Payment Handler Value Proposition

In the Payment Request architecture, the user interacts with a payment handler to respond to the merchant’s request for data. As the Web Payments Working speaks with more organizations about providing services through payment handlers, it has become clear that we need to collect and socialize the benefits of this approach over other approaches.

Our colleagues from the Chrome Team gave a presentation on this topic at the Working Group’s recent face-to-face meeting of the Web Payments Working Group. This blog post borrows heavily from that presentation and a subsequent conversation with Justin Toupin (Google). It also borrows from an early proposal for a modal dialog.

What Payment Services Want

Here is a short list of Web functionality needs —from the perspective of a payment service provider— that could be handled in multiple ways:

  • Run the service in a top-level browsing context, often for security reasons.
  • Minimize distraction and other UX friction.

Let’s compare how different approaches satisfy these needs:

Payment Handlers Redirects Iframes Popups
Top-level context Yes Yes No Yes
Minimize distraction Yes No Yes No

Feedback suggests that the primary and most immediate appeal of payment handlers is the potential for a superior user experience compared to iframes, popups, and redirects. Chrome displays the payment handler as a top-level origin in a modal window that does not obscure the merchant site. This is true in both mobile and desktop views. Chrome also displays the origin of the (Web-based) payment handler. The hypothesis is that this improved user experience will increase conversion rates because it does not abruptly change the user’s checkout context and because there are more security signals to foster user trust.

Many merchants today redirect users to a payment service at another origin. In the best case, this is disruptive to the user experience, but usability can degrade further when an error takes place in the payment service. For example, the user may return to the wrong location in the merchant site, or may not return at all. Payment handlers, on the other hand, preserve the original merchant context.

Payment services cannot run as top-level origins in iframes. Iframes also create a risk of click-jacking, and current countermeasures that reduce this risk would make it very difficult to implement required payment and authentication services. Compare this to payment handlers, where Chrome displays the top-level origin and thus reduces the risk of phishing.

Finally, the way that pop-ups work today makes them less than ideal for payment use cases. If the browser opens a pop-up and the user clicks on the window or changes tabs, the browser hides the pop-up behind the window. This can confuse the user. This is especially true on a mobile device because popups open as new tabs. In addition, because it can be difficult to keep track of which tab a popup belongs to, this can be particularly confusing in a scenario where the user has opened a large number of tabs while comparison shopping. Pop-ups are also generally locked down and difficult to invoke reliably due to the measures introduced by browsers to counter their abuse. Finally, some mobile browsers limit the number of tabs that can be opened at any one time (leading to potential data loss). The payment-handler-in-a-modal approach enables the browser to eliminate confusion resulting from user interactions.

Longer term benefits

We also foresee a number of additional benefits that would start to materialize once there is more interoperable support across browsers, and once there are more payment handlers. Some of these include:

  • make life easier
    • lower code development costs for payment handler developers (provided the same code works with all browsers)
    • lower integration costs for merchants, as more code moves out of checkout pages into payment handlers.
  • improve security
    • browsers can enhance security by checking the digital signatures of native payment handlers (and Chrome does so in its implementation of these APIs). These sorts of checks may not be possible through other approaches.

We have also had some interesting discussions about how payment handlers might be able to increase payment method reach. For example, Klarna showed a demo where the customer received a real-time credit offer through the payment handler, and the payment handler paid the merchant by creating a virtual card. We referred to this as “riding the basic card rails” and the interesting opportunity was to allow for innovation within the payment handler without requiring any changes to the merchant Web site (provided the merchant already accepted a standardized payment method such as basic card through Payment Request). Several people have also raised the idea of connecting payment handlers to browser autofill capabilities, making payment handlers useful even on sites that do not yet use Payment Request.

During TPAC I attended a breakout session on a new idea from Chrome called portals. I wanted to see whether this might be a useful generalization of the modal dialog approach being used for payment handlers. Though very interesting, at first glance it seems it would not meet our needs. (More discussion may be appropriate, of course.)

It does seem that the modal dialog could be useful beyond payment handlers. During TPAC, colleagues from Coil, Google, Microsoft, and Mozilla began to sketch a more general modal window proposal. It would be great if we could satisfy more use cases with such a feature. More discussion is also required on this topic.

Experimenting with Payment Handlers

I have created rudimentary slide deck (Creating a proof of concept for PR API) to help those who want to experiment with payment methods and their handlers. While the data exchanged through Payment Request API by default is limited (by design), this should not limit innovation because one can define the necessary data model in the payment method.

How can you experiment with payment handlers in a world where all browsers do not yet support them? For Google Pay, Google provides merchants a sort of polyfill. Where Payment Request and Payment Handlers are supported, they are used, otherwise the JavaScript provides a fallback user experience.

Please let me know if you think there are additional benefits to the payment handler model!

The Evolution of Payment Request API

The current charter of the Web Payments Working Group expires at the end of 2019. The Working Group plans to recharter and has been discussing scope and priorities since its September face-to-face meeting.

With rechartering in mind, I share here some thoughts on the evolution of the Payment Request API (“PR API”). Although this is not (yet) an official position of the Web Payments Working Group, I believe it represents the views of a number of participants.

The Early View

We started work on PR API in October 2015. One perspective at the time was that PR API would be “an improvement on autofill.” Browsers were already storing addresses and other information for users, and our hope was that PR API would provide a better user experience for returning stored structured data, especially on mobile.

The introductory message was: “PR API is a replacement for forms.” It seems to be low-hanging fruit to replace card payment forms with PR API, so we created our first payment method: “Basic Card.” The thinking was: if all browsers supported Basic Card, it would open the door for merchants to use PR API for other payment methods.

Basic Card was never intended to be the only payment method. There are many payment methods in the world and we never expected browsers to offer built-in support for all of them. Our vision was, and remains, that “third-party” payment handlers —Web-based or native— would be available to respond to payment requests. Indeed, Google Pay, Apple Pay, Samsung Pay, and other payment handlers work today with PR API.

As part of their implementation of PR API, browser vendors created a built-in user experience we call “the sheet.” When the merchant calls PR API and requests data, the browser pops up this view that includes the total, any explanatory strings from the merchant, user contact info and shipping addressed stored in the browser, and matching payment handlers. The user selects the relevant information and hits “Ok.” The browser then sends the selected data back to the merchant.

To summarize an initial set of expectations:

  • All browsers would implement built-in support for Basic Card and a sheet to allow the user to quickly select stored data.
  • Users and merchants would like the PR API experience for Basic Card, and merchants would then adopt the API for more payment methods.
  • Merchants would simplify their checkout pages by having a single “buy” button rather than a potentially confusing number of payment buttons. Because the browser only shows the user matching payment handlers based on what the merchant accepts, this sheet could simplify selection.
  • Third party payment handlers would plug into this ecosystem for other payment methods, either through proprietary APIs or, for Web-based payment handlers, through the W3C’s Payment Handler API.

Things did not transpire exactly so:

  • Today three Chromium-based browsers feature built-in support for Basic Card: Chrome, Edge, and Samsung Internet Browser. I have not heard any plans for built-in support for Basic Card in Firefox or Safari.
  • Shopify ran an experiment with 30 or so large merchants using PR API. Although checkout times dropped 30 seconds on average (a good thing), some users were surprised by the new payment sheet and did not complete transactions.
  • Some payment methods include branding requirements, which could limit merchant opportunities to feature a single “buy” button.
  • Similarly, payment handler providers prefer direct access to their payment handler from a button, without going through the sheet. Several of them have also said that they also store contact and address information and would like the option of returning it instead of what may be stored in the browser.

