[PROPOSED] Web Payments Working Group Charter
Status: Superseded.
The mission of the Web Payments Working Group is to make consumer retail payments easier and more secure on the Web. The group seeks to:
- reduce the percentage of transactions abandoned prior to completion (“shopping cart abandonment”) by improving consumer confidence in the Web checkout experience;
- improve Web payment security; and
- simplify and streamline Web checkout experiences.
| Start date | 1 January 2022 (date of the "Call for Participation", when the charter is approved) |
|---|---|
| End date | 31 December 2023 |
| Chairs | Gerhard Oosthuizen (Entersekt); Praveena Subrahmanyam (Airbnb); Nick Telford-Reed, Invited Expert |
| Team Contact | Ian Jacobs (FTE %: 40%) |
| Meeting Schedule |
Teleconferences: Every two weeks (plus task forces) Face-to-face: 2-3 per year |
Background and Topics of Interest
The vision of the Web Payments Working Group —to streamline Web checkout— has evolved since 2015.
The Web Payments Working Group first developed APIs to streamline Web checkout. The following specifications facilitate the exchange of data necessary to complete a transaction: Payment Method Identifiers, Payment Request API, Payment Handler API, and Payment Method Manifest. These technologies are typically used together as follows:
- Merchant uses these APIs instead of forms to build a checkout experience to collect data and authenticate the user.
- Merchant calls Payment Request API when the user activates a (branded) payment button. The payment request identifies one or more accepted payment methods (via Payment Method identifiers).
- Browser presents a built-in user experience to facilitate the display, optional installation, and user selection of a payment app to respond to the request. The Payment Method Manifest specification provides the browser with information about authorized payment apps for a given payment method.
- Payment app supports user interactions such as instrument selection and authentication. A Payment app may be a native mobile wallet, a Web-based payment app (via the Payment Handler API), or functionality built into the browser. In the latter case, the browser returns payment method specific data, essentially enhancing its autofill capabilities for checkout flows.
The Working Group discusses many use cases to determine how standardization can benefit the industry, including:
- guest checkout
- various authentication approaches (such as redirect, embedded, and delegated)
- multi-tender payments
- recurring payments
- real-time credit
- streaming payments
- digital goods
- tips and donations
- discount codes
Scope
Based on experimentation with and adoption of the capabilities mentioned above, as well as increased coordination with the payments ecosystem, the group now focuses on:
- User identification: simplifying user access to accounts and payment instruments while protecting user privacy.
- Instrument selection: presentation and user selection of one or more payment instruments for a transaction.
- Authentication: authentication —including strong customer authentication— for a selected payment instrument. This Working Group coordinates closely with the Web Authentication Working Group.
The Working Group seeks to develop technologies that can be used with a wide variety of payment methods, including card payments, credit transfers, open banking architectures, proprietary payment methods, and mobile wallets. See the section on Coordination for a list of Working Group relationships that inform discussions.
Out of Scope
The following features are out of scope for this group:
- How digital payment schemes register and communicate with payment instruments. Here, a "digital payment scheme" is a set of rules for the execution of payment transactions that are followed by adhering entities (payment service providers, processors, issuers, acquirers, payers and payees). A payment instrument is an account, token, or other means of fulfilling the payment provider’s role in a digital payment scheme. Some digital payment schemes make internal use of payment instruments from other payment schemes.
Deliverables
Updated document status is available on the group publication status page.
In the section below Draft state indicates the state of the deliverable at the time of the charter approval. Expected completion indicates when the deliverable is projected to become a Recommendation, or otherwise reach a stable state.
Normative Specifications
The Working Group will deliver the following W3C normative specification.
- Secure Payment Confirmation
-
Secure Payment Confirmation (SPC) is a Web API to support streamlined authentication during a payment transaction. It is designed to scale authentication across merchants, to be used within a wide range of authentication protocols, and to produce cryptographic evidence that the user has confirmed transaction details.
Draft state: Public Working Draft
Expected completion: Q2 2023
The following specifications do not yet have sufficient cross-browser implementation experience to advance to Recommendation. However, the implementation in Chromium browsers enables experimentation and the Working Group intends to maintain them as Working Drafts. If the implementation landscape changes, the Working Group will revisit the question of advancement to Recommendation and re-charter as needed.
- Payment Handler API
-
This specification defines capabilities that enable Web applications to handle requests for payment.
Draft state: Public Working Draft
Expected completion: Not during this charter period.
- Payment Method Manifest
-
This specification defines the machine-readable manifest file, known as a payment method manifest, describing how a payment method participates in the Web Payments ecosystem, and how such files are to be used.
Draft state: Public Working Draft
Expected completion: Not during this charter period.
Other Deliverables
Payment Request API 1.0 and Payment Method Identifiers are W3C Recommendations. The Working Group will maintain these specifications.
The Working Group has stopped work on the following:
- The Basic Card Note, including removing it from the registry of standardized payment methods. Note: When appropriate, we expect to deprecate the registry itself.
- The registry of Card Network Identifiers approved for use as filters with Payment Request API.
