The Web Payments Community Group provides an inclusive venue where web payment solutions, regardless of their origin, can be incubated, evaluated, refined, and tested. The focus of the group is to promote open Web payment innovations based primarily on their technical merit. Members of the group include Bloomberg, Mozilla, Telefonica, Opera, Citigroup, UK Government Digital Service, Ripple Labs, and over 122 other people and organizations that are innovating payment solutions for the Web. The group brings together individuals with decades of payment experience and has identified key payment problem areas on the Web where standardization could greatly improve the speed, security, ease of use, and accuracy of financial transactions. This paper outlines payment problem areas on the Web that have been identified by the group, including: Products, Transactions, Receipts, Identity, Transaction Security, and Web Services.
The World Wide Web Consortium (W3C) is the organization that manages the architecture for the Web. 2.4 billion people around the world depend on the technology co-authored by many contributors under the guidance of the W3C. The consortium consists of organizations like Google, Bloomberg, Apple, PayPal, Mozilla, Facebook, Baidu, Yandex, Microsoft, and 392 other technology companies that are united in perpetually improving the Web. The W3C also utilizes more loosely organized Communities that are designed to feed new ideas and technologies into the W3C standardization process. This document outlines the findings of one of those groups named the Web Payments Community Group.
The purpose of the Web Payments Community Group is to discuss, research, document, prototype and test web payment systems. This work is done in order to realize potential future standardization candidates and ensure interoperability between these solutions. The goal of the group is to forge a path for a secure, decentralized system of web payments that would empower both individual people and organizations on the Web to send and receive money as easily as they exchange instant messages and email today. In addition to documentation, this Group collaborates on and shares various proof-of-concept solutions and components through open source methods, unencumbered by patents or royalties. The solutions developed by the Web Payments CG may be voted on by its membership to be standardized in W3C, IETF, or similar standards setting organizations.
In general, the Web Payments CG provides an inclusive venue where web payment solutions, regardless of their origin, can be incubated, evaluated, refined, and tested. The focus of the group is to promote payment innovations based primarily on their technical merit. This approach invites competing technical designs to be submitted and incubated in the same group. The hope is that this strategy will lead to either the merging of the best aspects of each technical design, or a clear differentiation emerging between alternative designs.
The combined experience of the members in the group stretches back multiple decades, much further than the inception date of the group. The membership also represents a variety of areas including banks, mobile operators, browser vendors, financial services, and government. These members include Telefonica, Mozilla, Bloomberg, Orange, Opera, Citigroup, UK Government Digital Service, Ripple Labs, and many others. Over the years, the group has identified six key areas that are pain points related to payments on the Web. These areas are: Products, Transactions, Receipts, Identity, Payment Security, and Web Service APIs.
The group is conscious of the risks associated with disrupting live systems. We are also concerned with indirectly destabilizing the overall payment landscape through implied competition with long-running, legacy systems. We suggest that a the best strategy is to enable an elegant payments layer on the Web in cooperation with incumbent financial systems authorities. The ideal technology would be able to be deployed ubiquitously and non-disruptively, given that there is no prior standard for payments on the Web, and thus no legacy to replace. This layer should improve the experience of sending and receiving money while simultaneously creating a bridge between the fast-moving Web technology field and the deliberately slow-moving core financial systems field.
If such Web Payments technology is successfully standardized via W3C, billions of people will have access to it as a core part of the Web via desktop computers, tablets, smartphones, and other Web-capable devices. They will have the power to undertake transactions with one another over the Internet far more efficiently than they do today. This has large implications for banks, financial institutions, governments, telecom operators, payment solution providers, technology companies, and organizations addressing many socioeconomic issues such as poverty and access to banking services. In order to reach such a system, it is important to understand the shortcomings of the web in the key areas described above.
The Basic Problem
The Web has fundamentally transformed the way the world's people and organizations publish and interact with information. However, the transmission of monetary value has not yet changed. The Web’s foundation offers unrealized potential to transmit and receive funds with the same ease and rigor as sending and receiving email.
Making payments on the Web simpler and more accessible has more than superficial advantages. By distributing to everyone the payment methods that have been traditionally only available to banks and large corporations, the world's economies can benefit from financial system changes that both reduce transaction costs and create new kinds of innovative e-commerce applications. The goal is not to just enable simpler payments, but also to spur innovation in capital formation that helps entrepreneurs of any size, in any location, earn a legitimate living. One prominent global trend that could greatly benefit is crowd-funding, which is currently constrained by less than elegant and cost-inefficient payments methods. In general, the Web has already boosted funding opportunities for startups, eased tax collection, and increased payment security; and there is room for more improvement. The World Bank reports that 2.5 billion people around the world don't have bank accounts and have no ability to save money due to lack of banking services and/or high fees, which inhibits their ability to make a living. Online payments development enabled by telecom providers in some parts of Africa has served as a remarkable proof-of-concept, though it is restricted by limited competition.
It is evident that whilst bringing new or powerful tools to the general public will foster competition and innovation, open Web payments can also bring about more basic societal change. The promise of Web payments is about more than just an exciting future, it is about one that is at the same time far more egalitarian, and far more efficient for U.S. business.