The New View

Real-world implementations and experiments have taught us a lot. Here is how I see us shifting our emphasis.

  • Basic Card is Stable.
    People may still wish to use Basic Card, but the Working Group has shifted its focus to more payment methods, notably working on a Secure Remote Commerce (SRC) payment method. We have not made many changes to the Basic Card specification lately, though we may still enhance it. Although we may not see additional support for Basic Card natively in browsers, it is possible that third party payment handlers could support it.
  • Explore more user experiences without the sheet. We should shift our focus from the “single buy button” view to a more conventional world where merchants continue to use payment buttons. Less functionality in the “sheet” should simplify browser implementations of PR API. We will need to continue to enhance payment handler capabilities, such as the ability for payment handlers to returned stored addresses and contact information.
  • Get Handlers. Browser vendors have indicated they much prefer connecting to third-party payment handlers rather than providing built-in support for payment methods. We have also heard that a strong value proposition of Payment Request API is the ability to enable payments through native (mobile) payment handlers.

An important implication of all this is that we need much stronger support for third-party payment handlers. To that end:

  • People from multiple companies working on the Chromium browser engine continue to add features to Web-based payment handlers in response to requests from payment handler providers. I’d like to express my exuberant gratitude to these engineers for continuing to innovate on this front!
  • We have identified at least one payment handler-specific capability —the modal dialog in the Chromium implementation— that is potentially interesting for other use cases. Work has begun on a modal dialog proposal that could be a more general purpose Web capability. If so, it could be appealing for browser vendors to implement, and also allow us to simplify the Payment Handler APi.
  • We are looking to organize some face-to-face meetings where merchants, payment service providers, browser vendors, and payment handler providers code together to produce superior PR API user experiences, or determine what is still needed. Although I am aware of experimentation by many parties with these APIs, we think a code-a-thon by Working Group participants could accelerate experiments and generate useful demos or other supporting materials.
  • We will continue to work with browser vendors to increase support for an ecosystem of third-party payment handlers. To help support those discussions, we are more clearly documenting payment handler benefits; see this blog post on benefits.

Impact on Rechartering

How does this relate to rechartering?

I think the scope of our specification work will remain roughly the same. But we should adjust our priorities and initiatives to focus on PR API adoption:

  • We need more browsers to support more payment handlers.
  • More browser support will encourage the creation of more payment handlers.
  • More payment handlers will increase the value proposition of PR API to merchants.

Although those are the dependencies, we need to work with all of those stakeholders at the same time:

  • Browser vendors: What are the obstacles to supporting Web-based or native payment handlers? We have heard that removing the sheet and making the modal dialog general purpose could help.
  • Payment handler developers: Other than “more support in browsers,” what features are needed? We have heard “skip-the-sheet,” “delegate requests for stored data to us,” “connect payment handlers to autofill,” and some others.
  • Merchants: Other than “more payment handlers,” what is the minimum set of additional features for merchants to adopt PR API? We heard during TPAC interest in using PR API to speed up account creation, and also make it possible to create a consistent UX for cards-on-file. We need to survey merchants and get a better sense of what they would need to adopt the APIs.

With all of this in mind, the chairs and I now think that our best course of action would be to hold back on advancing Payment Request API 1.0 to Recommendation until we have more adoption. At the same time, that will give browser vendors the chance to schedule implementation of an emerging proposal to enable merchants to request pieces of an address (to reduce data exposure). This is a departure from the consensus we observed at TPAC to move ahead sooner rather than later. However, we believe that once more merchants are using the APIs, more payment handlers are available, and implementations support a new privacy feature, we will be in a stronger position to recommend the work. We plan to seek support within the Working Group for this approach over the next several weeks.

We see significant interest in these APIs and numerous parties experimenting with them. I think that securing more adoption is critical to our success under our new charter, and our planning has begun to do so.

TPAC Recap (2019 Edition)

Web Payments Working Group and guests at TPAC 2019

The Web Payments Working Group met face-to-face 16-17 September as part of TPAC 2019 (agenda, minutes).

The meeting was well-attended, energetic, and brimming with new ideas. I left with the impression that we have a lot to do, but also that we have lots of material to work with, and a growing community to do the work.

The post is long; many thanks to Nick Telford-Reed for helping to make it shorter than it was!

Payment Request API 1.0

To publish our main specification as a Proposed Recommendation we need to address two topics:

  1. A Webkit update following a specification change; this is underway.
  2. The formal objection previously raised when we advanced to Candidate Recommendation for which there is a proposal for a new feature.

On the second point, the group is now evaluating two options:

  • whether to gather implementation experience before requesting to advance Payment Request 1.0 (likely to require a number of months); or
  • to request to advance with this feature as optional for browsers to implement.

The consensus of the group is that the feature set of v1.0 is otherwise stable.

Payment Handlers

We believe we need more broad and interoperable support of both Web-based and native payment handlers. An important objective of the meeting was to understand how to encourage additional adoption.

The Chrome team cited a number of benefits of payment handlers, including expectations for higher completion rates, better connectivity properties, lower implementation effort, increased reliability, and improved security. Because payment handlers operate as top-level origins (unlike iframe-based checkout solutions) they provide new opportunities to streamline authentication.

Chrome demoed new features since our April meeting, including full delegation of requests for contact and shipping info to payment handlers, great tooling to aid developers, and a new “minimal” user experience where the user simply sees the total and a prompt to authenticate.

Other suggestions to expand our adoption strategy included:

  • Compile and share data that shows increasing adoption of Payment Request and Payment Handlers.
  • Conduct more outreach to more merchants, for example via a specialized forum within W3C for merchants to share use cases and requirements.
  • Increase our outreach to large payment service providers such as PayPal, Alipay, and WeChat pay to encourage experimentation with payment handlers.
  • Organize a hackathon to bring together, in particular, merchants, payment handler developers, and browser vendors to demonstrate the value of Payment Request and Payment Handler.
  • Improve tooling and testing for developers

We also looked at possible improvements in interoperability and user experience:

  • Chrome supports two popular behaviors that are not formally specified: “just-in-time installation” and “skip-the-sheet”. As consistency of user experience is important, we might informatively describe Chrome’s implementation and encourage other browser vendors to adopt the same behaviors.
  • The Chrome implementation of Payment Handler API includes a secure modal dialog where the payment handler code executes. This may be a useful type of dialog for other use cases beyond payments, which might make it more attractive from a browser maker perspective. Editor’s note: Since the meeting we have begun work on a modal window explainer.
  • Re-evaluating the role of the “sheet” because:
    • Shopify findings suggested users were surprised by this new UX element.
    • Browser vendors report there is a high cost to maintaining a good UX for the data contained in the sheet.
    • Payment handler developers have asked to be able to handle requests for stored data rather than the browser.
    • Mixing “applications” and “instruments” (e.g., card data) in the sheet may confuse users.
    • Implementers may be able to devise superior “selector” experiences, including optimizations for selection of default payment handlers.