Other non-normative documents may be created such as:
- Use case and requirement documents;
- Test suite and implementation report for the specification;
- Documents to support web developers when designing applications.
Curation of Working Group Resources
The Working Group will continue to curate the following resources it has published:
- Test suites for the above specifications.
Timeline
- Q3 2022: CR for Secure Payment Confirmation
Success Criteria
In order to advance to Proposed Recommendation, each normative specification is expected to have at least two independent implementations of every feature defined in the specification.
Each specification should contain separate sections detailing all known security and privacy implications for implementers, Web authors, and end users.
There should be testing plans for each specification, starting from the earliest drafts.
Each specification should contain a section on accessibility that describes the benefits and impacts, including ways specification features can be used to address them, and recommendations for maximizing accessibility in implementations.
To promote interoperability, all changes made to specifications should have tests.
Security and Privacy Considerations
A key security consideration is the ability to prove message integrity and authentication of all message originators. The Working Group will work with the organizations listed in the Coordination section of the charter to help ensure API security.
Protection of the privacy of all participants in a payment is important to maintaining the trust that payment systems are dependent upon to function. A payment process defined by this group should not disclose private details of the participants' identity or other sensitive information unless required for operational purposes, by legal or jurisdictional rules, or when deliberately consented to (e.g., as part of a loyalty program) by the owner of the information. The design of any API should guard against the unwanted or inadvertent leakage of such data through exploitation of the API.
Coordination
For all specifications, this Working Group will seek horizontal review for accessibility, internationalization, performance, privacy, and security with the relevant Working and Interest Groups, and with the TAG. Invitation for review must be issued during each major standards-track document transition, including FPWD. The Working Group is encouraged to engage collaboratively with the horizontal review groups throughout development of each specification. The Working Group is advised to seek a review at least three months before first entering CR and is encouraged to proactively notify the horizontal review groups when major changes occur in a specification following a review.
W3C Groups
- Web Application Security
- For review of security APIs and features.
- Web Authentication Working Group
- For discussion of strong authentication.
- Web Payment Security Interest Group
- For discussions about Web payment security and use cases.
External Organizations
- EMVCo
- EMVCo administers many specifications known collectively as EMV®, including specifications about network tokenization, 3-D Secure, and Secure Remote Commerce.
- FIDO Alliance
- For discussions of strong authentication.
- Open Banking UK, STET, and Berlin Group
- For discussion about open banking APIs and Web payments.
Participation
To be successful, this Working Group is expected to have ten or more active participants for its duration, including representatives from the key implementors of this specification, and active Editors and Test Leads for each specification. The Chairs, specification Editors, and Test Leads are expected to contribute one-half of a working day per week towards the Working Group. There is no minimum requirement for other Participants.
The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.
Participants in the group are required (by the W3C Process) to follow the W3C Code of Ethics and Professional Conduct.
Communication
This group primarily conducts its work on GitHub and the public mailing list public-payments-wg@w3.org (archive). The meeting minutes from teleconference and face-to-face meetings will be archived for public review. Technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor’s Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. However, meetings themselves are not open to public participation.
Information about the group (e.g., deliverables, participants, face-to-face meetings, teleconferences, etc.) is available from the Web Payments Working Group home page.
The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.
Decision Policy
This group will seek to make decisions through consensus and due process, per the W3C Process Document (Section 3.3). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.
However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.
To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (e.g., email, GitHub issue or web-based survey), with an appropriate response period depending on the chair’s evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.
All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs or the Director.
This charter is written in accordance with the W3C Process Document (Section 3.4, Votes) and includes no voting procedures beyond what the Process Document requires.
Patent Policy
This Working Group operates under the W3C Patent Policy (Version of 15 September 2020). To promote the widest adoption of Web standards, W3C seeks to issue Web specifications that can be implemented, according to this policy, on a Royalty-Free basis. For more information about disclosure obligations for this group, please see the W3C Patent Policy Implementation.
Licensing
This Working Group will use the W3C Software and Document license for all its deliverables.
About this Charter
This charter has been created according to Section 5.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
Charter History
The following table lists details of all changes from the initial charter, per the W3C Process Document (section 5.2.3):
| Charter Period | Start Date | End Date | Changes |
|---|---|---|---|
| Initial Charter | 21 October 2015 | 31 December 2017 | N/A |
| Charter Extension | 1 January 2018 | 1 March 2018 | None (Rechartering) |
| 2018 Charter | 9 March 2018 | 31 December 2019 | Deliverables under consideration since the previous charter are listed in section 1.2. |
| 2020 Charter | 19 December 2019 | 31 December 2021 | Deliverables under consideration since the previous charter are listed in section 1.2. |
| 2022 Charter | 1 January 2022 | 31 December 2023 | Added SPC. Completed version 1 of Payment Request and Payment Method Identifiers and moved them to maintenance mode. Reset expectations about Payment Handler and Payment Method Manifest timelines. Deprecated Basic Card Payment Method. Dropped SRC Payment Method. |
Change log
Changes to this document are documented in this section.