The standardization company EMVCo (which has the de facto MasterCard and Visa), the Fast Identity Online (FIDO) Fast Digital Identity Verification Alliance and the World Wide Web Consortium (W3C) have formed a common interest group for secure online payments.
According to the W3C press release, the “Web Payment Security Interest Group” will first define areas where the three organizations want to work together and identify any gaps between their existing technical specifications. Subsequently, the compatibility between the individual technical procedures should be improved.
Statute and goals
The Statute of the “Web Payment Security Interest Group” therefore provides for the development of a common target image for the security of online payments. In addition, the partners want to develop use cases, analyze gaps, look for cooperation with other organizations, and look for ways to standardize their membership. However, they did not want to develop common specifications; this should happen within the organizations involved.
EMVCo hopes to work with its CEO, Karteek Patel, to develop new technologies to improve security and consumer convenience in online payments, also with a view to future issues. Similarly, Brett McDowell, CEO of the FIDO Alliance, said that they are using their authentication solutions. “The authentication and payment standards are to be seen as part of comprehensive transformation processes of payment service providers,” said W3C chief executive Jeff Jaffe, the sustainability as a common goal.
The future development of this transformation is “difficult to assess, especially with regard to new web services such as video streaming, real-time communication and augmented reality”. The stakeholder group should ensure that security is one of the basic requirements for new payment models for such services.
FIDO and W3C have already collaborated on the WebAuthn initiative to standardize logins with two-factor authentication without a password. For example, a hardware token and a biometric feature such as fingerprint or face are used. Among security experts, however, the April 2011 finalized WebAuthn standard is not uncontroversial.