Airbnb Experience with Payment Request

Airbnb saw Payment request API as a means to remove complex billing forms, streamline first-time bookings, connect data collection to account creation, and access more payment methods (e.g., Apple Pay and Google Pay). They shared some of their experiences (slides):

  • Ideally Payment Request would be “the one API.” However, Airbnb has to provide two flows to support both new and stored cards. They asked: could we integrate cards previously stored by the merchant into Payment Request?
  • Could Payment Request give access to label and style information in the sheet to avoid terminology differences between the sheet and a custom checkout?
  • Airbnb works with a number of PSPs for both redundancy and method coverage in different regions so additional flexibility in selecting a PSP during a given transaction would be a boon. They advocated “universal tokens,” which led to discussion of the relationship with EMVCo tokens.
  • Could we unify guest checkout and new account creation with the merchant, ideally as part of the Payment Request experience, so that the user creates credentials and agrees to terms of service? This suggestion raised concerns that adding too much to the API might make it too heavy-weight.

Airbnb would like to see more interoperable support for payment handlers across browsers, and access to more payment handlers, reinforcing the group’s observations about the need for more payment handler support.

Card Payments

The Card Payment Security Task Force has been working on a Secure Remote Commerce (SRC) payment method definition. Mastercard showed a new demo of three user journeys:

  1. New user who is enrolling a card in an SRC system
  2. Returning user on the same device; select a previously enrolled card
  3. Returning user but using Web Authentication

The demos included using Web Authentication when accessing a list of candidate cards from SRC systems, and when, on selecting a card, the issuing bank requests authentication.

The demos showed that the user might be authenticated multiple times in some flows, leading us to discuss ways to minimize friction:

  • A payment handler might authenticate a user directly, or embed an SRC authentication experience.
  • Parties might share authentication results. For example, a payment handler might authenticate the user. Some SRC systems might trust those authentication results, reducing friction when accessing the candidate card list.
  • A payment handler might re-use of authentication results as input to a 3DS risk assessment process, making a subsequent 3DS step-up less likely.

We briefly looked at ways to leverage identity known to the browser to simplify SRC transactions.

The Working Group strongly supported continued work by the Card Payment Security Task Force on an SRC payment method definition. Additionally, there was support for 3-D Secure through Payment Request, independent of SRC.

Basic Card

The “Basic Card” payment method is currently supported in Chrome, Edge, and Samsung Internet Browser through “built-in” payment handlers. There are currently no expectations for support in either Safari or Mozilla, which led some people to argue that we should move away from Basic Card and focus on SRC. Others said that Basic Card remains a useful payment method at least in the short term because full SRC adoption will require time, and some merchants many not move to SRC.

We heard another idea as well: could browsers connect Basic Card payment handlers to existing autofill capabilities? If so, users could leverage payment handlers on merchant sites that don’t yet support Payment Request.

Merchant and Consumer Pain Points

We organized a session on Consumer and Merchant pain points both to validate that our current work is addressing industry needs, and to identify and prioritize requirements as we recharter the group.

The session organizers pre-selected 15 pain points for discussion. During the presentation, people added a few more:

  • Some merchants may not ship to some locations (e.g., smaller countries). One idea to help merchants was to geo-locate the IP address of the user and display a warning at the start of checkout.
  • Friendly fraud, such as when a child uses a parent’s account to make a purchase (without parental consent) leading to discussion about device profiles and configurations (e.g., “this biometric is authorized to make payments; this one is not.”). In practice, segmenting biometric templates raises usability issues and therefore is uncommon.

We then split into four breakout groups for “importance / difficulty” evaluation of the pre-selected pain points. Some preliminary findings:

  • Some pain points could be addressed through more widespread adoption of payment handlers.
  • Two groups suggested reframing “speed up checkout” as “find the optimal checkout speed.” For example, checkout could involve more help for new users, and could involve less friction for repeat customers.
  • We need to be clearer in our next conversations about audience: when we say “account-free,” what kind of account do we mean? When we say “difficult,” which stakeholder does that refer to?

The Working Group will look for patterns across the breakout group findings and otherwise continue to refine the analysis as part of rechartering.

Payments in Asia

We invited colleagues from JCB and SWIFT Asia to share updates on the payments landscape in Japan and Asia more broadly. We heard specifically about:

  • A new QR code standard for in-person payments in Japan. Several people expressed support for more work on QR codes for online payments in our next charter.
  • SWIFT initiatives around real-time payments in Australia and GPI, which focuses on improving cross-border payments.

We were treated to a demo of GPI through Payment Request API. The demo involved a push payment initiated by the payment handler, which then returned information that enables the merchant track the status of payment within the GPI system.

Web Monetization

The Working Group has discussed Web Monetization at its face-to-face meetings for over a year. We heard about progress on the Web Monetization specification since April.

On the first day of the Working Group’s meeting, Coil announced a Grant for the Web, in partnership with Mozilla and Creative Commons. According to the Web site, “Grant for the Web is a $100M fund to boost open, fair, and inclusive standards and innovation in web monetization.”

Naturally, we asked how this relates to Web Payments Working Group deliverables. Coil indicated that there is a likely need for both a payment method definition and enhancements to payment handler functionality to support the Web Monetization model. For example, today content providers include a meta element in their pages to indicate where they can receive payment. That could be replaced by calls to Payment Request API.

Web Monetization is called out in our current charter and I anticipate it will also feature in our new one.

Web Authentication and Payments

Several members of the Web Authentication Working Group joined us to talk about their upcoming new features including so-called “TLD+1” use cases, where Web Authentciation may be called from within an embedded iframe. For example, if a Web-based payment handler were to embed code from an issuing bank origin in an iframe, the issuing bank would not be able to use Web Authentication Level 1, but would be able to use the intended Web Authentication Level 2.

We also discussed:

  • “Carrying authentication downstream” to avoid multiple authentications (and reduce friction).
  • Segmenting biometric templates (or, “authentication profiles”) and the accompanying user experience challenges.
  • Dynamic linking requirements under PSD2 and how to secure the display for authenticators that do not have their own display.
  • Token binding and its potential role in risk assessment.

The two groups agreed to form a joint task force for continued discussion about payments use cases and Web Authentication.

Rechartering

The Working Group’s current charter expires at the end of the year. In Japan the participants expressed a strong expectation that we would recharter, so the co-Chairs and I will begin work on a draft to include:

  • Completion of Payment Request API 1.0
  • Enhancements in Payment Request API 1.1
  • Continued work on Payment Handler API
  • Continued work on an SRC payment method as well as discussion of identity and user experience issues
  • Web Monetization in some capacity

Personally, I think more discussion is required before we include the following:

  • Basic Card. I think we need to reach a better shared understanding of the role of Basic Card, and then document that in the charter.
  • 3DS support outside of an SRC context.
  • QR codes. The QR code discussions we had in Japan focused on physical world payments; I think we need a better understanding of the relationship to Payment Request.

As always, I would like to thank all of the Working Group participants for contributing to this effort. Each year I appreciate the camaraderie and energy boost of TPAC. I look forward to our next phase of Web payments innovation.

TPAC 2019 Next Week

I look forward to meeting with colleagues next week during TPAC 2019. I hear that nearly 650 people will be in Fukuoka, Japan over the course of the week.

