PROPOSAL: PMI identifies payment method specification, use meta-data for additional granularity

[adrianhopebailie]

Replaces #2

Background

The current proposal of basic string matching has placed unnecessary restrictions on how PMIs can be used.

Under the current system both of the following PMI's reference the Card Payment Method Specification: https://webpayments.org/card/visa https://webpayments.org/card/mastercard

This is redundant because the PMI is fulfilling two roles:

1. Identify the payment method that is supported (Card Payment Method) as defined in a single Payment Method Specification.
2. Pass additional semantics about how that payment method is supported (support for Visa and Mastercard branded cards)

It would be better if a payee or payment app could advertise their support for the card payment method by simply using the PMI; https://webpayments.org/card/ and then use some other mechanism to pass those additional semantics.

Caveat

The mechanism for passing additional semantics needs to be understood by the payment mediator (browser), at least in as much as the mediator must be able to execute the matching algorithm.

Example: If the supported card brands was passed in the payment method specific data then it would only be possible to evaluate if there is a match after invoking the payment app.

However, it's not necessary that the mediator (browser) understand what the meta-data actually means, just how to use it for matching.

Example: The browser doesn't need to know what a card brand/scheme is, just how to perform matching on the set of values ["visa", "mastercard"] named "brand".

Proposal

Matching should be done against two distinct pieces of data:

1. A payment method identifier (PMI) that identifies the payment method as defined in a payment method specification (Eg: Cards, SEPA direct debit, Alipay)
2. A set of filters/constraints that can be used to pass additional meta-data into the matching algorithm allowing the payee and payment app to provide additional granularity to the matching

Definition of the allowed meta-data would be done at a payment method level (i.e. in the payment method specification) but the matching algorithm would still support matching without needing to understand the semantic of the meta-data. (i.e. simple matching rules based on the names and values of the meta-data)

Implementation

There are numerous ways this could be implemented which can be decided upon later if this concept is adopted in principal

So the following PMIs might be implemented as follows:

[
  {
    supportedMethods: [
       "https://web-payments/methods/card/visa",
       "https://web-payments/methods/card/cup",
       "https://web-payments/methods/card/mastercard"
   ]
  },
  {
    supportedMethods: [
      "https://web-payments/methods/card/bitcoin/v1",
      "https://web-payments/methods/card/bitcoin/v2"
    ],
    data: {
      bitcoinWallet: "XXXX",
    }
  }
]

1 - PMIs allow query string parameters as matching meta-data

Match by first matching the URL portion without the query string and then find the intersection of query string parameters.

[
  {
    supportedMethods: "https://web-payments/methods/card/?brand=visa,mastercard,cup"]
  },
  {
    supportedMethods: ["https://web-payments/methods/card/bitcoin/?ver=v1,v2"],
    data: {
      bitcoinWallet: "XXXX",
    }
  }
]

2 - Simple PMIs with additional meta-data in the JSON of the request

Match the PMI which is a simple URL and then look in a standard field in the request for additional

[
  {
    supportedMethods: ["https://web-payments/methods/card/"],
    methodMetadata: {
      "https://web-payments/methods/card/" : {
        "brands" : ["visa", "mastercard", "cup"]
      }
    }
  },
  {
    supportedMethods: ["https://web-payments/methods/card/bitcoin/"],
    methodMetadata: {
      "https://web-payments/methods/card/bitcoin/" : {
        "versions" : ["v1", "v2"]
      }
    },
    data: {
      bitcoinWallet: "XXXX",
    }
  }
]

[ianbjacobs]

@adrianhopebailie, thanks for writing this up.