Aligning Payments with the Web
The Web flourishes when competition in a particular space is maximized. In order for competition to be maximized, solutions to a problem on the Web need to have good interoperability standards. There exist no such standards for transferring value on the Web. Sending money is not as simple as sending email because there is no common standard for it, and that's the biggest problem with payments on the Web.
Standardization and decentralization are two of the primary drivers of innovation on the Web. You don't have to ask permission to publish your creation on the Web. Open Web standards such as HTTP and HTML ensure interoperability between applications. At the most basic level, the problem with payments on the Web are:
- Payment solutions are not decentralized, leading to vendor lock in.
- There is no open, patent and royalty-free standard for payments on the Web.
- Most payment solutions for the Web are not built on core Web architecture principles, like using URLs for identifiers.
- Many payment mechanisms don't allow anyone to be be able to implement payment processor technology, or there are steep fees associated with being a payment processor.
- Most payment solutions are not transparent with regard to their methods and processes for assurance, integrity, privacy, confidentiality, auditability, and reliability.
In addition to these basic problems with payments on the Web, the Web Payments Community Group asserts that there are additional problems with payment technology on the Web:
- The payment systems on the Web today do not enable choice among customers, vendors, and payment processors. As a result, healthy market competition suffers.
- Current payment systems are not extensible in a decentralized way, allowing application-specific extensions to the core protocol without coordination.
- Payment systems suffer from being able to natively support higher order economic behaviors like crowdfunding and digitally executing legal contracts.
- Many payment systems suffer from bad security design and do not use the latest security best practices to protect entire systems from attack.
- A number of newer payment systems do not take government concerns such as fair tax collection, a reporting infrastructure for central monetary authorities, money-laundering prevention, and anti-terrorism initiatives into account.
- Many payment systems are not designed to be be truly currency agnostic with regard to central bank currencies (US Dollar, the Euro, and the Japanese Yen) and virtual currencies (e.g. Bitcoin and Ripple).
- Payment systems do not easily enable buyer and seller choice in the basic attributes of pricing to support seamless commerce and stability in global markets. For example, this results in speculative FOREX trading having more of an effect on a vendor's prices than it should.
- Payment solutions are typically tacked onto the back of the Web instead of being deeply integrated into it. This results in payment flows that are awkward to customers, harmful to vendors, and result in a higher level of fraud that is necessary for payment providers.
The rest of this paper digs deeper into the problems outlined above by examining five key areas where payments on the Web are suffering today.
It is currently difficult to establish a verifiable identity on the Web. Since identity is one of the fundamental mechanisms that we use to trust the parties in a financial transaction, not having an identity solution for the Web is harming a good payments solution for the Web. The problems with identity for payments on the Web are:
- There is no simple decentralized standard for asserting aspects of your identity on the Web.
- Identities are not discoverable after you login to a website. For example, after you log in, there is no resolvable address that you can provide the website where it can discover more about you. Technologies like Persona are a step in the right direction, but more is needed for financial transactions.
- It is not possible to attach verifiable machine-readable information to an identity via 3rd parties. This means that Know Your Customer clearing is very difficult because there is no standard way to associate government-issued credentials, like an electronic passport, with your identity on the Web.
- There is no standard access control mechanism to expose both public and private identity data to external sites, based on who is accessing the resource. A vendor cannot easily verify that a person is of legal age or licensed to purchase a particular item.
- There is no standard secure digital signature and encryption mechanism for identity data.
In order for payments to become more trustworthy and secure on the Web, an identity solution that takes payment use cases into account must be created.
The mechanisms that can be used on the Web to execute a transaction are varied, and as a result, it is both technically difficult and expensive for vendors to support a wide range payment mechanisms. Specifically:
- There is no standard way for a vendor to initiate a purchase process via a Web browser. This leads to a different buy flow on most websites which can lead to side-effects like phishing opportunities that prey on a customer's unfamiliarity with the process.
- There is no standard way for a vendor to send a purchase request to a payment processor that includes product and pricing information.
- There is no standard response format to notify a vendor that a purchase was executed successfully.
A standard solution for initiating and verifying transactions could support both proprietary buy flows and open standard buy flows. By focusing on standardizing how a payment is initiated and how a payment is verified, the W3C could get both proprietary payment providers and open standard payment providers to agree on a common goal that would result in an improved payment process for everyone that uses the Web.
Products and Services
The data markup mechanism used by most vendors and payment providers today is not capable of expressing resources like people, places, events, goods/services, and a variety of other data in a standard machine-readable way. This data exists in the transaction chain, often on 3rd party websites, but is often lost during the course of a transaction. If payments on the Web are going to improve, the following product and service description issues must be addressed by a set of Web payment standards:
- There is no standard mechanism to enable product descriptions to be easily machine-readable. If products can be described in a machine-readable way, and that data is retained during the lifecycle of a transaction, then it can be placed into a digital receipt at the end of the transaction. Once detailed machine-readable product information is placed into a digital receipt, the digital receipt becomes something that is more useful. For example, it could help the vendor perform more detailed analytics while enabling the customer to manage their expenses, file their taxes, and analyze their spending habits more accurately.