The agenda of the Web Payments Working Group includes discussions about the current status of Payment Request API and Payment Handler API, EMV Secure Remote Commerce (SRC), merchant and customer pain points in e-commerce, Web Monetization, rechartering, and more.

I plan to write a meeting summary in this space that should be available before the end of the month. Until then!

The Next Innovation in Payment Handler Distribution

In W3C’s Web Payments ecosystem:

  • Merchants request payment via the browser (or other “mediator”).
  • Users respond to those requests via payment handlers registered with the browser. These payment handlers are distributed to users by the entities that run payment systems and their participants.
  • Payment systems leverage the standard interface for data exchange between merchant web sites and payment handlers to either authorize a payment, or request credentials from the user to authorize the payment via another channel.

Our hypothesis is that, together, these APIs can improve the user experience of making payments on the Web and make it easier to bring payment methods to market. In turn, we think merchants will see more transactions (due to ease of use) and higher conversion rates (due to higher quality data through the APIs).

In particular, we think that the way browsers support payment handlers can improve upon traditional checkout experiences –forms and redirects– in several ways:

  • Better user experience. For example, once the user has selected a payment handler, the browser can run it in a modal window to keep the user “near” the merchant site.
  • Enhanced security and user trust. Standards enable the browser to provide a variety of other services on behalf of the user, including protecting them against bad actors. In addition, running a payment handler in a browser modal window will reduce the opportunities for click-jacking, compared to iframe-based approaches for embedding a checkout experience in a merchant web site.
  • Lower integration costs. We anticipate that coding to one API instead of many will reduce the front end integration cost of supporting a payment method.

One of the most interesting examples of improved user experience involves payment handler distribution. How do we get payment handlers quickly and easily into the hands of users?

First, users can “manually” find and register payment handlers. For example, a user might learn about a payment handler on her bank’s web site. In general we expect manual registration to be a low-friction process that takes place as part of some online wallet or banking experience. For example, when a user logs into a wallet, that might cause the wallet’s payment handler to be registered in the background.

By leveraging multiple standards, the Chrome Team has added a second distribution mechanism called “just-in-time registration”; see the previous post on this topic. Chrome presents candidate payment handlers for registration under certain conditions, including:

  • The user has not yet registered any payment handler capable of supporting that payment method.
  • The payment method is identified by a URL and the owner of the payment method has provided machine-readable information in a “payment method manifest” that authorizes the browser to show the candidate payment handlers to the user.

When the user selects a candidate “just-in-time” payment handler, Chrome registers it using the information provided by the payment method owner. In essence, this is a very targeted software distribution mechanism, based on what the merchant accepts and what the payment method owner prefers.

We have started discussion about a third distribution mechanism we have been calling “default payment handlers.” I model it alongside the first two mechanisms as follows:

  • Manual: If the user has expressed a preference for a payment handler by registering it, the browser shows that payment handler to the user.
  • Just-in-time: Otherwise, if the payment method owner has expressed a preference for one or more payment handlers, then the browser shows those payment handlers as candidates for registration.
  • Default: Otherwise, if the browser knows about payment handlers, then the browser shows those payment handlers as candidates for registration.

Thus, the preference cascade is: user, then payment method owner, then browser (as a representative of the user).

There are already multiple examples of browsers knowing about default payment handlers through out-of-band mechanisms:

  • Safari knows about Apple Pay.
  • Edge knows about Microsoft Wallet.
  • Chrome and several other browsers directly implement the “Basic Card” payment method. In effect, these implementations are default payment handlers known to the browser. Basic Card support is built into the browser, but in general, default payment handlers could be built-in, or Web-based, or native apps.

Browsers already provide users with similar services for access to search engines. The user finds a default when they first install the browser, but the user can change the default through configuration. We are thinking of the same sort of behavior for payment handlers.

Of course, getting payment handlers into the user’s hands includes browsers implementing APIs for communication with those payment handlers. It is our ongoing project to broaden both Web-based and native payment handler support in browsers.

For now, if you would like to experiment with Web-based payment handlers and Chrome, I recommend Google’s Web-based payment apps developer guide.

Thanks to Adrian Hope-Bailie, Rouslan Solomakhin, Nick Telford-Reed, Justin Toupin, and Danyao Wang for discussions about this topic and editorial contributions.

April 2019 Face-to-Face Meeting Recap

Web Payments Working Group at face-to-face meeting in Foster City, hosted by Visa

The Web Payments Working Group met face-to-face in early April (agenda, 2 April minutes, 3 April minutes). In my view it was one of our most information-dense meetings, which has made this summary more challenging to write (and a bit long).

I attribute this to the following:

  • It was packed. More than 50 people attended from around 35 companies.
  • Many guests joined us, so we fielded a lot of questions and also heard new ideas and requirements.
  • We are nearing completion of version 1 of Payment Request API, so we devoted part of the meeting to thoughtful consideration of use cases both new and previously “parked.” This was just the beginning of the identification and prioritization of next version features.

Below are some of the highlights!

Secure Card Payments on the Web

The card payment ecosystem has expressed a lot of interest in the relationship between EMV® Secure Remote Commerce (SRC) and Payment Request API. Earlier this year, participants in a Web Payments Working Group task force developed some flow diagrams to increase our confidence that one could “do SRC and EMV® 3DS through Payment Request API.” Visa and Mastercard then accepted the challenge to code (independent) demonstrations. Jonathan Grossar opened the face-to-face meeting with Mastercard’s demo (see Mastercard slides).

Example user experience for an SRC payment method

The demo featured a “working” front end. For the back end, it simulated SRC credential management. I was very happy to see how well Mastercard achieved the streamlined user experience we have long imagined possible through Payment Request. In the first part of the demo, the user pushed a “buy” button for an SRC payment through Payment Request, selected a previously enrolled card, confirmed, and sent a token back to the merchant.

In the second flow of the demo, the merchant requested (via the Payment Request invocation) that the payment handler invoke EMV® 3-D Secure (3DS) risk analysis on its behalf. During a 3DS flow, the issuing bank can decide —based on perceived risk and/or regulatory requirement— to strongly authenticate the cardholder (the “step up”). In the demo, the SRC payment handler did not handle the 3DS step up itself. An issuing bank app (seamlessly) did so by way of the biometric authenticator built into a Pixel phone. We discussed an alternative approach where the SRC payment handler authenticates the user with Web Authentication (via the same biometric device) and feeds the resulting strong signal to the 3DS analysis with a goal of avoiding further step up. Either way, the user experience is similar: two clicks and a thumbprint to pay.

The demo fueled wide-ranging discussion on a number of topics that we will continue to address as we build out an “SRC payment method” in the Card Payment Security task force, such as:

  • The options a merchant will want around the invocation of 3-D Secure, including requesting that it happen or that step-up not happen.
  • The demo illustrated a flow where 3DS takes place before the completion of Payment Request API. We also discussed an alternative flow where Payment Request completes first, with sufficient information for the merchant (or PSP) to authenticate the user (e.g., through Web Authentication) and only then invoke 3DS.
  • How to bootstrap the payment handler ecosystem for SRC.
  • The management of user identity, which is how a payment handler would retrieve the list of candidate cards, and then tokens, from the back end.
  • The structure of an SRC payment method specification: request and response data, how to identify the payment method, whether there needs to be a payment method manifest as a registry of SRC payment handlers, etc.