Some additional notes:

• In both approaches (query string or JSON in the payment request), there are payment method specified terms that participate in the matching algorithm. For instance, the basic card payment method spec would allow people to use the term "brands" with a list of (arbitrary) values. In the above example, the bitcoin payment method spec would define the term "version" and explain how that term is used (e.g., a list of strings that represent version numbers).
• One of the ideas we discussed is that when payment request API is called, payment method identifiers could be repeated N times, but with different constraints each time. (Thus they would not be "duplicate PMIs" as long as the constraints are different.) A mediator would then invoke the matching algorithm for each of these PMI/constraint pairs.
• In a world with payment method specific terms (e.g., brands or version) the mediator running the matching algorithm needs some semantics beyond "URL matching" for testing the constraints. Here are some thoughts on that:
  • Subclass matching is likely to be symmetric: There should be a match both when the merchant accepts a superset of what the user has, and when the merchant accepts a subset of what the user has. In both cases, there is some some common subset, justifying the match.
  • Similarly, when there is a given type of constraint on one side (e.g., on brands) and no constraint on the other, that should constitute a match.
  • For a given constraint, if the nature of the constraint is not subclassing and the values are otherwise different, that should not constitute a match.
• In pseudo-code, a mediator-implemented matching algorithm (independent of any given payment method) might look like this:
  • Let PMI_M be the set of PMIs-and-constraints specified by the merchant.
  • Let PMI_U be the set of PMIs-and-constraints specified by the user. (Note: The payment app spec will define how this user-side set is computed as input to the matching algorithm.)
  • The algorithm will loop over PMI_M, looking one by one for matches with members of PMI_U. The result of the loop will be the set of all matching members of PMI_U. This data is most useful from the perspective of the matching payment apps.
• Within that loop, let A and B each be any two PMIs-with-constraints that we are comparing. Here is what I expect the mediator will need to know how to do and thus would be part of the PMI standard:
  • Do an equivalence test on the URL portion.
  • Identify the constraint sets for A and B (which may be empty)
  • Collect the contraint terms common to the A and B constraint sets.
  • Parse each constraint term treating the values as a list of one or more items.
  • Compare items for equivalence or subclass relationships.

Here's a syntax for discussion: A{term1=item1, item2, term2=item2/itemN} which means:

• A is the the URL portion, the contraint is between curly braces.
• The constraint is a list of term/value pairs.
• Each value is a list of one or more items.
• Each item may be composed of a series of subclasses separated by "/", with the root class on the left. Thus, "itemN" is a subclass of "item2" in the example.

We want the following to match:

• A, A
• A{}, A
• A{term1=item1}, A
• A{term1=item1}, A{term2=item5}
• A{term1=item1}, A{term1=item1}
• A{term1=item1, item2}, A{term1=item1, item2}
• A{term1=item1}, A{term1=item1, item2}
• A{term1=item1}, A{term1=item1/item5, item2}
• A{term1=item1/item5}, A{term1=item1}
• A{term1=item1}, A{term1=item1, item2/item5}

And the following not to match:

• A, B
• A{term1=item1}, A{term1=item2}
• A{term1=item1/item5}, A{term1=item1/item6}

The following test by the mediator would result in a match between two PMIs-with-constraints:

1. The URL parts match (using a simple URL equivalence test) AND
2. Any of the following is TRUE:
    a. No overlapping constraints. This includes the following cases:
        - Empty contraints for A or B (or both)
        - No overlapping constraint terms between A and B.
    b. At least one successful match for a term T that appears in both A and B. This includes:
        - There is at least one value for T in A that is string equivalent to one value for T in B.
        - There is at least one value for T in A that is a subclass of a value for T in B.
        - There is at least one value for T in B that is a subclass of a value for T in A.

Ian

[msporny]

-1 for domain specific languages (DSL) that encode matching logic in the URL query parameters (@adrianhopebailie's option #1 above) . PMIs should be simple to match against, we shouldn't require Web developers to learn a DSL to use the matching portion of this system

+1 for a tags-based approach - placing extra matching information in the JSON data. The selection logic might not be selecting on a strict hierarchy of payment options, but among a subset of overlapping sets. @adrianhopebailie's proposal #2 above feels a bit awkward, but is the right general direction, imho.

I'm also wary of creating these tags w/o a very good idea of the ecosystem of options. How many different cards classify themselves as visa vs. visa debit vs. corporate vs. ...

