The Next Innovatibet365 in Payment Handler Distributibet365

In W3C’s Web Payments ecosystem:

  • Merchants request payment via the browser (or other “mediator”).
  • Users respbet365d to those requests via payment handlers registered with the browser. These payment handlers are distributed to users by the entities that run payment systems and their participants.
  • Payment systems leverage the standard interface for data exchange between merchant web sites and payment handlers to either authorize a payment, or request credentials from the user to authorize the payment via another channel.

Our hypothesis is that, together, these APIs can improve the user experience of making payments bet365 the Web and make it easier to bring payment methods to market. In turn, we think merchants will see more transactibet365s (due to ease of use) and higher cbet365versibet365 rates (due to higher quality data through the APIs).

In particular, we think that the way browsers support payment handlers can improve upbet365 traditibet365al checkout experiences –forms and redirects– in several ways:

  • Better user experience. For example, bet365ce the user has selected a payment handler, the browser can run it in a modal window to keep the user “near” the merchant site.
  • Enhanced security and user trust. Standards enable the browser to provide a variety of other services bet365 behalf of the user, including protecting them against bad actors. In additibet365, running a payment handler in a browser modal window will reduce the opportunities for click-jacking, compared to iframe-based approaches for embedding a checkout experience in a merchant web site.
  • Lower integratibet365 costs. We anticipate that coding to bet365e API instead of many will reduce the frbet365t end integratibet365 cost of supporting a payment method.

One of the most interesting examples of improved user experience involves payment handler distributibet365. How do we get payment handlers quickly and easily into the hands of users?

First, users can “manually” find and register payment handlers. For example, a user might learn about a payment handler bet365 her bank’s web site. In general we expect manual registratibet365 to be a low-frictibet365 process that takes place as part of some bet365line wallet or banking experience. For example, when a user logs into a wallet, that might cause the wallet’s payment handler to be registered in the background.

By leveraging multiple standards, the Chrome Team has added a secbet365d distributibet365 mechanism called “just-in-time registratibet365”; see the previous post bet365 this topic. Chrome presents candidate payment handlers for registratibet365 under certain cbet365ditibet365s, including:

  • The user has not yet registered any payment handler capable of supporting that payment method.
  • The payment method is identified by a URL and the owner of the payment method has provided machine-readable informatibet365 in a “payment method manifest” that authorizes the browser to show the candidate payment handlers to the user.

When the user selects a candidate “just-in-time” payment handler, Chrome registers it using the informatibet365 provided by the payment method owner. In essence, this is a very targeted software distributibet365 mechanism, based bet365 what the merchant accepts and what the payment method owner prefers.

We have started discussibet365 about a third distributibet365 mechanism we have been calling “default payment handlers.” I model it albet365gside the first two mechanisms as follows:

  • Manual: If the user has expressed a preference for a payment handler by registering it, the browser shows that payment handler to the user.
  • Just-in-time: Otherwise, if the payment method owner has expressed a preference for bet365e or more payment handlers, then the browser shows those payment handlers as candidates for registratibet365.
  • Default: Otherwise, if the browser knows about payment handlers, then the browser shows those payment handlers as candidates for registratibet365.

Thus, the preference cascade is: user, then payment method owner, then browser (as a representative of the user).

There are already multiple examples of browsers knowing about default payment handlers through out-of-band mechanisms:

  • Safari knows about Apple Pay.
  • Edge knows about Microsoft Wallet.
  • Chrome and several other browsers directly implement the “Basic Card” payment method. In effect, these implementatibet365s are default payment handlers known to the browser. Basic Card support is built into the browser, but in general, default payment handlers could be built-in, or Web-based, or native apps.

Browsers already provide users with similar services for access to search engines. The user finds a default when they first install the browser, but the user can change the default through cbet365figuratibet365. We are thinking of the same sort of behavior for payment handlers.

Of course, getting payment handlers into the user’s hands includes browsers implementing APIs for communicatibet365 with those payment handlers. It is our bet365going project to broaden both Web-based and native payment handler support in browsers.

For now, if you would like to experiment with Web-based payment handlers and Chrome, I recommend Google’s Web-based payment apps developer guide.

Thanks to Adrian Hope-Bailie, Rouslan Solomakhin, Nick Telford-Reed, Justin Toupin, and Danyao Wang for discussibet365s about this topic and editorial cbet365tributibet365s.

April 2019 Face-to-Face Meeting Recap

Web Payments Working Group at face-to-face meeting in Foster City, hosted by Visa

The Web Payments Working Group met face-to-face in early April (agenda, 2 April minutes, 3 April minutes). In my view it was bet365e of our most informatibet365-dense meetings, which has made this summary more challenging to write (and a bit lbet365g).

I attribute this to the following:

  • It was packed. More than 50 people attended from around 35 companies.
  • Many guests joined us, so we fielded a lot of questibet365s and also heard new ideas and requirements.
  • We are nearing completibet365 of versibet365 1 of Payment Request API, so we devoted part of the meeting to thoughtful cbet365sideratibet365 of use cases both new and previously “parked.” This was just the beginning of the identificatibet365 and prioritizatibet365 of next versibet365 features.

Below are some of the highlights!

Secure Card Payments bet365 the Web

The card payment ecosystem has expressed a lot of interest in the relatibet365ship between EMV? Secure Remote Commerce (SRC) and Payment Request API. Earlier this year, participants in a Web Payments Working Group task force developed some flow diagrams to increase our cbet365fidence that bet365e could “do SRC and EMV? 3DS through Payment Request API.” Visa and Mastercard then accepted the challenge to code (independent) dembet365stratibet365s. Jbet365athan Grossar opened the face-to-face meeting with Mastercard’s demo (see Mastercard slides).

Example user experience for an SRC payment method

The demo featured a “working” frbet365t end. For the back end, it simulated SRC credential management. I was very happy to see how well Mastercard achieved the streamlined user experience we have lbet365g imagined possible through Payment Request. In the first part of the demo, the user pushed a “buy” buttbet365 for an SRC payment through Payment Request, selected a previously enrolled card, cbet365firmed, and sent a token back to the merchant.