Early Discussion about ACH with Payment Request

This is a great opportunity for a reminder: the Working Group devotes some of its energy to improving the security of card payments on the Web, but our goal is for the world to be able to use many different payment methods through Payment Request.

With that in mind, it was great to hear from Luis Guzman at NACHA about their early investigations into an ACH payment method. We tied that discussion into the Working Group’s previous discussions about credit transfers. I look forward to continuing to work with NACHA on a future ACH demo.

Payment Handlers: Opening up the Ecosystem

Today Chrome supports the draft Payment Handler API, which enables Web sites to act as payment handlers for arbitrary payment methods. By supporting payment handlers (whether Web or native), Chrome lowers the cost of supporting new payment methods on the Web.

Rouslan Solomakhin provided an updated demo of a production Web-based version of Google Pay, then summarized some of the current benefits of payment handlers, such as just-in-time registration, a user experience where the user pays without leaving the merchant context, and the opportunity to enhance payment security. He then described the protocol features we anticipate that Payment Handler API will next support; for details, see Rouslan’s slides.

Rouslan then prompted discussion about how to push payment handlers to be “more than just another digital wallet.” One new idea was that browsers might help maintain for users some kind of history of their payments (through different payment handlers).

In my mind the most important point made during this session was that we need broader support for payment handlers by browsers other than Chrome.

Later in the day some of the participants ran a breakout session on potential payment handler functionality, including:

  • Merchant validation. Today Apple Pay supports merchant validation. Other payment methods might want to do something similar, so the group pondered whether there might be a standardization opportunity.
  • Whether or not there are use cases for Web authentication within a payment handler service worker. I note that this is a topic discussed in the Web Authentication Working Group.
  • Delegating data requests to a payment handler. Today through Payment Request the merchant can request browser-stored address and contact information. There are situations where payment handlers might be in a better position to provide the information. The group discussed the idea of the browser delegating the request for this data to the payment handler. This could enable, for example, optimized user experiences (which we call “skip the sheet“) for more types of transactions. We will track this discussion via payment handler issue 337.
  • Cross-device payment handler availability. Today’s Web based payment handlers rely on service workers, which means that you need to register the payment handler with each new browser. The group put some thought into making it easier to register a service worker if you had already previously installed one with another browser.
  • Payment method manifest enhancements for easy creation of a button (in a merchant site) for the payment method.
  • Support for Web payments in WebView, which is how developers can render Web content within a native application.

Payment Request 1.0 Update

We spent a relatively small amount of time on Payment Request 1.0 at this meeting, probably because we are close to completing it. We discussed the implementation report that we will use to demonstrate interoperable implementation, and also the tests for which we do not yet have sufficient implementation. If we can fulfill our implementation goals over the next two months, we could publish a Recommendation in July. See below for the discussion about “next features.”

Web Payments Ecosystem Primer

As I mentioned, we welcomed numerous guests to the meeting. There was strong support for a “primer” on the Web Payments Ecosystem, and a high-level explanation of the relationship to SRC. We improvised the discussion, asked people for their main questions, and took advantage of a recent slide deck on creating a Web payments proof of concept.

Payment request ecosystem elements

The main questions were:

  • What problem are we solving? Brief answer: streamline and increase the security of Web payments by leveraging the browser.
  • The Web Payments Working Group has assigned specific meaning to the terms “payment method,” “payment instrument,” and “payment handler,” so we reviewed them. Answer: a payment method is a data template (e.g., data needed by the merchant for a card payment), a payment instrument is one instance of that (e.g., a specific card), and a payment handler is software that enables a user to pay with supported payment methods.
  • What is the history of how the specifications developed? Why did the group create Basic Card? This was a lengthier discussion that is covered by the minutes.
  • How do payment method identifiers (short strings or URLs) differ? Answer: short strings set an expectation that anybody may support the payment method. Owners of URI-identified payment methods can authorize payment handlers via a payment method manifest.

We heard two main requests from merchants during this session:

  • The ability to whitelist and/or blacklist payment handlers.
  • The ability to influence the order of payment handlers (displayed by the browser) and payment instruments (displayed by a payment handler).

Apple Pay Demo

At the beginning of the second meeting day, Andy Estes demonstrated how Webkit implements some of the key changes to Payment Request API that have occurred in the past year to enable a seamless user experience even in the face of data errors. In particular we saw a demo of the new retry() method and fine-grain error reporting. This enables the merchant to receive data, report errors to the user, and ask for corrections while the browser’s sheet remains open.

The demo prompted an interesting discussion on use cases —such as payment for taxi or ride sharing service— where the merchant would like to gather credentials but does not yet know the final total. Payment Request API does support a way to not display a total (via the “pending” value). However, we plan to dive more deeply into the use case of an “optional total” in issue 858.

The theme of using the API for more granular access to information reminded us of an issue raised early in the life of the Working Group about the overall structure of the API and whether it should be possible to request information more iteratively; more on that below in the discussion of merchant use cases.

Payment Request 1.1 Features

During this session we reviewed a list of feature requests that we had chosen to postpone until after Payment Request 1.0, including:

  • Support for discount codes
  • Store pickup. It was noted that, for Apple Pay, the user can choose a preferred pickup location via the merchant site before completing the transaction, and ApplePay.js reminds the user of that address in the sheet.
  • Decomposed names (which might facilitate customized communications with the user)
  • Merchant validation of shipping addresses, and offering alternatives to the customer
  • More shipping options and delivery instructions
  • Merchant-specified text used for the “Confirm” button in the sheet. We discussed multiple ideas: unlimited string, limited string, and enumeration.
  • Region-specific data requirements (e.g., in Brazil the need for “national identifier” and “birthday” in billing information)

Merchant Use Cases and Adoption

Laura Townsend (MAG), Dee O’Malley (Best Buy), and Trent Addington (Walmart) organized this session to start discussion about merchant considerations when choosing a payment solution or adopting a standard, to describe more complex Web checkout use cases, and to help W3C communicate its work.

Some key points from the discussion:

  • Payment Request is more likely to meet the needs of medium size merchants more than the needs of very large merchants that typically have more checkout expertise and resources.
  • The API may need to be more flexible (in how it enables the merchant to collect data) in order to support more incremental and sophisticated checkout flows. This was also characterized as “the ability to use Payment Request API for information capture within a merchant-owned checkout experience, instead of presenting a checkout box outside the merchant experience (behind the scenes to the guest).” We also touched on past discussions about functionality enabling the merchant to customize some of the look and feel of the sheet in order to increase customer confidence.
  • Merchants debate whether to provide a guest checkout (for which Payment Request API can be particularly helpful) or to focus on customization through user registration. Even in the latter case, Payment Request API can be useful whenever the user wants to add a new payment instrument to what is stored by the merchant (or PSP).
  • In making the case to a merchant about the value proposition of Payment Request API, it will be useful to characterize the impact (e.g., in terms of new customers that the merchant does not yet know).

Some additional use cases of interest:

  • Multi-tender checkout with proprietary gift card and another payment type
  • Tender discounts (only the portion of the cart which is tender-eligible in the case of multi-tender)
  • Multiple delivery methods in a single cart (at least pick up in store and shipping items)
  • Multiple shipping addresses in a single cart (items for me and gifted items sent directly)

More Payment Methods

Adrian Hope-Bailie talked about alternative monetization models for the Web, beyond advertising; see Adrian’s slides. He talked about how Coil uses Interledger for “streaming payments” where small amounts of value are transferred to a site for a time-based experience (e.g., a media stream).

