
A new web standard will add another layer of security to online payment services like Apple Pay

W3C announces a standard for secure online payments

The World Wide Web Consortium is working to further secure online payments in browsers with a new technology that works alongside other payment services like Apple Pay, Google Pay, and more.

Known as Secure Payment Confirmation (SPC), it allows various entities like merchants, banks, payment service providers, and card networks to reduce the obstacles associated with strong customer authentication (SCA) and generate cryptographic proof of user consent. These factors are crucial in meeting regulatory obligations such as Europe's Payment Services Directive (PSD2).

To address the increasing incidence of online payment fraud, Europe and other regions have introduced requirements for multi-factor authentication in certain payment scenarios. While multi-factor authentication effectively reduces fraud, it also tends to add complexity during checkout, which can result in customers abandoning their shopping carts.

Secure Payment Confirmation

Secure Payment Confirmation introduces an additional layer of "user consent" on top of web authentication. During a transaction, SPC prompts the user to consent to the payment terms through a "transaction dialog" governed by the browser.

The transaction dialog lets a user review and confirm the transaction details. The user's FIDO authenticator signs the transaction details, allowing the bank or relevant entity to verify the authentication outcome cryptographically.

The cryptographic verification ensures that the user has indeed consented to the payment terms, as required by the Payment Services Directive 2 (PSD2), under the concept of "dynamic linking."
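How a bank could perform the check described above, as an added example that is not code from the article or from the W3C: it confirms that the signed client data names the amount and payee the bank authorised, then verifies the authenticator's signature. The field names (`payment.get`, `payment.total`, `payeeOrigin`) and the signed-bytes layout follow the SPC and WebAuthn specifications as I understand them; the origins, challenge, and key are constructed sample values, and a production verifier would also check the origin and the signature counter.

```javascript
// Added example: bank-side check of an SPC assertion (dynamic linking).
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Returns null when the assertion proves consent to `expected`, else a reason string.
function verifySpcAssertion({ clientDataJSON, authenticatorData, signature }, publicKey, expected) {
  const cd = JSON.parse(clientDataJSON.toString('utf8'));
  if (cd.type !== 'payment.get') return 'not an SPC assertion';
  if (cd.challenge !== expected.challenge) return 'challenge mismatch';
  const p = cd.payment || {};
  const total = p.total || {};
  // Dynamic linking: the signed amount and payee must be the ones the bank authorised.
  if (total.value !== expected.value || total.currency !== expected.currency) return 'amount mismatch';
  if (p.payeeOrigin !== expected.payeeOrigin) return 'payee mismatch';
  // Authenticator data starts with a 32-byte RP ID hash, then a flags byte.
  if (authenticatorData.length < 37) return 'short authenticator data';
  if (!authenticatorData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return 'rpId mismatch';
  if ((authenticatorData[32] & 0x04) === 0) return 'user not verified'; // UV flag
  // WebAuthn signs authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? null : 'bad signature';
}

// Constructed sample: a throwaway P-256 key stands in for the user's FIDO authenticator.
function makeSample(value) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'payment.get', challenge: 'Y29uc3RydWN0ZWQ', origin: 'https://merchant.example',
    payment: { rpId: 'bank.example', payeeOrigin: 'https://merchant.example',
               total: { currency: 'EUR', value } },
  }));
  const authenticatorData = Buffer.concat([
    sha256(Buffer.from('bank.example')), Buffer.from([0x05]), Buffer.alloc(4)]); // flags: UP | UV
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { assertion: { clientDataJSON, authenticatorData, signature }, publicKey };
}

// What the bank expects for this transaction (constructed values).
const expected = { challenge: 'Y29uc3RydWN0ZWQ', rpId: 'bank.example',
                   payeeOrigin: 'https://merchant.example', currency: 'EUR', value: '25.00' };

const demo = makeSample('25.00');
console.log(verifySpcAssertion(demo.assertion, demo.publicKey, expected));
```

Because the amount and payee sit inside the signed client data, changing either one after the user confirms invalidates the signature, which is what ties the authentication to one specific transaction.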

The Web Payments Working Group started the development of Secure Payment Confirmation in 2019 to meet the Strong Customer Authentication requirements while minimizing checkout difficulties. Stripe conducted a trial using an initial implementation of SPC, and in March 2020, it was observed that SPC authentication resulted in an 8% boost in conversions compared to one-time passcodes (OTP).

Additionally, the checkout process was three times faster with SPC authentication. SPC could extend beyond card payments and encompass other payment ecosystems as well.

Currently, SPC is available in Chrome and Edge on macOS, Windows, and Android, but not in Apple's Safari browser. As the Web Payments Working Group enters the Candidate Recommendation phase, efforts will be made to extend SPC implementation to other browsers and platforms.