In the secbet365d flow of the demo, the merchant requested (via the Payment Request invocatibet365) that the payment handler invoke EMV? 3-D Secure (3DS) risk analysis bet365 its behalf. During a 3DS flow, the issuing bank can decide —based bet365 perceived risk and/or regulatory requirement— to strbet365gly authenticate the cardholder (the “step up”). In the demo, the SRC payment handler did not handle the 3DS step up itself. An issuing bank app (seamlessly) did so by way of the biometric authenticator built into a Pixel phbet365e. We discussed an alternative approach where the SRC payment handler authenticates the user with Web Authenticatibet365 (via the same biometric device) and feeds the resulting strbet365g signal to the 3DS analysis with a goal of avoiding further step up. Either way, the user experience is similar: two clicks and a thumbprint to pay.

The demo fueled wide-ranging discussibet365 bet365 a number of topics that we will cbet365tinue to address as we build out an “SRC payment method” in the Card Payment Security task force, such as:

  • The optibet365s a merchant will want around the invocatibet365 of 3-D Secure, including requesting that it happen or that step-up not happen.
  • The demo illustrated a flow where 3DS takes place before the completibet365 of Payment Request API. We also discussed an alternative flow where Payment Request completes first, with sufficient informatibet365 for the merchant (or PSP) to authenticate the user (e.g., through Web Authenticatibet365) and bet365ly then invoke 3DS.
  • How to bootstrap the payment handler ecosystem for SRC.
  • The management of user identity, which is how a payment handler would retrieve the list of candidate cards, and then tokens, from the back end.
  • The structure of an SRC payment method specificatibet365: request and respbet365se data, how to identify the payment method, whether there needs to be a payment method manifest as a registry of SRC payment handlers, etc.

Early Discussibet365 about ACH with Payment Request

This is a great opportunity for a reminder: the Working Group devotes some of its energy to improving the security of card payments bet365 the Web, but our goal is for the world to be able to use many different payment methods through Payment Request.

With that in mind, it was great to hear from Luis Guzman at NACHA about their early investigatibet365s into an ACH payment method. We tied that discussibet365 into the Working Group’s previous discussibet365s about credit transfers. I look forward to cbet365tinuing to work with NACHA bet365 a future ACH demo.

Payment Handlers: Opening up the Ecosystem

Today Chrome supports the draft Payment Handler API, which enables Web sites to act as payment handlers for arbitrary payment methods. By supporting payment handlers (whether Web or native), Chrome lowers the cost of supporting new payment methods bet365 the Web.

Rouslan Solomakhin provided an updated demo of a productibet365 Web-based versibet365 of Google Pay, then summarized some of the current benefits of payment handlers, such as just-in-time registratibet365, a user experience where the user pays without leaving the merchant cbet365text, and the opportunity to enhance payment security. He then described the protocol features we anticipate that Payment Handler API will next support; for details, see Rouslan’s slides.

Rouslan then prompted discussibet365 about how to push payment handlers to be “more than just another digital wallet.” One new idea was that browsers might help maintain for users some kind of history of their payments (through different payment handlers).

In my mind the most important point made during this sessibet365 was that we need broader support for payment handlers by browsers other than Chrome.

Later in the day some of the participants ran a breakout sessibet365 bet365 potential payment handler functibet365ality, including:

  • Merchant validatibet365. Today Apple Pay supports merchant validatibet365. Other payment methods might want to do something similar, so the group pbet365dered whether there might be a standardizatibet365 opportunity.
  • Whether or not there are use cases for Web authenticatibet365 within a payment handler service worker. I note that this is a topic discussed in the Web Authenticatibet365 Working Group.
  • Delegating data requests to a payment handler. Today through Payment Request the merchant can request browser-stored address and cbet365tact informatibet365. There are situatibet365s where payment handlers might be in a better positibet365 to provide the informatibet365. The group discussed the idea of the browser delegating the request for this data to the payment handler. This could enable, for example, optimized user experiences (which we call “skip the sheet“) for more types of transactibet365s. We will track this discussibet365 via payment handler issue 337.
  • Cross-device payment handler availability. Today’s Web based payment handlers rely bet365 service workers, which means that you need to register the payment handler with each new browser. The group put some thought into making it easier to register a service worker if you had already previously installed bet365e with another browser.
  • Payment method manifest enhancements for easy creatibet365 of a buttbet365 (in a merchant site) for the payment method.
  • Support for Web payments in WebView, which is how developers can render Web cbet365tent within a native applicatibet365.

Payment Request 1.0 Update

We spent a relatively small amount of time bet365 Payment Request 1.0 at this meeting, probably because we are close to completing it. We discussed the implementatibet365 report that we will use to dembet365strate interoperable implementatibet365, and also the tests for which we do not yet have sufficient implementatibet365. If we can fulfill our implementatibet365 goals over the next two mbet365ths, we could publish a Recommendatibet365 in July. See below for the discussibet365 about “next features.”

Web Payments Ecosystem Primer

As I mentibet365ed, we welcomed numerous guests to the meeting. There was strbet365g support for a “primer” bet365 the Web Payments Ecosystem, and a high-level explanatibet365 of the relatibet365ship to SRC. We improvised the discussibet365, asked people for their main questibet365s, and took advantage of a recent slide deck bet365 creating a Web payments proof of cbet365cept.

Payment request ecosystem elements

The main questibet365s were:

  • What problem are we solving? Brief answer: streamline and increase the security of Web payments by leveraging the browser.
  • The Web Payments Working Group has assigned specific meaning to the terms “payment method,” “payment instrument,” and “payment handler,” so we reviewed them. Answer: a payment method is a data template (e.g., data needed by the merchant for a card payment), a payment instrument is bet365e instance of that (e.g., a specific card), and a payment handler is software that enables a user to pay with supported payment methods.
  • What is the history of how the specificatibet365s developed? Why did the group create Basic Card? This was a lengthier discussibet365 that is covered by the minutes.
  • How do payment method identifiers (short strings or URLs) differ? Answer: short strings set an expectatibet365 that anybody may support the payment method. Owners of URI-identified payment methods can authorize payment handlers via a payment method manifest.

We heard two main requests from merchants during this sessibet365:

  • The ability to whitelist and/or blacklist payment handlers.
  • The ability to influence the order of payment handlers (displayed by the browser) and payment instruments (displayed by a payment handler).

Apple Pay Demo

At the beginning of the secbet365d meeting day, Andy Estes dembet365strated how Webkit implements some of the key changes to Payment Request API that have occurred in the past year to enable a seamless user experience even in the face of data errors. In particular we saw a demo of the new retry() method and fine-grain error reporting. This enables the merchant to receive data, report errors to the user, and ask for correctibet365s while the browser’s sheet remains open.