Slide from deck on interledger protocol used for micropayments

Vincent Kuntz talked about a new Global Payment Innovation (GPI) service for tracking cross-border payments; see Vincent’s slides.

Slide from deck on GPI

Web Authentication Use Cases for Payments

W3C’s Web Authentication Working Group recently published a version 1 Recommendation of Web Authentication (WebAuthn). That group has begun discussions of next version features and sought input on the importance in the payments ecosystem of being able to invoke Web Authentication from within an HTML iframe. Jeff Hodges, a Web Authentication Working Group participant, helped us understand the current support for Web Authentication in iframes, namely, it works as long as the origin is the same “all the way up.” The Web Authentication Working Group is wondering whether they should relax that restriction, and if so, how to support the expression of a trust relationship between distinct origins.

We noted that for Payment Request, an origin (e.g., that of the merchant) can allow a second origin (e.g., that of a PSP) to call Payment Request API through an HTML attribute. It was suggested that we also support the inverse of that: the “iframee” should be able to say whether or not the “iframer” is authorized to include that “iframee” in a page for Payment Request. Thus, we saw similarities between (feature policy-like) requirements for both Payment Request and Web Authentication. Jeff Hodges described some related work at the IETF on this topic (DBOUND).

We talked a bit about how people imagine using Web Authentication with 3DS. The two main flows seem to be “invoked by the payment handler before a 3DS risk analysis” and “invoked by the merchant before a 3DS risk analysis.”

Next Face-to-Face: September in Japan

The Working Group next meets in person in Fukuoka, Japan in September as part of W3C’s big annual meeting, TPAC 2019. I certainly anticipate that, by then, we will have completed version 1 of Payment Request API, will have made progress on an SRC payment method, and will dive deeper into next version features. I look forward to it already, and invite people who are interested in contributing to join the group.

2018 in Web Payments

In December 2017 I wrote a blog post on the progress of the Web Payments Working Group and called out two 2018 objectives in particular:

  • “Broad deployment of browsers that support Payment Request by mid-2018.” Chrome, Safari, Edge, and Samsung Internet browser all ship support for Payment Request; Firefox nightly began shipping with some support as well.
  • “Early reports [from merchants about Payment Request] are promising, but our experience is still limited.” We now have some results via the Shopify experiment and J.Crew findings. The findings are encouraging (faster checkout) but indicate further adjustments and user experience optimizations will help.

Beyond those two objectives, I want to highlight this 2018 progress:

  • In 2018 Chrome began to ship support for Payment Handler API, an important avenue for payment method innovation. This has led Barclays, Capital One, Coil, Credit Suisse, Facebook, Google, Klarna, Lyra Networks, Shopify, Worldline, Worldpay and others to experiment with the payment handler side of the Web payments ecosystem.
  • EMVCo’s publication of version 0.9 of Secure Remote Commerce (SRC) in October prompted the Working Group to reorganize its card payment security discussions on tokenization and 3-D Secure. Since then, we have been discussing how to integrate SRC and the Payment Request ecosystem. Nick Telford-Reed paints a helpful and encouraging picture in his blog post on SRC and Payment Request. I anticipate that in 2019 we will begin to flesh out what one or more payment methods could look like to facilitate SRC integration.
  • We became more familiar with European open banking API development through growing collaboration with the Berlin Group, STET, and Open Banking UK. I am now optimistic that we will revive our work on credit transfer payment methods in 2019.

I expect the Working Group’s priorities in 2019 to be:

  • Publish Payment Request API (version 1.0) as a W3C Recommendation and begin implementation of the next round of features. For example, we recently discussed adding a hasEnrolledInstrument method so that merchants can determine whether their customers are ready to pay through a “frictionless” checkout experience. This would complement the existing canMakePayment method.
  • Develop and create experiments for one or more SRC-related payment methods.
  • Develop and create experiments for one or more credit-transfer payment methods in the context of PSD2 in Europe.
  • Promote implementation of Payment Handler API in more browsers, and work with payment handler developers to solidify the specification.

In addition, it will also remain important that we raise awareness of Web payments among merchants and users, understand any obstacles to adoption, and report success stories.

I will also be interested to see whether we start discussions about payment methods related to real-time payments or distributed ledgers.

Many thanks to the Web Payments Working Group for their contributions and productivity this year. In particular, I wish to express my appreciation for the leadership of co-Chairs Nick Telford-Reed and Adrian Hope-Bailie. Many thanks to the engineers from Google, Samsung, Mozilla, Apple, Microsoft, and others, but especially to Marcos Caceres, who has done so much to advance the group’s specifications and improve the quality of all implementations through the test suite.

I look forward to making progress on Web payment implementation, adoption, and increased security in 2019.

Payment Handler Security

A payment handler is user software to make a payment. Payment handlers may be implemented as Web pages, native mobile apps, or even built into the browser. Since the launch of the Web Payments Working Group, we have had as a goal to add extensibility hooks to browsers to foster payment handler innovation.

Chrome is the first browser to ship support for Payment Handler API, which enables users to pay with Web-based payment handlers. These are Web pages that offer services in the context of a payment request (rather than from a link, redirect, or other script). We anticipate that these payment handlers will authenticate the user, enable the user to select an account to pay, and offer value-added services. By shipping support, Google has enabled companies such as Barclays, Capital One, Coil, Credit Suisse, Facebook, Google, Klarna, Lyra Networks, Shopify, Worldline, and Worldpay to experiment with a growing variety of payment methods and user experiences.

The Chrome implementation has also prompted questions how powerful payment handlers should be. We discussed security considerations during recent face-to-face meeting. Rouslan Solomakhin (Google) has compiled a list of choices for a browser team to consider as part of enhancing Web-based payment handler security. I share them below with his permission. I hope these notes prove useful to other implementers of the Payment Handler API.

I’ve organized the implementation notes into three groups:

  • When the browser should not show a risky payment handler to the user at all.
  • When and how the browser should show a payment handler but limit its capabilities.
  • Additional controls to enable users to manage payment handler security.

Do not show the payment handler

Chrome does not show the user a payment handler in these situations:

  • The payment handler is identified by an HTTP URL (instead of an HTTPS URL). The exception is for localhost, which is important for development.
  • Communication with the payment handler via SSL would involve a red or gray security state listed in badssl.com.
  • The payment handler origin is labeled “unsafe” in the Safe Browsing database.

Show the payment handler but limit functionality

Chrome limits payment handler functionality as follows:

  • Runs the payment handler in a sandboxed process (and not the main browser process).
  • Blocks content included via HTTP; payment handler distributors should include content via HTTPS.
  • Blocks cross-origin scripts.

Additional user controls

Chrome gives users additional control as follows:

  • Clearly present the origin of the payment handler to the user.
  • Provides settings to control payment handler behavior, such as:
    • Do not register payment handlers from a given origin.
    • For a given origin, do not skip the sheet before launching the payment handler.
    • Do not ever skip the sheet before launching the payment handler.
    • Do not allow just-in-time registration or a given origin.
    • Do not ever allow just-in-time registration.

