. We also plan to look at how our technologies fit in with Strong Customer Authentication (SCA) in Europe, risk assessment and privacy, and FIDO adoption.
Ian: For two years we have seen consistently high participation in WPSIG meetings. This is a strong sign that people have valued the discussions. More importantly, the quality of these discussions has enabled us to make real progress. In particular, I am excited about Secure Payment Confirmation (SPC) to streamline strong customer authentication. SPC is the use of combined technologies to provide a seamless authentication to customers for web payments. It combines FIDO authentication with browser capabilities related to payments in service of a variety of protocols, starting with EMV 3-D Secure. SPC is a great example of how high-bandwidth communications are enabling us to accelerate the impact of technology improvements to secure web payments.
How does the work of the WPSIG benefit the ongoing activities within each of the associations?
Christina: From a FIDO perspective, the WPSIG has helped us to better understand industry requirements and receive further feedback from stakeholders on our activities such as delegated authentication. It is helpful for us to provide input to the group to ensure our requirements are addressed, and in turn, include reference to the outcomes within our own materials and documents.
Bastien: For EMVCo, it is beneficial to receive additional feedback and engage with organisations working on web payments that we otherwise traditionally would have had fewer opportunities to interact with. It is helpful for us to receive validation on EMVCo’s strategic direction related to web-based payments and e-commerce in general, and receive wider industry input from the companies that are using EMV technologies.
Ian: The technology landscape continues to evolve rapidly and demands for interoperability are growing. In response, each organisation continues to enhance and revise its respective specifications. One of the key benefits of the group is the opportunity to review and provide feedback on respective work items. This helps us ensure the continued relevance of W3C work to the payments ecosystem, and to increase compatibility among all our technologies.