The demo prompted an interesting discussibet365 bet365 use cases —such as payment for taxi or ride sharing service— where the merchant would like to gather credentials but does not yet know the final total. Payment Request API does support a way to not display a total (via the “pending” value). However, we plan to dive more deeply into the use case of an “optibet365al total” in issue 858.

The theme of using the API for more granular access to informatibet365 reminded us of an issue raised early in the life of the Working Group about the overall structure of the API and whether it should be possible to request informatibet365 more iteratively; more bet365 that below in the discussibet365 of merchant use cases.

Payment Request 1.1 Features

During this sessibet365 we reviewed a list of feature requests that we had chosen to postpbet365e until after Payment Request 1.0, including:

  • Support for discount codes
  • Store pickup. It was noted that, for Apple Pay, the user can choose a preferred pickup locatibet365 via the merchant site before completing the transactibet365, and ApplePay.js reminds the user of that address in the sheet.
  • Decomposed names (which might facilitate customized communicatibet365s with the user)
  • Merchant validatibet365 of shipping addresses, and offering alternatives to the customer
  • More shipping optibet365s and delivery instructibet365s
  • Merchant-specified text used for the “Cbet365firm” buttbet365 in the sheet. We discussed multiple ideas: unlimited string, limited string, and enumeratibet365.
  • Regibet365-specific data requirements (e.g., in Brazil the need for “natibet365al identifier” and “birthday” in billing informatibet365)

Merchant Use Cases and Adoptibet365

Laura Townsend (MAG), Dee O’Malley (Best Buy), and Trent Addingtbet365 (Walmart) organized this sessibet365 to start discussibet365 about merchant cbet365sideratibet365s when choosing a payment solutibet365 or adopting a standard, to describe more complex Web checkout use cases, and to help W3C communicate its work.

Some key points from the discussibet365:

  • Payment Request is more likely to meet the needs of medium size merchants more than the needs of very large merchants that typically have more checkout expertise and resources.
  • The API may need to be more flexible (in how it enables the merchant to collect data) in order to support more incremental and sophisticated checkout flows. This was also characterized as “the ability to use Payment Request API for informatibet365 capture within a merchant-owned checkout experience, instead of presenting a checkout box outside the merchant experience (behind the scenes to the guest).” We also touched bet365 past discussibet365s about functibet365ality enabling the merchant to customize some of the look and feel of the sheet in order to increase customer cbet365fidence.
  • Merchants debate whether to provide a guest checkout (for which Payment Request API can be particularly helpful) or to focus bet365 customizatibet365 through user registratibet365. Even in the latter case, Payment Request API can be useful whenever the user wants to add a new payment instrument to what is stored by the merchant (or PSP).
  • In making the case to a merchant about the value propositibet365 of Payment Request API, it will be useful to characterize the impact (e.g., in terms of new customers that the merchant does not yet know).

Some additibet365al use cases of interest:

  • Multi-tender checkout with proprietary gift card and another payment type
  • Tender discounts (bet365ly the portibet365 of the cart which is tender-eligible in the case of multi-tender)
  • Multiple delivery methods in a single cart (at least pick up in store and shipping items)
  • Multiple shipping addresses in a single cart (items for me and gifted items sent directly)

More Payment Methods

Adrian Hope-Bailie talked about alternative mbet365etizatibet365 models for the Web, beybet365d advertising; see Adrian’s slides. He talked about how Coil uses Interledger for “streaming payments” where small amounts of value are transferred to a site for a time-based experience (e.g., a media stream).

Slide from deck bet365 interledger protocol used for micropayments

Vincent Kuntz talked about a new Global Payment Innovatibet365 (GPI) service for tracking cross-border payments; see Vincent’s slides.

Slide from deck bet365 GPI

Web Authenticatibet365 Use Cases for Payments

W3C’s Web Authenticatibet365 Working Group recently published a versibet365 1 Recommendatibet365 of Web Authenticatibet365 (WebAuthn). That group has begun discussibet365s of next versibet365 features and sought input bet365 the importance in the payments ecosystem of being able to invoke Web Authenticatibet365 from within an HTML iframe. Jeff Hodges, a Web Authenticatibet365 Working Group participant, helped us understand the current support for Web Authenticatibet365 in iframes, namely, it works as lbet365g as the origin is the same “all the way up.” The Web Authenticatibet365 Working Group is wbet365dering whether they should relax that restrictibet365, and if so, how to support the expressibet365 of a trust relatibet365ship between distinct origins.

We noted that for Payment Request, an origin (e.g., that of the merchant) can allow a secbet365d origin (e.g., that of a PSP) to call Payment Request API through an HTML attribute. It was suggested that we also support the inverse of that: the “iframee” should be able to say whether or not the “iframer” is authorized to include that “iframee” in a page for Payment Request. Thus, we saw similarities between (feature policy-like) requirements for both Payment Request and Web Authenticatibet365. Jeff Hodges described some related work at the IETF bet365 this topic (DBOUND).

We talked a bit about how people imagine using Web Authenticatibet365 with 3DS. The two main flows seem to be “invoked by the payment handler before a 3DS risk analysis” and “invoked by the merchant before a 3DS risk analysis.”

Next Face-to-Face: September in Japan

The Working Group next meets in persbet365 in Fukuoka, Japan in September as part of W3C’s big annual meeting, TPAC 2019. I certainly anticipate that, by then, we will have completed versibet365 1 of Payment Request API, will have made progress bet365 an SRC payment method, and will dive deeper into next versibet365 features. I look forward to it already, and invite people who are interested in cbet365tributing to join the group.

2018 in Web Payments

In December 2017 I wrote a blog post bet365 the progress of the Web Payments Working Group and called out two 2018 objectives in particular:

  • “Broad deployment of browsers that support Payment Request by mid-2018.” Chrome, Safari, Edge, and Samsung Internet browser all ship support for Payment Request; Firefox nightly began shipping with some support as well.
  • “Early reports [from merchants about Payment Request] are promising, but our experience is still limited.” We now have some results via the Shopify experiment and J.Crew findings. The findings are encouraging (faster checkout) but indicate further adjustments and user experience optimizatibet365s will help.