For more information about just-in-time registration and skipping the sheet, see the previous blog post on further streamlining the Payment Request user experience.

More ideas

The Chrome implementation continues to evolve through discussion and feedback from payment handler experiments. For example, Chrome may disable all features by default in the feature policy for a payment handler.

We hope that you will experiment with payment handlers and share your ideas with the Web Payments Working Group. If you spot bugs in the specification, please let us know on our issues list.

TPAC 2018 Recap

Group photo of Web Payments WG and Web Authentication WG

The Web Payments Working Group meet in Lyon, France as part of W3C’s big annual meeting, TPAC 2018. This is my summary of the meeting; the agenda, 22 October minutes, and 23 October minutes are also available.

Closer to Advancing Payment Request API to Proposed Recommendation

One of our objectives for the meeting was to tackle remaining issues so that we can advance Payment Request API to Proposed Recommendation, the next step on the W3C standards track. We heard from API implementers during the meeting that we should be able to wrap up the specification, implementation, and testing of Payment Request API within 3 to 6 months.

Clarified Meaning of canMakePayment

We reviewed how the canMakePayment() method behaves across 6 implementations. In a breakout session, implementers reached consensus that we need two different methods (which is what Apple had originally implemented for their own ApplePay.js). The two methods satisfy different use cases:

  1. canMakePayment() will return true for a given payment identifier when support for the payment method is available, either because the user has a registered payment handler for that payment method or because the browser can do just-in-time registration of a suitable payment handler. This method will be useful on pages where merchants wish to advertise acceptance of a given payment method and encourage enrollment.
  2. hasEnrolledInstrument() (the name might change) will return true for a given payment identifier when support for the payment method is available and “ready for payment.” This method will be useful to determine whether the user is prepared to check out quickly, for example on a page where each product has an associated “buy now” button.

Dropping supportedTypes from Basic Card

The Basic Card specification today allows merchants to express two conditions under which they accept the Basic Card payload, via the supportedNetworks and supportedTypes members. There is strong consensus that supportedNetworks is required to ensure a smooth user experience, and this information can be determined reliably by implementers. However, there is now consensus in the Working Group to drop supportedTypes because:

  • The information cannot be reliably determined through BIN databases. Because the Payment Request total may potentially vary by card type, an incorrect computation of a card’s type (e.g., credit, debit, or prepaid) may lead the merchant to display the wrong total.
  • There are fewer use cases for this feature than we originally thought; our understanding is that many merchants today accept all of the enumerated types, so user experience failures are less likely.

Furthermore, with the addition of the retry() method, merchants can evaluate card data received in a response from Payment Request, inform the user that a specific card will not work for the transaction, and prompt the user seamlessly for a new card. Because we can support the user experience through retry(), we are more comfortable dropping the supportedTypes.

Merchant Adoption and User Experience

Krystian Czesak (Shopify) kicked off this session with a discussion of Shopify’s experiment and findings with Payment Request API. Shopify engineers communicated key findings to browser makers to help them improve the user experience, but my sense from the discussion is that even more needs to be done so that:

  • Users understand what payment options are available to them when they are ready to check out;
  • Users recognize the Payment Request API experience as “belonging to the browser” so that they come to trust the security of the experience. Thus, users should recognize that the sheet belongs to the “Chrome” brand or the “Firefox” brand. (More on this point in a moment in relation to a Web Payments visual identity.)
  • Merchants can exercise a bit more influence over the look and feel of the sheet (e.g., including their domain name, a logo, and perhaps some control over colors in part of the sheet).

In the other part of this session, I shared designer Heath Cacere’s work within the Visual Identity Task Force on a logo for Web Payments. We had worked on a visual identity to help solve some of the user experience issues cited by Shopify and others. However, based on the overall discussion, my conclusion is that we need to discuss user experience more broadly rather than simply introducing a new visual identity. Note that I have intentionally excluded the draft logo from the public meeting record as we work through these issues.

Having said that, I think a Web payments logo can be useful in some contexts. Many of the attendees expressed appreciation for the logo and recommended that we continue to work on it. I expect that we will, but with greater sensitivity and focus on the larger user experience associated with Payment Request.

I want to emphasize here that I do not expect the Working Group to include additional user experience requirements in Payment Request API based on these discussions. Our goal here is to help improve implementations based on the feedback we are receiving during the Candidate Recommendation phase of the process.

Joint Meeting on Internationalization

Joint meetings are common during TPAC due to the presence of 30-40 groups. The Web Payments Working Group met with the Internationalization Working Group to discuss the communication of information about the script (language) and direction of shipping address components returned by Payment Request API. For instance, a user might be operating generally in a right-to-left text direction environment (e.g., Arabic or Hebrew) but for a component of a shipping address, want to enter a component (e.g., a street address in France) right-to-left.

I expect us to continue the discussion, but my own understanding is that:

  • If the components that are used to build the sheet —the native browser interface that is part of Payment Request API— support user selection of language and text direction for address components, we should pass that information through the API to the merchant.
  • If the underlying system does not support manual selection of language and text direction, then the problem for that user is much bigger than the implementation of Payment Request API.

I expect next steps to be an analysis of implementations to see whether they are using internationalized components, and adjustments to Payment Request API accordingly.

Payment Handler Demand Grows; Good News and Challenges

We have heard growing demand for payment handlers —user software for making payments within the Payment Request ecosystem— and the Payment Handler API specifically. For example, I am aware of experiments with Payment Handler API within Barclays, Capital One, Coil, Credit Suisse, Facebook, Google, Klarna, Lyra Networks, Shopify, Worldline, and Worldpay.

Rouslan Solomakhin (Google) demonstrated some of the neat features of Chrome’s implementation that I summarized in an August blog post. He then shared for the first time with the Working Group a Web-based version of Google Pay. This payment handler will allow Chrome users on a desktop to pay via Google Pay via the Web, without additional software installation.

Frank Hoffmann (Klarna) demoed a Web-based payment handler that supports Klarna’s real-time financing payment method. He then showed how the payment handler can also be used with a merchant that accepts Basic Card but not Klarna. The user experience is the same (of selecting financing terms), but the payment handler uses a virtual card over the Basic Card “rails” to manage interactions with the merchant. In other words, Klarna demonstrated the power of using a payment handler to innovate over a standardized payment method such as Basic Card.

We received an encouraging (though early) signal from Microsoft during TPAC when they updated the Edge platform status of Payment Handler API to “Under Consideration”. I am very happy at the prospect of payment handler availability from Edge and other browsers in addition to Chrome.

Separately, Mozilla indicated some concerns about allowing arbitrary content in a payment handler if the user could potentially confuse the payment handler with trusted browser chrome. I look forward to organizing discussion with all the browser vendors to better understand the concern and look for the right combination of specification improvements and implementation guidance so that we can continue to improve and garner support for this important payment extension point.

Enhancing Card Payment Security on the Web

On the Friday before TPAC, EMVCo made public a draft of the Secure Remote Commerce (SRC) specification. This generated some excitement that we might discuss it during TPAC. However, we opted not to because participants had not had an opportunity to read the specification. At our 1 November meeting we set the stage to organize a “formal” Web Payments Working Group review of SRC during the public comment period.

Although we did not dive into SRC, we did discuss some of the framework’s presumed components. Jonathan Grossar (Mastercard) led off with a high-level vision for increasing card payment security through merchant registration, tokenization, and strong cardholder authentication.

