The Working Group met remotely 27-29 March (agenda and minutes). After a successful in-person meeting at TPAC 2022 we had wanted to meet in-person again, but fell back to remote due to scheduling challenges.
Co-Chair Nick Telford-Reed opened the meeting with an overview of the group:
- Working Group
  - Charter renewed in November 2022 for 2 years
- Secure Payment Confirmation (SPC)
  - Specification status: we are nearly ready to go to Candidate Rec
  - Implementation status: shipping in Chrome and Edge; still working on other browsers
  - Integration status: referenced from both EMV® 3-D Secure and EMV® Secure Remote Commerce; looking at other payment systems
  - Pilot status: Adyen/Airbnb pilot ongoing; Stripe (second) pilot imminent; expect data at TPAC 2023
  - Next use cases and features: see the issues list
- Payment Request and Payment Handlers
  - Payment Request advanced to Recommendation in September 2022 and is shipping in Chrome, Edge, and Safari. Feature requests are several years old; we did not spend time on these at this meeting but may do so soon.
  - Payment Handler is a Working Draft, shipping in Chrome and Edge; not actively working on it but the Chrome team makes changes periodically to align with other privacy-related changes.
- We don’t want to prevent frictionless recurring payments (e.g., very low-value, recognized payment)
- It would be great to reduce the need for strong customer authentication for subsequent payments. For example, could SPC be used to gather consent for an initial payment of $100 and also future payments of $10 monthly, and could the evidence of this consent lead to frictionless flows for the future payments? Another example: could a user consent to pay $10 monthly for an initial subscription to a service and, at the same time, agree to pay up to $15 for extra services so that they do not need to re-authenticate later?
With that framing in mind, here’s how our agenda played out.
Working Group: Request to Restore some Text
Colleagues from Apple requested (262) the restoration of some text to the Working Group charter. While the Working Group of course wants to increase participation, we also discussed the disadvantages of rechartering, such as the time and effort required, and the risk of W3C Member objections to other parts of the charter (however unlikely). More discussion with Apple is needed to better understand the request and how to proceed.
SPC UX when no matching credentials
We revisited issue 98 regarding the SPC user experience when there are no matching credentials. As a reminder, there is a “fallback UX” today in order to avoid leaking information about whether the user has any Web Authentication credentials on the current device. We looked at some proposed UX improvements. I took away that there is support for a user experience that offers a clearer distinction between “the user wishes to authenticate another way” and “the user wishes to cancel”, provided that the UX does not leak the fact that the user does not have matching credentials. We are now seeking entities who would like to experiment with an SPC deployment, and would be interested in testing different fallback experiences.
SPC Integration: EMV® 3-D Secure
SPC is referenced from EMV® 3-D Secure 2.3, and there are ways to use SPC with earlier versions as well. With members of the EMVCo 3-D Secure Working Group we reviewed both (1) basic UX enhancements for the “single transaction” use case (the current implementation of SPC), and (2) enhancements to support other use cases.
In particular, we looked closely at a range of recurring payments and installments use cases to get a better understanding of what data it could be interesting to display in the transaction dialog (and have signed upon authentication). We acknowledged the complexities of recurring payments use cases, but also the value of both cryptographic evidence of consent, and consistent UX across payment systems. Furthermore, there is a sense that some regulators (e.g., in Europe) may be looking for stronger consumer protection in the area of recurring payments, and, if so, it would be great for SPC to be well-positioned as a relevant technology.
In general, the Web Payments Working Group is interested in both streamlining strong authentication (with SPC) and frictionless payments, where no user interaction is required. The following topics thus arose during our discussion of recurring payments:
As with the fallback UX, I think experimentation will play a key role in encouraging browser support for recurring payment and other use cases.
SPC Integration: Grant Negotiation and Authorization Protocol (GNAP)
Although we frequently discuss SPC with card payment flows, SPC is not just for cards. On Tuesday we discussed other integrations, both GNAP and PIX.
We first learned about GNAP and SPC at our 2 February meeting when Adrian Hope-Bailie (Fynbos) presented a demo showing GNAP as the protocol used to carry out a payment from a digital wallet, with SPC as the authentication UX. We continued the discussion at this week’s meeting, with an introduction to GNAP by one of the authors (Justin Richer) and more detail from Adrian Hope-Bailie about a related IETF draft: “GNAP Secure Payment Confirmation Extension.” Given our previous discussion about recurring payments, we discussed whether and how to use access tokens to represent consent for future payments. And since we had been discussing frictionless payments, we discussed how, with GNAP, an Access Server (AS) could return a token based on context and other information, without requiring additional user interaction. It was pointed out that there are overlaps in functionality between GNAP, EMV® 3-D Secure, and EMV® Secure Remote Commerce, and so I anticipate we’ll continue to have discussions about protocol interoperability.
SPC Integration: PIX
Although the WPWG had discussed the Brazilian Boleto system previously, I think this is the first time we discussed PIX, the Brazilian instant payments system. Through a very informative (and witty) presentation, we learned about the rapid rise of PIX (driven in part by concerns about inflation) and the evolution of fraud mitigation approaches grounded in the relationships managed through the Central Bank of Brazil: trusted actors and a surrounding ring of indirect partners. Our colleagues from Netflix and Itaú pointed out that the user experience and security mechanisms currently available on the Web are lacking, and thus they are interested in how SPC might help. We learned about the current PIX UX, where users copy codes from a merchant page and paste them into a bank app, and discussed whether we could improve on that (e.g., via specific URL schemes). I anticipate we will continue to discuss PIX and SPC, and I hope to see some experimentation as well.
SPC Integration: EMV® Secure Remote Commerce
EMV® Secure Remote Commerce (SRC) version 1.3 integrates SPC as one of the authentication method types known to the protocol. During the meeting this week we considered two related concepts from the SRC protocol: user recognition and cardholder authentication. For the first, we discussed how FedCM (designed primarily for federated login use cases in a world without 3p cookies) might prove useful in SRC flows (see the presentation from the EMVCo SRC Working Group). We also discussed different ways that FedCM and SPC might be used together, including with and without a “common entity” that could help coordinate data exchange across different SRC systems.
Low Friction Authentication
We wrapped up the meeting with more discussion about “frictionless” and “low-friction” payment experiences. Industry stakeholders have made clear that friction can lead to cart abandonment, and the Web should support flows with minimal friction, for example, in regulatory contexts where multi-factor authentication is not required. It is not clear to me what role, if any, SPC will play in “frictionless” flows because it involves a user experience, but even if it does not, I expect the Working Group will continue to brainstorm about how to use emerging technology to minimize checkout friction.