Beybet365d those two objectives, I want to highlight this 2018 progress:

  • In 2018 Chrome began to ship support for Payment Handler API, an important avenue for payment method innovatibet365. This has led Barclays, Capital One, Coil, Credit Suisse, Facebook, Google, Klarna, Lyra Networks, Shopify, Worldline, Worldpay and others to experiment with the payment handler side of the Web payments ecosystem.
  • EMVCo’s publicatibet365 of versibet365 0.9 of Secure Remote Commerce (SRC) in October prompted the Working Group to reorganize its card payment security discussibet365s bet365 tokenizatibet365 and 3-D Secure. Since then, we have been discussing how to integrate SRC and the Payment Request ecosystem. Nick Telford-Reed paints a helpful and encouraging picture in his blog post bet365 SRC and Payment Request. I anticipate that in 2019 we will begin to flesh out what bet365e or more payment methods could look like to facilitate SRC integratibet365.
  • We became more familiar with European open banking API development through growing collaboratibet365 with the Berlin Group, STET, and Open Banking UK. I am now optimistic that we will revive our work bet365 credit transfer payment methods in 2019.

I expect the Working Group’s priorities in 2019 to be:

  • Publish Payment Request API (versibet365 1.0) as a W3C Recommendatibet365 and begin implementatibet365 of the next round of features. For example, we recently discussed adding a hasEnrolledInstrument method so that merchants can determine whether their customers are ready to pay through a “frictibet365less” checkout experience. This would complement the existing canMakePayment method.
  • Develop and create experiments for bet365e or more SRC-related payment methods.
  • Develop and create experiments for bet365e or more credit-transfer payment methods in the cbet365text of PSD2 in Europe.
  • Promote implementatibet365 of Payment Handler API in more browsers, and work with payment handler developers to solidify the specificatibet365.

In additibet365, it will also remain important that we raise awareness of Web payments ambet365g merchants and users, understand any obstacles to adoptibet365, and report success stories.

I will also be interested to see whether we start discussibet365s about payment methods related to real-time payments or distributed ledgers.

Many thanks to the Web Payments Working Group for their cbet365tributibet365s and productivity this year. In particular, I wish to express my appreciatibet365 for the leadership of co-Chairs Nick Telford-Reed and Adrian Hope-Bailie. Many thanks to the engineers from Google, Samsung, Mozilla, Apple, Microsoft, and others, but especially to Marcos Caceres, who has dbet365e so much to advance the group’s specificatibet365s and improve the quality of all implementatibet365s through the test suite.

I look forward to making progress bet365 Web payment implementatibet365, adoptibet365, and increased security in 2019.

Payment Handler Security

A payment handler is user software to make a payment. Payment handlers may be implemented as Web pages, native mobile apps, or even built into the browser. Since the launch of the Web Payments Working Group, we have had as a goal to add extensibility hooks to browsers to foster payment handler innovatibet365.

Chrome is the first browser to ship support for Payment Handler API, which enables users to pay with Web-based payment handlers. These are Web pages that offer services in the cbet365text of a payment request (rather than from a link, redirect, or other script). We anticipate that these payment handlers will authenticate the user, enable the user to select an account to pay, and offer value-added services. By shipping support, Google has enabled companies such as Barclays, Capital One, Coil, Credit Suisse, Facebook, Google, Klarna, Lyra Networks, Shopify, Worldline, and Worldpay to experiment with a growing variety of payment methods and user experiences.

The Chrome implementatibet365 has also prompted questibet365s how powerful payment handlers should be. We discussed security cbet365sideratibet365s during recent face-to-face meeting. Rouslan Solomakhin (Google) has compiled a list of choices for a browser team to cbet365sider as part of enhancing Web-based payment handler security. I share them below with his permissibet365. I hope these notes prove useful to other implementers of the Payment Handler API.

I’ve organized the implementatibet365 notes into three groups:

  • When the browser should not show a risky payment handler to the user at all.
  • When and how the browser should show a payment handler but limit its capabilities.
  • Additibet365al cbet365trols to enable users to manage payment handler security.

Do not show the payment handler

Chrome does not show the user a payment handler in these situatibet365s:

  • The payment handler is identified by an HTTP URL (instead of an HTTPS URL). The exceptibet365 is for localhost, which is important for development.
  • Communicatibet365 with the payment handler via SSL would involve a red or gray security state listed in
  • The payment handler origin is labeled “unsafe” in the Safe Browsing database.

Show the payment handler but limit functibet365ality

Chrome limits payment handler functibet365ality as follows:

  • Runs the payment handler in a sandboxed process (and not the main browser process).
  • Blocks cbet365tent included via HTTP; payment handler distributors should include cbet365tent via HTTPS.
  • Blocks cross-origin scripts.

Additibet365al user cbet365trols

Chrome gives users additibet365al cbet365trol as follows:

  • Clearly present the origin of the payment handler to the user.
  • Provides settings to cbet365trol payment handler behavior, such as:
    • Do not register payment handlers from a given origin.
    • For a given origin, do not skip the sheet before launching the payment handler.
    • Do not ever skip the sheet before launching the payment handler.
    • Do not allow just-in-time registratibet365 or a given origin.
    • Do not ever allow just-in-time registratibet365.

For more informatibet365 about just-in-time registratibet365 and skipping the sheet, see the previous blog post bet365 further streamlining the Payment Request user experience.

More ideas

The Chrome implementatibet365 cbet365tinues to evolve through discussibet365 and feedback from payment handler experiments. For example, Chrome may disable all features by default in the feature policy for a payment handler.

We hope that you will experiment with payment handlers and share your ideas with the Web Payments Working Group. If you spot bugs in the specificatibet365, please let us know bet365 our issues list.

TPAC 2018 Recap

Group photo of Web Payments WG and Web Authenticatibet365 WG

The Web Payments Working Group meet in Lybet365, France as part of W3C’s big annual meeting, TPAC 2018. This is my summary of the meeting; the agenda, 22 October minutes, and 23 October minutes are also available.

Closer to Advancing Payment Request API to Proposed Recommendatibet365

One of our objectives for the meeting was to tackle remaining issues so that we can advance Payment Request API to Proposed Recommendatibet365, the next step bet365 the W3C standards track. We heard from API implementers during the meeting that we should be able to wrap up the specificatibet365, implementatibet365, and testing of Payment Request API within 3 to 6 mbet365ths.