Roy McElmurry (Facebook) then showed a demo of (an earlier version of) the Tokenized Card Payment specification that a task force within the Working Group has drafted. In the demo, the merchant receives tokenized card data instead of Basic Card data.

Discussion continued the next day in a joint session with the Web Authentication Working Group, understanding how WebAuthn and other technologies in development (e.g., token binding, entity attestation tokens under discussion within the IETF) can provide high value authentication signals. Participants from the card networks have indicated that these signals would be valuable input to 3-D Secure 2 cardholder authentication flows.

We heard from the Web Authentication Working Group some of the next topics they wish to address (within FIDO and in future versions of W3C specifications) such as cross-origin authentications, blockchain authentication, improved ability to select authenticators, and entity attestations. Some of these topics will be discussed at the W3C Workshop on Strong Authentication & Identity, hosted by Microsoft in Redmond 10-11 December 2018. I encourage people to attend!

While WebAuthn provides a very strong signal for risk engines, there is (currently at least) a small amount of associated user friction, including an enrollment phase and a user gesture at transaction time. It was pointed out in the meeting that in some scenarios (such as transactions of less than 30 Euros under Payment Services Directive (PSD) 2), merchants may not need the full strength of the WebAuthn signal, and instead may prefer lower friction. The Working Group should consider (in Payment Request API or however appropriate) enabling the merchant to express a preference for the strength or weakness of the subsequent authentication that takes place within the checkout flow.

We returned to network tokenization during the final session of our meeting. One suggestion gained some support, namely to create a payment method similar to Basic Card —call it Dynamic Card— where the payload includes a tokenized PAN (TPAN) rather than a funding PAN (FPAN). There was also some discussion about a similar enhancement to Basic Card involving full EMVCo cryptograms, not just dynamic CVV. The Tokenization Task Force will continue to discuss these two ideas.

Open Banking APIs in Europe

Colleagues from STET, Open Banking UK, ISO 20022 Registration Authority, and Deutsche Bundesbank provided updates on PSD2 timelines and open banking API progress. The organizations developing these APIs described their collaboration and convergence on some points, such as in how they leverage ISO 20022 components. In a breakout session, participants discussed how the open banking APIs could connect to the Payment Request ecosystem. One idea was for payment handlers to make use of something like the draft Credit Transfer Payment specification. In other words: for communications with banks, a payment handler could support one or more of the open banking APIs, while for communications with the browser, payment handlers would interoperate through the same payment method. The attendees who are developing the open banking APIs plan to continue that discussion.

At our April meeting, Vincent Kuntz (ISO 20022 RA) presented the PayLater effort. During TPAC Vincent provided an update and raised the prospect of defining a corresponding payment method in W3C.

A common theme underlying these discussions was the importance of payment handlers as the scalable means to bring payment innovations to the Web.

New Topics: Web Monetization and Generic Tokenization

To add some spice to the agenda, Adrian Hope-Bailie (Coil) introduced two topics to the group: Web Monetization and Generic Payment Tokens.

Web Monetization is motivated by growing user resistance to ubiquitous advertising on the Web and concerns about user tracking. Adrian introduced a draft Web Monetization specification that would enable users to negotiate small seamless payments to site owners for access to content, services or just an upgraded experience (such as no advertising). Third party providers would provide different types of aggregation services, for example a flat monthly rate in exchange for access to content on a number of sites. Coil has been running pilot programs on sites such as YouTube and Twitch.

For the second topic, Generic Payment Tokens, Adrian described the pitfalls of push payment flows: where the user’s bank initiates a payment (e.g., credit transfer) outside of the control of the merchant. Adrian offered an alternative flow where the party that initiates a pull payments returns a (“redeemable”) generic token through Payment Request API. The merchant can subsequently use the token to initiate the payment from the user’s bank. (I believe this is how direct debits work; please comment below if I am mistaken.) Adrian described a vision where merchants would declare through Payment Request API “I accept the generic token payload from the following networks,” and this would enable payment handlers to innovate and support different payment networks.

I would observe here that this reflects the now familiar pattern for payment method specifications discussed within the group: describe a data model common to a set of similar payment systems and allow the merchant to declare the conditions under which the merchant accepts that payload (e.g., “only from these three networks”). This pattern means simpler integration for merchants (since the returned data is always the same) at the same time it opens up the payment handler landscape.

On Organizing a TPAC Face-to-Face Meeting

Over 600 people registered for TPAC 2018, our largest meeting ever. With that many people having coffee together it is difficult not to have interesting conversations.

To end this post I wanted to share some of the thinking that went into our agenda:

  • Much of the ongoing work of the Working Group happens through GitHub threads, implementation in the background, or task force discussion. TPAC provides an opportunity for updates on these activities. I like to encourage updates that are short but interesting enough (e.g., via demos such as those from Facebook, Google, Coil, and Klarna) to spur deeper dives over coffee, meals, and during breakout sessions.
  • The Web Payments Working Group has a rich mix of participants: JavaScript API architects and payment and regulatory experts; the card payment industry and the European payment industry; representation from North America, Europe, and Asia, and so forth. With such a large and diverse group, we try to create an agenda that has “a little something for everyone.” Short sessions followed by participant-identified breakout sessions help us find a balance.
  • It is important to leave breathing room in the agenda (notably through breakout sessions) so that people can take the time they need to find colleagues with whom they really want to have a conversation. It is important that the agenda be well-organized, but not overstuffed. In other words, if we can bring 600 people together, we do well to get out of the way so they can interact.

I want to thank everyone who traveled to our meeting. Thank you for the dedication to making payments on the Web easier and more secure!

TPAC 2018 in Lyon

The Web Payments Working Group next meets face-to-face on 22-23 October in Lyon, as part of W3C’s annual TPAC week. Our agenda includes discussion of:

  • Status of Payment Request API implementations and closing the extra features for version 1 that we discussed earlier this year.
  • Status of Payment Handler API, including demos and discussion of key issues.
  • European payments and ensuring compatibility with Web payments. I anticipate participation from Open Banking UK, STET, and possibly the European Central Bank.
  • Card payment security, including discussion of tokenization and 3DS.
  • We also plan a broader conversation about strong authentication with other groups that will be meeting that week, including the Web Authentication Working Group and likely others.
  • Merchant and user adoption.
  • Exploratory topics, including: potential version 2 features for Payment Request API, Web monetization, and others.

As usual, broad participation makes these meetings valuable (and fun). Current registrants from the Working Group include: Airbnb, Alibaba, American Express, Apple, Bank of America, Barclays Bank, BPCE, Capital One, China Mobile, Coil, Conexxus, Digital Bazaar, Discover, Facebook, Google, GS1, ISO 20022 RA, Klarna, Lyra Networks, Mastercard, Microsoft, Mozilla, Orange, Shopify, Spec-Ops, Worldpay, and Visa. I am also expecting more participants to register between now and the meeting.

In addition, we plan to have guests from: Access, Amazon, Baidu, Brave Software, EMVCo, Fujitsu, Igalia, Intel, JCB, Rakuten, Sony, STET, Toshiba, Volkswagen, and Yubico.

If the experience of previous years holds, some of our discussions will “spill over” into Wednesday, as breakout sessions.

I look forward to Lyon!