[adrianhopebailie]

@msporny why do you feel that using query parameters is a DSL?

[msporny]

@adrianhopebailie wrote:

why do you feel that using query parameters is a DSL?

For simple cases, one could argue that it's not a DSL. For example, this is simple: brands=visa,mastercard,cup

That said, I don't think the matching logic is going to stay that simple for some payment methods... and that is going to result in added complexity for mediators.

Payment method developers may want to create many different types of filters (which we should discourage) and when you have more than one query parameter, you have to consider if one query parameter is going to be applied before another one. Are they applied in a specific order? Are the options effectively AND'ed or OR'd together? Or are you AND'ing each parameter and OR'ing each item in each parameter? This is when we start getting into DSL territory.

That's what I mean by DSL - there is execution logic here that is more complex than just simple string matching. The characters you use and where you use them matter in the final selection.

Let's take https://web-payments/methods/card/?brand=visa,mastercard,cup&color=red,blue

Here's one way that could be evaluated:

method == card AND brand == (visa OR mastercard OR cup) _AND_ color == (red OR BLUE)

or should you evaluate that as:

method == card AND brand == (visa OR mastercard OR cup) _OR_ color == (red OR BLUE)

Note the final "AND" vs "OR"... and developers are going to have to be keenly aware of those details, which I assert (very strongly) is a bad idea.

I'm not saying having a ton of payment method identifiers is great. I'm saying that doing something like the above would be worse, especially given that we don't know how many different PMIs there are going to be. I'd feel far more comfortable designing something like what's being proposed above if we had a dataset to work from. If we don't have that dataset, we're blindly designing something that we don't know will work out in the real world.

[dlongley]

-1 on encoding any complex matching information in the URL.

I'd be ok with including extra matching information in the JSON data, but I'm not sure how restrictive that needs to be in order for it to work for implementers or for the use cases. One option is to make the supportedMethods values be either a string (a PMI URL) or an object with an id property that has the PMI URL for its value and then some standardized properties that would include the appropriate matching data. This would need to be generalized enough to support more than just one payment method, otherwise mediators will have to understand the matching specifics for every payment method in order to implement.

An argument was presented before that going with a simpler approach where listing out all of the supported PMIs (where "brand" information would be included in them, e.g. https://webpayments.org/card/visa) could be made simpler for developers via a helper library. Looking at the proposed URL syntax, I would say that a Web developer would also want to use a library to generate the output. That tells me that we should go with the simpler approach.

If the simpler approach is actually insufficient to cover the use cases, then we should put more complex (but generalized) matching semantics into the non-payment-method-specific JSON, not into the URLs.

[dlongley]

"brand" is definitely a DSL. Not every payment method will have "brands".

[adrianhopebailie]

I don't think the matching logic is going to stay that simple for some payment methods

The matching logic can't easily change. The logic is the same for all payment methods because it is coded into the mediator. It is precisely this fact that leads me to believe that a simple algorithm that can only take a single set of identifiers as input will severely restrict the design of payment methods

This is a proposal to define a matching algorithm that can take sets of filters/tags/constraints (call them what you like) as input. i.e. each identifier can have one or more sets of filters attached to it as input to the matching algorithm.

Payment method developers may want to create many different types of filters (which we should discourage) and when you have more than one query parameter, you have to consider if one query parameter is going to be applied before another one.

Payment method developers are not empowered to create different types of filters. All filters will be of the same type they will just have different names. If they were able to develop new types of filter that new logic would somehow need to get injected into the mediator so I'm not sure how that would ever work.

The proposal is to evaluate all filters the same way, i.e. method == card AND brand == (visa OR mastercard OR cup) AND color == (red OR BLUE)

-1 on encoding any complex matching information in the URL.

I think you are missing the point of the proposal. The proposal is to have a matching algorithm that matches first on the PMI and then also considers additional filters like "brand" or "version".

"brand" is definitely a DSL. Not every payment method will have "brands".