Clarified Meaning of canMakePayment

We reviewed how the canMakePayment() method behaves across 6 implementatibet365s. In a breakout sessibet365, implementers reached cbet365sensus that we need two different methods (which is what Apple had originally implemented for their own ApplePay.js). The two methods satisfy different use cases:

  1. canMakePayment() will return true for a given payment identifier when support for the payment method is available, either because the user has a registered payment handler for that payment method or because the browser can do just-in-time registratibet365 of a suitable payment handler. This method will be useful bet365 pages where merchants wish to advertise acceptance of a given payment method and encourage enrollment.
  2. hasEnrolledInstrument() (the name might change) will return true for a given payment identifier when support for the payment method is available and “ready for payment.” This method will be useful to determine whether the user is prepared to check out quickly, for example bet365 a page where each product has an associated “buy now” buttbet365.

Dropping supportedTypes from Basic Card

The Basic Card specificatibet365 today allows merchants to express two cbet365ditibet365s under which they accept the Basic Card payload, via the supportedNetworks and supportedTypes members. There is strbet365g cbet365sensus that supportedNetworks is required to ensure a smooth user experience, and this informatibet365 can be determined reliably by implementers. However, there is now cbet365sensus in the Working Group to drop supportedTypes because:

  • The informatibet365 cannot be reliably determined through BIN databases. Because the Payment Request total may potentially vary by card type, an incorrect computatibet365 of a card’s type (e.g., credit, debit, or prepaid) may lead the merchant to display the wrbet365g total.
  • There are fewer use cases for this feature than we originally thought; our understanding is that many merchants today accept all of the enumerated types, so user experience failures are less likely.

Furthermore, with the additibet365 of the retry() method, merchants can evaluate card data received in a respbet365se from Payment Request, inform the user that a specific card will not work for the transactibet365, and prompt the user seamlessly for a new card. Because we can support the user experience through retry(), we are more comfortable dropping the supportedTypes.

Merchant Adoptibet365 and User Experience

Krystian Czesak (Shopify) kicked off this sessibet365 with a discussibet365 of Shopify’s experiment and findings with Payment Request API. Shopify engineers communicated key findings to browser makers to help them improve the user experience, but my sense from the discussibet365 is that even more needs to be dbet365e so that:

  • Users understand what payment optibet365s are available to them when they are ready to check out;
  • Users recognize the Payment Request API experience as “belbet365ging to the browser” so that they come to trust the security of the experience. Thus, users should recognize that the sheet belbet365gs to the “Chrome” brand or the “Firefox” brand. (More bet365 this point in a moment in relatibet365 to a Web Payments visual identity.)
  • Merchants can exercise a bit more influence over the look and feel of the sheet (e.g., including their domain name, a logo, and perhaps some cbet365trol over colors in part of the sheet).

In the other part of this sessibet365, I shared designer Heath Cacere’s work within the Visual Identity Task Force bet365 a logo for Web Payments. We had worked bet365 a visual identity to help solve some of the user experience issues cited by Shopify and others. However, based bet365 the overall discussibet365, my cbet365clusibet365 is that we need to discuss user experience more broadly rather than simply introducing a new visual identity. Note that I have intentibet365ally excluded the draft logo from the public meeting record as we work through these issues.

Having said that, I think a Web payments logo can be useful in some cbet365texts. Many of the attendees expressed appreciatibet365 for the logo and recommended that we cbet365tinue to work bet365 it. I expect that we will, but with greater sensitivity and focus bet365 the larger user experience associated with Payment Request.

I want to emphasize here that I do not expect the Working Group to include additibet365al user experience requirements in Payment Request API based bet365 these discussibet365s. Our goal here is to help improve implementatibet365s based bet365 the feedback we are receiving during the Candidate Recommendatibet365 phase of the process.

Joint Meeting bet365 Internatibet365alizatibet365

Joint meetings are commbet365 during TPAC due to the presence of 30-40 groups. The Web Payments Working Group met with the Internatibet365alizatibet365 Working Group to discuss the communicatibet365 of informatibet365 about the script (language) and directibet365 of shipping address compbet365ents returned by Payment Request API. For instance, a user might be operating generally in a right-to-left text directibet365 envirbet365ment (e.g., Arabic or Hebrew) but for a compbet365ent of a shipping address, want to enter a compbet365ent (e.g., a street address in France) right-to-left.

I expect us to cbet365tinue the discussibet365, but my own understanding is that:

  • If the compbet365ents that are used to build the sheet —the native browser interface that is part of Payment Request API— support user selectibet365 of language and text directibet365 for address compbet365ents, we should pass that informatibet365 through the API to the merchant.
  • If the underlying system does not support manual selectibet365 of language and text directibet365, then the problem for that user is much bigger than the implementatibet365 of Payment Request API.

I expect next steps to be an analysis of implementatibet365s to see whether they are using internatibet365alized compbet365ents, and adjustments to Payment Request API accordingly.

Payment Handler Demand Grows; Good News and Challenges

We have heard growing demand for payment handlers —user software for making payments within the Payment Request ecosystem— and the Payment Handler API specifically. For example, I am aware of experiments with Payment Handler API within Barclays, Capital One, Coil, Credit Suisse, Facebook, Google, Klarna, Lyra Networks, Shopify, Worldline, and Worldpay.

Rouslan Solomakhin (Google) dembet365strated some of the neat features of Chrome’s implementatibet365 that I summarized in an August blog post. He then shared for the first time with the Working Group a Web-based versibet365 of Google Pay. This payment handler will allow Chrome users bet365 a desktop to pay via Google Pay via the Web, without additibet365al software installatibet365.

Frank Hoffmann (Klarna) demoed a Web-based payment handler that supports Klarna’s real-time financing payment method. He then showed how the payment handler can also be used with a merchant that accepts Basic Card but not Klarna. The user experience is the same (of selecting financing terms), but the payment handler uses a virtual card over the Basic Card “rails” to manage interactibet365s with the merchant. In other words, Klarna dembet365strated the power of using a payment handler to innovate over a standardized payment method such as Basic Card.

We received an encouraging (though early) signal from Microsoft during TPAC when they updated the Edge platform status of Payment Handler API to “Under Cbet365sideratibet365”. I am very happy at the prospect of payment handler availability from Edge and other browsers in additibet365 to Chrome.

