The World Wide Web Consortium is working to further secure online payments in browsers with a new technology that works alongside other payment services like Apple Pay, Google Pay, and more.
Known as Secure Payment Confirmation (SPC), it lets merchants, banks, payment service providers, and card networks reduce the friction of strong customer authentication (SCA) while producing cryptographic proof of the user's consent to a specific payment. Both are needed to meet regulatory obligations such as Europe's Payment Services Directive (PSD2).
To address the rising incidence of online payment fraud, Europe and other regions now require multi-factor authentication in certain payment scenarios. Multi-factor authentication does reduce fraud, but it also adds steps to checkout, and every added step pushes some customers to abandon their carts.
Secure Payment Confirmation
Secure Payment Confirmation adds a layer of explicit "user consent" on top of Web Authentication (WebAuthn). During a transaction, SPC prompts the user to approve the payment terms in a "transaction dialog" that is rendered and controlled by the browser, not by the merchant's page.
The transaction dialog lets the user review the transaction details (payee, amount, and the payment instrument) and confirm them. The user's FIDO authenticator then signs those same details, so the bank or other relying party can verify cryptographically that the user authenticated and that what was authorized is what was displayed.
Because the signature covers the amount and the payee, the verifier can confirm that the user consented to these exact payment terms and not to some other transaction. This is the binding that PSD2 calls "dynamic linking."
The Web Payments Working Group began developing Secure Payment Confirmation in 2019 to meet the Strong Customer Authentication requirements while keeping checkout friction low. Stripe ran a trial with an early implementation of SPC and, in March 2020, reported that SPC authentication improved conversion by 8% compared with one-time passcodes (OTP).
Checkout was also three times faster with SPC authentication. SPC is not limited to card payments and can be used with other payment ecosystems as well.
SPC is currently available in Chrome and Edge on macOS, Windows, and Android; Apple's Safari does not yet support it. As the Web Payments Working Group moves the specification into the Candidate Recommendation phase, it aims to bring SPC to more browsers and platforms.
16 Comments
Currently just works with malware-providers Chrome and Edge on the Mac. Is W3C "owned" by Google or Microsoft? If it's being pushed by the EU, I can see why Safari isn't included.
I hate complexity and refuse to use anything that might lock me out. Passwords are fine, and I still use 1Password to manage them. But 2FA? No! Absolutely not. I still refuse to switch it on when it comes to my Apple ID. That means I can't use some Apple services, but so be it. I hate it with a passion. For what if I am accessing something from a computer without my iPhone? Seriously! To force me to have an iPhone is wrong. So I keep 2FA switched off.
Whatever solution these people come up with had better not force me to need anything other than a password. I don't mind fingerprints and biometric access, but not every computer has that. Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.