Obviously the algorithm must be designed so that it doesn't need to understand what "brand" is other than a label for a set of filters so I'm not sure I understand this logic.

-1 on encoding any complex matching information in the URL. I'd be ok with including extra matching information in the JSON data

The way the extra filters are encoded is not what's being discussed. I have simply provided examples of how the encoding may be done. In any case, both the query string and JSON examples above are encoding the same data so saying +1 to one and -1 to the other makes no sense really.

[rsolomakhin]

This approach seems sensible.

new PaymentRequest(
  [ 
    { 
      supportedMethods: ['https://web-payments/methods/card/'],
      data: {brands: ['visa', 'mastercard', 'cup']}
    },
    { 
      supportedMethods: ['https://web-payments/methods/card/bitcoin/v1'],
      data: {bitcoinWallet: 'XXXX'}
    } 
  ],
  details, options);

[dlongley]

@adrianhopebailie,

In any case, both the query string and JSON examples above are encoding the same data so saying +1 to one and -1 to the other makes no sense really.

When there's more than one way to achieve a particular goal, I think it makes perfect sense for people to express preferences for one way over another. In fact, analyzing the particular methods proposed for achieving the goal help determine its feasibility. That's what almost every issue we debate is about. I don't understand why this one would be different.

I think we're asking a few interdependent questions here:

• Should we allow/require payment mediators to match on information more granular than payment method identifiers?
• What level of granularity should be encapsulated within payment method identifiers? For example, should every new payment instrument provider or type for a particular payment method yield a new payment method identifier?
• How should we encode additional caveats that must be met in order for payment methods to be considered supported such that a payment mediator may check and match on them?

Implicit in all of these questions is the proposal that something be done. Some of the ideas for "how" have been given.

I think it may be possible to encode additional caveats (e.g. "brand") within PMI URLs without treating them as anything more than opaque strings in a matching algorithm. But I say this without having fully dived into the use cases. So, given that I could be mistaken, I'm willing to entertain alternative ideas.

I think the proposal to encode the caveats in the PMI URL but then change the matching algorithm so that the payment mediator must parse the URL to produce a set of filters that can be combined in various ways is a bad one.

I think the proposal to encode additional caveats in the JSON is potentially workable one, but it should be in the non-payment-method-specific JSON and it should be generalized. I think JSON is a format much more amenable to expressing complex structured data than query parameters in a URL. So I do think how this information is encoded matters.

You may say "for this version we'll only combine and process these filters/tags in one way" -- so encoding it in the URL is fine. Well, if we feel the need to do something more complex in the future, then we've chosen a mechanism that really won't easily allow for it. So let's not do that.

[adrianhopebailie]

When there's more than one way to achieve a particular goal, I think it makes perfect sense for people to express preferences for one way over another.

This is a proposal to adopt SOME mechanism for expressing additional granularity and provides examples of two possible ways that additional granularity could be encoded purely for illustration.

We are wasting a lot of cycles debating the merits of one encoding mechanism vs the other before establishing if we think this is something we want to do at all.

[adrianhopebailie]

@rsolomakhin there are two problems with that approach:

1. It mixes data that is supposed to be used for matching (i.e. parsed by the browser) into data that is supposed to be an opaque payment method specific blob only arsed by the payment app.
2. It only works because you are only using a single payment method in each array.

[rsolomakhin]

I am open to suggestions.

[dlongley]

@adrianhopebailie,

We are wasting a lot of cycles debating the merits of one encoding mechanism vs the other before establishing if we think this is something we want to do at all.

That may be because of how the proposal was presented. Given the presentation, the decision for whether or not to do it was dependent upon how it would be done (there's little else to analyze here).

If we want to step back from the details, then I think it would be better to look at a set of use cases to see if we can cover them without having to change the current design. It would be easier to make the decision you're after if we were able to say:

"With the current design we can't do X" or "With the current design doing X is unnecessarily difficult"... and "X is really important to cover in version 1."

What use cases, in particular, did you have in mind and how would the solution look using the current design?