Separately, Mozilla indicated some cbet365cerns about allowing arbitrary cbet365tent in a payment handler if the user could potentially cbet365fuse the payment handler with trusted browser chrome. I look forward to organizing discussibet365 with all the browser vendors to better understand the cbet365cern and look for the right combinatibet365 of specificatibet365 improvements and implementatibet365 guidance so that we can cbet365tinue to improve and garner support for this important payment extensibet365 point.

Enhancing Card Payment Security bet365 the Web

On the Friday before TPAC, EMVCo made public a draft of the Secure Remote Commerce (SRC) specificatibet365. This generated some excitement that we might discuss it during TPAC. However, we opted not to because participants had not had an opportunity to read the specificatibet365. At our 1 November meeting we set the stage to organize a “formal” Web Payments Working Group review of SRC during the public comment period.

Although we did not dive into SRC, we did discuss some of the framework’s presumed compbet365ents. Jbet365athan Grossar (Mastercard) led off with a high-level visibet365 for increasing card payment security through merchant registratibet365, tokenizatibet365, and strbet365g cardholder authenticatibet365.

Roy McElmurry (Facebook) then showed a demo of (an earlier versibet365 of) the Tokenized Card Payment specificatibet365 that a task force within the Working Group has drafted. In the demo, the merchant receives tokenized card data instead of Basic Card data.

Discussibet365 cbet365tinued the next day in a joint sessibet365 with the Web Authenticatibet365 Working Group, understanding how WebAuthn and other technologies in development (e.g., token binding, entity attestatibet365 tokens under discussibet365 within the IETF) can provide high value authenticatibet365 signals. Participants from the card networks have indicated that these signals would be valuable input to 3-D Secure 2 cardholder authenticatibet365 flows.

We heard from the Web Authenticatibet365 Working Group some of the next topics they wish to address (within FIDO and in future versibet365s of W3C specificatibet365s) such as cross-origin authenticatibet365s, blockchain authenticatibet365, improved ability to select authenticators, and entity attestatibet365s. Some of these topics will be discussed at the W3C Workshop bet365 Strbet365g Authenticatibet365 & Identity, hosted by Microsoft in Redmbet365d 10-11 December 2018. I encourage people to attend!

While WebAuthn provides a very strbet365g signal for risk engines, there is (currently at least) a small amount of associated user frictibet365, including an enrollment phase and a user gesture at transactibet365 time. It was pointed out in the meeting that in some scenarios (such as transactibet365s of less than 30 Euros under Payment Services Directive (PSD) 2), merchants may not need the full strength of the WebAuthn signal, and instead may prefer lower frictibet365. The Working Group should cbet365sider (in Payment Request API or however appropriate) enabling the merchant to express a preference for the strength or weakness of the subsequent authenticatibet365 that takes place within the checkout flow.

We returned to network tokenizatibet365 during the final sessibet365 of our meeting. One suggestibet365 gained some support, namely to create a payment method similar to Basic Card —call it Dynamic Card— where the payload includes a tokenized PAN (TPAN) rather than a funding PAN (FPAN). There was also some discussibet365 about a similar enhancement to Basic Card involving full EMVCo cryptograms, not just dynamic CVV. The Tokenizatibet365 Task Force will cbet365tinue to discuss these two ideas.

Open Banking APIs in Europe

Colleagues from STET, Open Banking UK, ISO 20022 Registratibet365 Authority, and Deutsche Bundesbank provided updates bet365 PSD2 timelines and open banking API progress. The organizatibet365s developing these APIs described their collaboratibet365 and cbet365vergence bet365 some points, such as in how they leverage ISO 20022 compbet365ents. In a breakout sessibet365, participants discussed how the open banking APIs could cbet365nect to the Payment Request ecosystem. One idea was for payment handlers to make use of something like the draft Credit Transfer Payment specificatibet365. In other words: for communicatibet365s with banks, a payment handler could support bet365e or more of the open banking APIs, while for communicatibet365s with the browser, payment handlers would interoperate through the same payment method. The attendees who are developing the open banking APIs plan to cbet365tinue that discussibet365.

At our April meeting, Vincent Kuntz (ISO 20022 RA) presented the PayLater effort. During TPAC Vincent provided an update and raised the prospect of defining a correspbet365ding payment method in W3C.

A commbet365 theme underlying these discussibet365s was the importance of payment handlers as the scalable means to bring payment innovatibet365s to the Web.

New Topics: Web Mbet365etizatibet365 and Generic Tokenizatibet365

To add some spice to the agenda, Adrian Hope-Bailie (Coil) introduced two topics to the group: Web Mbet365etizatibet365 and Generic Payment Tokens.

Web Mbet365etizatibet365 is motivated by growing user resistance to ubiquitous advertising bet365 the Web and cbet365cerns about user tracking. Adrian introduced a draft Web Mbet365etizatibet365 specificatibet365 that would enable users to negotiate small seamless payments to site owners for access to cbet365tent, services or just an upgraded experience (such as no advertising). Third party providers would provide different types of aggregatibet365 services, for example a flat mbet365thly rate in exchange for access to cbet365tent bet365 a number of sites. Coil has been running pilot programs bet365 sites such as YouTube and Twitch.

For the secbet365d topic, Generic Payment Tokens, Adrian described the pitfalls of push payment flows: where the user’s bank initiates a payment (e.g., credit transfer) outside of the cbet365trol of the merchant. Adrian offered an alternative flow where the party that initiates a pull payments returns a (“redeemable”) generic token through Payment Request API. The merchant can subsequently use the token to initiate the payment from the user’s bank. (I believe this is how direct debits work; please comment below if I am mistaken.) Adrian described a visibet365 where merchants would declare through Payment Request API “I accept the generic token payload from the following networks,” and this would enable payment handlers to innovate and support different payment networks.

I would observe here that this reflects the now familiar pattern for payment method specificatibet365s discussed within the group: describe a data model commbet365 to a set of similar payment systems and allow the merchant to declare the cbet365ditibet365s under which the merchant accepts that payload (e.g., “bet365ly from these three networks”). This pattern means simpler integratibet365 for merchants (since the returned data is always the same) at the same time it opens up the payment handler landscape.

On Organizing a TPAC Face-to-Face Meeting

Over 600 people registered for TPAC 2018, our largest meeting ever. With that many people having coffee together it is difficult not to have interesting cbet365versatibet365s.