- Pricing information is often tightly bound to product information on the Web, often in a way that is not machine-readable. Ideally, a product must be separable from the terms under which the sale occurs, enabling different prices to be associated with different product licenses, affiliate sales, and business models like daily deals.
- The creator of a product often cannot specify preferences on pricing, reseller restrictions, validity periods, and a variety of other properties associated with the sale of the product. This causes a great deal of manual labor and negotiation to be performed by both product manufacturers and vendors to get a product to market. Ideally, a product manufacturer could list the terms under which a product could be sold in a machine-readable way enabling vendors to sell the product without the need for prior negotiation on the terms of sale.
- Product descriptions and the terms of sale do not support decentralized extensibility. Extensibility is important when certain market verticals need to add market-specific data, such as the purity of a metal, or the digital encoding format for a file, to the product description and terms of sale.
- Product and service descriptions on the Web are not protected against modification after a sale has occurred. This makes it more difficult and costly for a buyer to challenge an unscrupulous vendor, or a vendor to assert that the product that a buyer requested was delivered.
- It is easy for a vendor to list counterfeit products for sale on the Web and then claim that they were not the source of the counterfeit goods. This sort of fraud could be reduced if product descriptions and the terms of sale were digitally signed by the vendor.
- Often, content creators are forced to choose a centralized retailer and grant exclusivity to that retailer for the sale of their content. If products could be listed in a decentralized way, a content creator could express the terms under which they want their work to be sold, and retailers the world over could compete by using their networks to re-sell the good. This negotiation would be automatic due to the machine-readability of the product's distribution rules, as set by the content creator.
A solution to these problems would simultaneously reduce fraud, and increase competition, transaction speed and correctness.
Receipts and Contracts
Interoperability of commerce systems on the Web requires the clear machine-readable expression of digital receipts and contracts, but common standards for expressing these fundamental objects of commerce are not present today.
- There is currently no standard machine-readable mechanism on the Web to express an intent to purchase. As a result, it is difficult to signal to a person or organization that you would like to engage them in a transaction.
- There is no standard machine-readable way of expressing a proof of purchase, digital receipt, or contract. Not having such a mechanism makes it difficult to link different financial systems, such as retail software, payment processors, accounting services, and regulatory systems together.
- There is no standard machine-readable mechanism to include complex product information, licensing information, restrictions on use, or other details about the transaction into a digital receipt.
In order to enable interoperable commerce on the Web, a system of expressing purchase requests, digital contracts, and digital receipts should exist. The current state of only knowing if the payment went through, or having basic human-readable fields in the transaction history makes it impossible for the information to be useful outside of the payment systems that processed the payment.
While there are large industry initiatives to detect and reduce fraudulent transactions on the Web, the fundamental way that most transactions are performed on the Web (the credit card and bank account transfer) are flawed. In addition, the Web does not yet have a simple to implement, standard and robust security architecture that is capable of authenticating and verifying payment requests. The state of security on the Web with regard to payments creates the following problems:
- Credit card theft and identity theft are two of the major causes of fraud on the Web. This is primarily because information that should be private, such as credit card numbers, bank account numbers, and home addresses are unnecessarily leaked to vendors.
- There is no standard mechanism to digitally sign a purchase request, contract, or digital receipt on the Web. This makes it difficult to determine whether or not a purchase request originated from an account holder, or someone that has broken into the account holder's financial account.
- Core web standards, such as HTTP, do not have a simple mechanism that enables web services to digitally sign important pieces of information, such as the headers of an HTTP message.
- Public security audits for most financial transaction protocols on the Web are not available because the technology design is not open to public scrutiny. This leaves the state of security for most financial protocols on the Web as unknown.
In order to make payments more secure on the Web, it is necessary to extend some of the more fundamental Web protocols to provide greater security for financial transactions.
The rate of innovation in payments has stagnated for a number of decades. Some say that the last major consumer innovation in payments was the credit card. It is only recently, with the advent of new financial protocols like Bitcoin and Ripple as well as a focus on making developer's lives easier by organizations like Stripe, Google, Balanced, and Square, has noticeable progress been made. However, this progress has failed to make the core payments space more innovative as most of the new payment technology has either been proprietary, or has been done in the periphery, and thus has not changed average behavior in any sort of meaningful way. The entire market suffers as a result. Customers are charged higher fees for lackluster service. Vendors are charged higher fees than necessary and have increased implementation costs. Payment processors have higher operational costs due to identity and fraud issues.
The Web Payments Community Group has identified all of the issues above as areas that could be addressed by simple Web standards and has forged ahead in an attempt to create solutions for the issues ahead. These solutions are released under an open, patent and royalty-free W3C license, making them an ideal candidate as input documents to standardization in the areas listed above. If invited to speak at the W3C Web Payments Workshop, the group would be happy to elaborate on the problem areas above and the path that it has taken to address these problem areas using technology that is both compatible with the Web, and is open to implement by anyone.