[msporny]

What use cases, in particular, did you have in mind and how would the solution look using the current design?

I'd like to add one more thing, which I've been asking for repeatedly :), to the list of "things that we need to make an informed decision":

• A list of all of the PMIs we reasonably expect to have in version 1

If that list is roughly 5-10 items in size, and only 3-5 of those PMIs would use this feature, I'd assert that we don't have enough data to create a generalized solution at this point in time. I'd also assert that we can add this feature in the future without a large negative impact to the ecosystem.

If that list is 30-70 items in size, and 20 of those PMIs would use this feature, I'd feel comfortable that we have enough data to try out a couple of ideas given a good sample set of data.

At the moment, the use case seems to be "we need to find a way to list one PMI for visa/mastercard/discover/cup". I fully admit to not having the knowledge that a PSP would have wrt. the variety of PMIs in the wild. I'm asking that the PSPs (or anyone with that knowledge) share that data so that everyone involved in making a decision on this feature is fully informed when discussing it.

[msporny]

@adrianhopebailie wrote:

This is a proposal to adopt SOME mechanism for expressing additional granularity and provides examples of two possible ways that additional granularity could be encoded purely for illustration.

The proposal included implementation details and I think most of us are reacting to that.

To put it another way, I'm +0.5 for "SOME mechanism for expressing additional granularity" - I don't think it's high priority, but I don't think it hurts to hash out the design.

I'm -1 for one particular proposal - encoding this mechanism in URL query parameters - I think that approach is too limited.

We are wasting a lot of cycles debating the merits of one encoding mechanism vs the other before establishing if we think this is something we want to do at all.

Ask the two questions separately. I'm +0.5 to try and find a solution. I'm not convinced we have the data we need (all PMIs we expect in v1) to design a solution at this point in time.

[adrianhopebailie]

I believe that @mattsaxon has already provided a list of a hundred or more variations of card payments alone

[msporny]

I believe that @mattsaxon has already provided a list of a hundred or more variations of card payments alone

Link?

[dlongley]

@adrianhopebailie,

I believe that @mattsaxon has already provided a list of a hundred or more variations of card payments alone

And how often do merchants only accept some very specific variation? I understand that debit and credit may be a fairly common differentiation. How many variations, in practice, are used in such exclusive ways that would require Payment Apps to have to list all 100 supported methods as individual PMIs?

I'm worried we may be trying to capture an abstraction without a purpose. That two payment method have something (or many things) in common doesn't change the fact that they are different payment methods.

Regarding credit card brands, Payment Apps have to indicate that they support one or the other (or both) and each uses its own payment network and payment credentials. Why should they not be considered just as different as bitcoin is from visa? Should bitcoin and ethereum both be considered blockchain payment methods and have their differences represented in some other way?

Is the only reason we're considering this because a Payment App may have to list many supported methods vs. a few? Aren't we aiming for a standard that enables innovation in the ecosystem to support many payment methods in the future anyway?

In terms of the purpose of this particular abstraction in the ecosystem, I do not yet understand the reason why we need a more complex method of comparison. It still seems to me that simple PMI URLs ought to be sufficient. There may be a lot of them to list, but I'm not convinced that's a real problem. I think seeing the future undesirable scenarios spelled out in a way that makes it clear that they're untenable would be helpful.

[adrianhopebailie]

Regarding credit card brands, Payment Apps have to indicate that they support one or the other (or both) and each uses its own payment network and payment credentials. Why should they not be considered just as different as bitcoin is from visa? Should bitcoin and ethereum both be considered blockchain payment methods and have their differences represented in some other way?

This is a terrible analogy. We are proposing to use a single payment method, defined in a single payment method spec, for all payment cards. Nobody is proposing a single payment method for all crypto-currencies. If you are proposing that we need a new payment method spec for each card brand then I think you've missed the point.

Thus far all I can glean from the comments is:

1. Preference for the JSON encoding style
2. Opposition to the proposal in principal because it's not possible right now to understand how this will be used

Regarding 1 - This is useful input but not the point of the discussion Regarding 2 - You are taking a very US-centric view of the world where the majority of merchants either accept cards or don't and at most will need to express which brands they support.

