W3C announces new Web standard for online payments
This seems interesting. The World Wide Web Consortium has announced a new web standard for a new browser capability that helps streamline user authentication and enhance payment security during Web checkout. It’s not clear yet if this will have an impact on or extend Apple Pay.
Introducing Secure Payment Confirmation
In a press release, the W3C explains how this works. “Secure Payment Confirmation (SPC) enables merchants, banks, payment service providers, card networks, and others to lower the friction of strong customer authentication (SCA), and produce cryptographic evidence of user consent, both important aspects of regulatory requirements such as the Payment Services Directive (PSD2) in Europe.
The standard is now available as a Candidate Recommendation, which means the feature set is stable and it has received wide review.
What W3C said
Working Group co-Chair Nick Telford-Reed. “Secure Payment Confirmation means that for the first time, there will be a common way of authenticating shoppers across payment methods, platforms, devices and browsers, and builds on the success of W3C’s Payment Request and the work of both the FIDO Alliance and EMVCo.”
The consortium says the standard has been created in response to increased adoption of web-based ecommerce and the accompanying increase in payment fraud. It notes that existing attempts to mitigate such fraud, principally MFA, also increase checkout friction.
In the background
Since 2019, the W3 has been developing Secure Payment Confirmation to help fulfil Strong Customer Authentication requirements with low checkout friction. Stripe conducted a pilot with an early implementation of SPC and, in March 2020 reported that, compared to one-time passcodes (OTP), SPC authentication led to an 8% increase in conversions at the same time checkout was 3 times faster.
The Web Payments Working Group anticipates more experimental data will be available by September 2023.
[Also read: How Apple Pay makes money (Merchant Transaction Fees)]
In the Web Payment Security Interest Group, W3C, the FIDO Alliance, and EMVCo pursue improvements to online payment security through the development of interoperable technical specifications.
Secure Payment Confirmation is not just for card payments.
The Web Payments Working Group regularly discusses how SPC might be integrated into other payment ecosystems such as Open Banking, PIX (in Brazil), as well as in proprietary payment flows.
A sense of how this might work
Secure Payment Confirmation adds a “user consent layer” above Web Authentication. At transaction time, Secure Payment Confirmation prompts the user to consent to the terms of a payment through a “transaction dialog” that is governed by the browser. The transaction details are signed by the user’s FIDO authenticator, the bank or other party can validate the authentication cryptographically and know the user has consented to the terms of the payment.
SPC is currently available in Chrome and Edge on MacOS, Windows, and Android. During the Candidate Recommendation period the Web Payments Working Group will seek implementation in other browsers and environments – given Apple’s involvement in W3C and FIDO, Safari support seems likely.
Mastercard is aboard
“Mastercard is committed to ensuring security and trust across the payments ecosystem, while also providing an exceptional consumer experience,” said Pablo Fourez, Executive Vice President, Network and Digital Payment Services, Mastercard in a press release.
“As e-commerce continues to reach new heights around the world, we welcome the introduction of the World Wide Web Consortium’s SPC standardization to support streamlined authentication of consumers across merchants and payment use cases. It’s more important than ever that the online checkout experience is seamless and safe, and this standard is a positive and productive step in scaling our innovative technology that supports this space.”
Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.