Meeting minutes
SPC
isSecurePaymentConfirmationAvailable
smcgruer_[EST]: We added "isSecurePaymentConfirmationAvailable" to the spec as part of preparing to ship the feature
… the API returns an enum of reasons the API might not be available.
… we are looking to ship in the coming milestone
… Currently available behind a flag (chrome://
… this should make it easier for developers to detect SPC
doug: Is it possible, if SPC is available, to know whether the "BBK feature" is available?
smcgruer_[EST]: I don't know if we have a consensus yet on whether to support software BBKs.
… if so, there will always be a BBK.
… I can see a world where, if only hardware BBKs are supported, people want to know if the feature is available. We'd have to see whether answering that question would reveal more info.
ACTION: Ian to add an issue about whether we need an API to detect BBK feature availability
SPC UX updates in Chrome
smcgruer_[EST]: We are working on implementation of new features (but final decisions still pending and things may change)
smcgruer_[EST]: We introduce a "details" line for the payment instrument
… we have the "verify another way" link, for the user journey where the user wants to continue, but not using passkeys (as opposed to cancel)
gkok: Looks great. Do you expect to show a specific "how to authenticate" instruction like "fingerprint" or "scan"?
smcgruer_[EST]: We will change the instruction depending on the device; this is a Chrome-controlled string
… if it's Windows Hello, for example, we are likely to talk about using your face
Sameer: Agree the UX looks much better.
… is this the final design that the logos are centered?
smcgruer_[EST]: The current design reflects a lot of feedback; if you have a significant change in mind, let us know
sameer: There would be even more alignment with 3DS if the logos were left and right edge-aligned
smcgruer_[EST]: Regarding payment system logos...we've started to prototype this.
… we need to make changes to names to make them more generally useful
smcgruer_[EST]: There are open questions about icon size / quality?
… what does Chrome do if the logo is more vertical?
… we are wondering what it's feasible for a specification to say
… we may get learnings from 3DS, which has more guidelines
… some other questions: what happens if 0 or 1 icon are provided?
… what happens if failure to download?
… light and dark mode support?
… how much should the browser validate in advance of the display?
ACTION: Sameer will take the questions to the 3DS Working Group to provide feedback.
gkok: I think this is pretty standardized (in the land of card payments)
… there's always an option to fall back to a generic card
smcgruer_[EST]: At the moment we are thinking if one logo is shown we'll center it. If 0 logos are provided, it's an open question still (whether nothing or placeholder)
gkok: I don't recall the issuer logo being provided...where does it come from?
smcgruer_[EST]: SPC doesn't care itself, but agree we need to make sure the icons are available through the integrations
[We review the new fallback UX]
smcgruer_[EST]: The new fallback sheet looks like the happy path sheet, but with a different button. This supports the goal of multiple output states.
gkok: What happens when you click on the grey portion of the screen (under the sheet)?
smcgruer_[EST]: It dismisses (that's standard behavior)
gkok: I suggest for the mock-up using an image that is more authentically 3DS.
… I'll send one
Ben: I've not been here lately; remind me if SPC is tightly coupled with passkeys
smcgruer_[EST]: SPC has, to date, been tightly coupled with passkeys. But things might change.
… there have been proposals for SPC to not use WebAuthn... some folks have proposed that in lower regulation markets it might suffice to have just a confirmation dialog.
… or web crypto under the hood
smcgruer_[EST]: Finally re: UX -- we are starting to prototype
smcgruer_[EST]: We expect to have the UX "soon" :)
smcgruer_[EST]: We'll be shipping first on mobile and moving to desktop later in 2025 at the earliest
Browser Bound Key updates
Pull request 286 to add BBKs to SPC
smcgruer_[EST]: This is close to what we'd like to land as v1. We are just doing refinement to the spec language
… one of the big outstanding issues is whether we should only be doing hardware-bound keys
… initial feedback internally we got about "how it's being stored" we're not going to give that information.
… are there actual use cases where we absolutely need to know whether it's stored in hardware?
ACTION: Henna to manage a review of the pull request to add BBKs to SPC
Ian: Anyone have any input on software-bound keys?
David: What defines "hardware"?
Nick: Remember previous discussions about virtual machines.
Nick: I think it's ok to not provide metadata in v1
Ben: How does this relate to the device-bound session credentials proposal?
Ian: DBSC is single-origin and silent; SPC is cross-origin with user interaction
smcgruer_[EST]: We chatted with DBSC about shared infrastructure; they said don't rely on them at this time.
Ian: Any new thoughts on mitigating double step-up?
smcgruer_[EST]: See w3c/
Opportunity for implementation updates
Ian: Any updates on adoption or obstacles to adoption?
Ian: How much does code differ between Android and Windows (for the purposes of 2 implementations)?
smcgruer_[EST]: What changes is UX and how to talk to authenticators. All the plumbing in the middle stays the same.
Privacy sandbox update
smcgruer_[EST]: See the blog post on next steps for the privacy sandbox and cookies.
… we think that current user choice is where we're going to be
… users can opt out of 3p cookies in privacy settings
… at this time Chrome does not plan to push more in that direction.
… there are other activities we do plan to pursue (e.g., masking signals)
Charter
Ian: Please send replies to the Call for Consensus to Request Revision to Web Payments Working Group Charter before 28 April
… please read the charter and send feedback
NickTR: Yes, please have a look!
Next meeting
8 May