Of course this seems simple when you only have a single dimension (brand), but as @mattsaxon has already indicated merchants often have more specific requirements for risk, cost or other reasons.

If we just take card payments as an example there are at least 4 dimensions of granularity I can think of off-hand:

1. Brand - Visa, MasterCard, Amex etc
2. Card Type - Debit, Credit, Hybrid etc
3. Risk Profile - Silver, Gold, Platinum etc
4. Card holder type - Private person, corporate card

Every new dimension exponentially grows the list of possible combinations that a merchant, may want to express support for. This simply won't work using a URL for every combination.

[dlongley]

This is a terrible analogy. We are proposing to use a single payment method, defined in a single payment method spec, for all payment cards. Nobody is proposing a single payment method for all crypto-currencies. If you are proposing that we need a new payment method spec for each card brand then I think you've missed the point.

Like I said, for the purpose of this particular abstraction (matching on what you can do), it doesn't really matter if the same spec forms the foundation for paying a particular way if a merchant lets someone pay with one brand but doesn't support letting them pay with another. We're talking about different "things" being supported at that point, not the same thing that works in one case and not another. The boundary for the abstraction is wrong with respect to how the mediator decides if an app is a good match for a merchant.

What's the purpose of including the PMI in the data the mediator uses? My understanding was that it was supposed to allow a mediator to determine if a particular Payment App could service the payment request. But if what a merchant needs can't be summed up by "basic card payment method", then something is off. "Visa" doesn't use the "basic card payment method", it uses something more specific that inherits from that. That's what I mean when I say the abstraction isn't quite right here.

You are taking a very US-centric view of the world where the majority of merchants either accept cards or don't and at most will need to express which brands they support.

I'm willing to concede that. Can you provide actual use cases where, for example, merchants only accept really specific cards? I'd like to understand the situations that are actually out there in the wild (wherever they are) to get a grasp on the need for this granularity. I would expect merchants to accept many possibilities but perhaps offer different pricing.

[dlongley]

If I'm a Payment App developer and I say that my app supports payment method X, does that mean I support all subtypes? What if a new subtype arises at some later point in time (as one might expect), won't my app start to fail and I'll have to deal with people thinking it's my app's fault? Does this mean I'll have to enumerate every possible subtype... and doesn't that mean it's not really all that different from making them separate payment methods?

[adrianhopebailie]

won't my app start to fail and I'll have to deal with people thinking it's my app's fault

That depends on the payment method. For a lot of the filters we think will be useful for cards it won't.

If I say I support all VISA cards and someone else says they only support VISA cards in the platinum tier I'd expect my app to seamlessly support a new tier like like red and the other app to not support it until they expressly state they do.

[dlongley]

On another point -- I'm not convinced this information will actually ever be used by the mediator (but maybe by a Payment App). As a Payment App developer won't I just always say I support every kind of payment instrument (if possible) for a particular payment method? I want people to come use my app. So what would the match actually be against?

At a minimum, wouldn't I always say I support a particular brand? So what does it matter if it gets more specific than that -- I won't ever report it on my end. For basic card in particular, with no special kind of tokenization, I don't see why I wouldn't always support everything. Seems like it could matter more with other payment methods.

[dlongley]

Another way of looking at this:

For the basic card payment method, why would a Payment App indicate that they only support some subset of possible cards? And how granular would it need to be?

[adrianhopebailie]

For the basic card payment method, why would a Payment App indicate that they only support some subset of possible cards? And how granular would it need to be?

Because if a merchant says they will only accept one set then they can provide a guarantee that they are able to handle the payment request.

Also, the granularity allows the merchant to provide price differentiation (especially important when the different card types have different transaction fees and risk profiles)

[ianbjacobs]

Closing this issue. We are addressing how payment apps handle filters in the payment apps task force: https://github.com/w3c/webpayments-payment-apps-api/issues/63