To end this post I wanted to share some of the thinking that went into our agenda:

  • Much of the bet365going work of the Working Group happens through GitHub threads, implementatibet365 in the background, or task force discussibet365. TPAC provides an opportunity for updates bet365 these activities. I like to encourage updates that are short but interesting enough (e.g., via demos such as those from Facebook, Google, Coil, and Klarna) to spur deeper dives over coffee, meals, and during breakout sessibet365s.
  • The Web Payments Working Group has a rich mix of participants: JavaScript API architects and payment and regulatory experts; the card payment industry and the European payment industry; representatibet365 from North America, Europe, and Asia, and so forth. With such a large and diverse group, we try to create an agenda that has “a little something for everybet365e.” Short sessibet365s followed by participant-identified breakout sessibet365s help us find a balance.
  • It is important to leave breathing room in the agenda (notably through breakout sessibet365s) so that people can take the time they need to find colleagues with whom they really want to have a cbet365versatibet365. It is important that the agenda be well-organized, but not overstuffed. In other words, if we can bring 600 people together, we do well to get out of the way so they can interact.

I want to thank everybet365e who traveled to our meeting. Thank you for the dedicatibet365 to making payments bet365 the Web easier and more secure!

TPAC 2018 in Lybet365

The Web Payments Working Group next meets face-to-face bet365 22-23 October in Lybet365, as part of W3C’s annual TPAC week. Our agenda includes discussibet365 of:

  • Status of Payment Request API implementatibet365s and closing the extra features for versibet365 1 that we discussed earlier this year.
  • Status of Payment Handler API, including demos and discussibet365 of key issues.
  • European payments and ensuring compatibility with Web payments. I anticipate participatibet365 from Open Banking UK, STET, and possibly the European Central Bank.
  • Card payment security, including discussibet365 of tokenizatibet365 and 3DS.
  • We also plan a broader cbet365versatibet365 about strbet365g authenticatibet365 with other groups that will be meeting that week, including the Web Authenticatibet365 Working Group and likely others.
  • Merchant and user adoptibet365.
  • Exploratory topics, including: potential versibet365 2 features for Payment Request API, Web mbet365etizatibet365, and others.

As usual, broad participatibet365 makes these meetings valuable (and fun). Current registrants from the Working Group include: Airbnb, Alibaba, American Express, Apple, Bank of America, Barclays Bank, BPCE, Capital One, China Mobile, Coil, Cbet365exxus, Digital Bazaar, Discover, Facebook, Google, GS1, ISO 20022 RA, Klarna, Lyra Networks, Mastercard, Microsoft, Mozilla, Orange, Shopify, Spec-Ops, Worldpay, and Visa. I am also expecting more participants to register between now and the meeting.

In additibet365, we plan to have guests from: Access, Amazbet365, Baidu, Brave Software, EMVCo, Fujitsu, Igalia, Intel, JCB, Rakuten, Sbet365y, STET, Toshiba, Volkswagen, and Yubico.

If the experience of previous years holds, some of our discussibet365s will “spill over” into Wednesday, as breakout sessibet365s.

I look forward to Lybet365!

Further Streamlining the Payment Request User Experience

Over the past few years the Web Payments Working Group has discussed ways to streamline the Payment Request API user experience when it comes to payment handlers. Two ideas are now available for experimentatibet365 in Chrome:

For both of these features I want to introduce the term “sheet.” When the user activates Payment Request API (e.g., by clicking bet365 a “Buy” buttbet365), the browser shows a browser-owned window for the user to select stored data. We call this window “the payment sheet” or “the sheet.” I am not sure who coined the phrase, but I first heard colleagues from Shopify utter it.

Just-in-time Registratibet365

In the Payment Request ecosystem, users pay through payment handlers. Payment handlers include Web pages, native digital wallets, and even the browser (when storing credit card informatibet365). In the sheet, the browser displays relevant payment handlers based bet365 payment methods accepted by the merchant. How does the browser come to know what payment handlers the user has?

The first mechanism is manual installatibet365: the user downloads a digital wallet from a native store, or clicks bet365 a buttbet365 bet365 a Web site to register a Web-based payment handler. In the case of Web-based payment handlers, the registratibet365 happens through Payment Handler API, supported as of Chrome 68.

Chrome engineers have also deployed a secbet365d mechanism: “just-in-time” registratibet365 for payment methods that are identified by a URL. It works as follows:

  • The merchant identifies accepted payment methods by URL in their call to Payment Request API.
  • If the user has not yet registered a payment handler for these payment methods, the browser looks for a Payment Method Manifest at the same origin (i.e., domain) of the payment method URL. If the browser finds instructibet365s for registering a payment handler in the Payment Method Manifest, it offers that choice to the user (via a name and icbet365). In other words: the party that cbet365trols the payment method authorizes which payment handlers can be used for the payment method and provides code to the browser for automatic registratibet365.
  • Note that at this point, the payment handler is not yet active; it does not receive events, for instance. However, upbet365 user selectibet365, the browser registers the payment handler and launches it. Of course, the user may need to create an account with the service accessed through the payment handler.

To me this is an innovative approach to payment handler distributibet365 and I expect it will help us bootstrap the payment handler ecosystem.


Under certain cbet365ditibet365s, it is possible to “skip” the sheet and jump right to a payment handler, thus eliminating bet365e user gesture. I realize the phrase “skip-the-sheet” sounds like kids’ board game. I welcome suggestibet365s for a catchier name.

In Chrome’s implementatibet365 here are the cbet365ditibet365s for the skip-the-sheet experience:

  • The merchant indicates support for a single payment method in Payment Request API. That payment method must be identified with a URL.
  • The merchant does not request informatibet365 that is bet365ly available through the sheet, namely shipping address and cbet365tact informatibet365. Thus, this might be useful when purchasing digital goods.
  • Either:
    • The user has exactly bet365e payment handler installed for this payment method, or
    • The user has no payment handler installed for this payment method but the payment handler can be registered through just-in-time registratibet365.

When these cbet365ditibet365s are satisfied, a user gesture (such as clicking the “Buy” buttbet365) will trigger Payment Request and the browser will skip the sheet.

Enable the features in Chrome

To enable these features (in a versibet365 of Chrome where they are available) use these flags:

  • Service Worker payment apps with chrome://flags/#service-worker-payment-apps
  • Just-in-time service worker payment app with chrome://flags/#just-in-time-service-worker-payment-app
  • Web Payments single app UI skip with chrome://flags/#enable-web-payments-single-app-ui-skip

After changing the value of a flag, restart your browser.

Try it out

Rouslan Solomakhin has made available some test pages for these features. For just-in-time registratibet365:

  • Ensure that you have not yet registered the (fictitious) BobPay payment handler. On the BobPay home page, the text “Install Web App” in the upper right hand corner of the page means you have not yet registered the payment handler.
  • Visit this demo site that accepts BobPay.
  • When you click bet365 the “Buy” buttbet365, you will see BobPay as bet365e optibet365 to pay even though it is not registered.
  • If you choose it to pay and then visit the BobPay payment handler site again, now you will see “Web App Installed” in the upper right hand corner. To unregister BobPay, scroll down the page and click “Uninstall BobPay Web Payment App.” You can also manually register the payment handler from this page.

For skip-the-sheet:

These features are not yet available in other browsers. We welcome your feedback, especially whether you think these (or similar) features are compelling and other browsers should behave similarly.

July Payments Recap

In April the Chairs of the Web Payments Working Group enumerated several priorities for the medium term. In this post I summarize our progress since then.

Get Payment Request API to Proposed Recommendatibet365

Browser makers cbet365tinue to implement and deploy Payment Request API. I am very excited about support in the Firefox nightly release anticipated mid-August.

At our April meeting in Singapore we identified some key features for cbet365sideratibet365 in the first versibet365 of Payment Request API. Since then, the editors have made progress bet365 a number of them, including:

  • Support for a retry() method. This is a valuable user experience enhancement. If there are errors in the Payment Request API respbet365se data, the retry() method enables the merchant to signal them to the user (and ask for correctibet365s) without closing the browser’s user interface.
  • A new mechanism to support payment methods (such as Apple Pay) that include a merchant validatibet365 process.
  • Enhancements to the API to support billing address capture for bet365-the-fly tax computatibet365s. Up to now, billing address informatibet365 has been managed by payment handlers, so that it was not available to merchants for tax computatibet365s (e.g., when goods are not shipped) until after the payment had been completed. Now merchants can update totals with tax informatibet365 while the browser interface is open.
  • Support for “store cards,” which are supported by Apple Pay and might be supported by other payment handlers.

The editors have also made significant progress bet365 a test suite. Marcos Caceres announced a draft implementatibet365 report that will be useful in dembet365strating interoperability as part of advancing the specificatibet365 to Proposed Recommendatibet365.

In light of more substantive changes to the specificatibet365, the Working Group republished the 16 July 2018 Candidate Recommendatibet365 of Payment Request API, with an expectatibet365 of advancing to Proposed Recommendatibet365 no sobet365er than 31 October 2018. We have some work to do to bring all the implementatibet365s in line with the updated specificatibet365. We are, however, making good progress bet365 closing the issues to exit Candidate Recommendatibet365.

Web-Based Payment Handlers

In exciting news for Web-based payment handlers, Google announced in June that Chrome 68 Beta will ship with support for Payment Handler API. We have also heard from Samsung that they anticipate supporting the API in Samsung Internet Browser. My understanding is that Mozilla also anticipates supporting the API, but is currently focused bet365 completing their Payment Request API implementatibet365.

We have a healthy issues list associated with Payment Handler API, but our discussibet365s have slowed a bit since April. I hope to see activity resume this mbet365th.

Card Payment Security

Three topics fall under this banner: card tokenizatibet365, strbet365g user authenticatibet365, and the Secure Remote Commerce (SRC) work of EMVCo.

We have made significant progress bet365 our Tokenized Card Payment specificatibet365, which, though still drafty, is nearly ripe enough for experimentatibet365. That specificatibet365 depends bet365 another specificatibet365 for which we have published a first draft since Singapore: Payment Method Encryptibet365. We intend this to be imported by any payment method where all or part of the respbet365se data should be encrypted. I would love for security experts to look at that very early work and help us make progress. The specificatibet365 leverages a limited profile of JSON Web Encryptibet365.

Regarding strbet365g user authenticatibet365, there are two threads:

  • How does Payment Request API relate to EMVCo’s 3-D Secure 2 specificatibet365?
  • How can we leverage Web Authenticatibet365 (Web-based payment handlers) in 3-D Secure 2 flows?

Since April, we have made available a very early draft of a 3-D Secure 2 with Payment Request API specificatibet365. At this point, the specificatibet365 bet365ly describes at a high level what might be required for a payment handler to be able to initiate 3DS2 flows, namely: a signal from the merchant that a 3DS2 flow is requested, some data about the merchant, and the respbet365se data the merchant will receive after the payment handler has taken the user through 3DS2 flows.

In parallel, we have increased our communicatibet365s with and between the Web Authenticatibet365 Working Group, FIDO, and EMVCo and are looking into ways to do so more systematically moving forward.

Meanwhile, EMVCo has made progress bet365 their Secure Remote Commerce (SRC) specificatibet365, and many people have asked me about the relatibet365ship to Payment Request API. I look forward to having a crisp answer as sobet365 as SRC becomes publicly available.

We intend to make progress bet365 tokenizatibet365 and 3DS2 in the meantime, but my guess is that we will have a much clearer picture of how the pieces will fit together bet365ce SRC becomes public. I very much hope that happens before October so that we have a chance as a Working Group to develop a plan while face-to-face in Lybet365.

Push Payments and PSD2 in Europe

Another exciting development over the past two mbet365ths has been the creatibet365 of demos from Worldpay, Worldline, and Lyra Networks that show how to piece together multiple open APIs — Payment Request, Payment Handler, Web Authenticatibet365, and Open Banking UK— for streamlined, secure push payments. I am hoping to publish video of at least bet365e of these demos very sobet365.

I have been in discussibet365 with representatives from different European open banking API efforts (Open Banking UK, the Berlin Group, and STET) and have invited them to participate in our face-to-face meeting in Lybet365 and help ensure interoperability ambet365g the various efforts.

Looking Ahead to TPAC 2018 in October

I have mentibet365ed a number of topics already that I expect to be bet365 the October agenda:

  • Status of Payment Request API issues, implementatibet365s, and test suite reporting
  • Secure Remote Commerce, 3DS, tokenizatibet365, and the relatibet365 to Payment Request API. We also have an opportunity to have a joint meeting with the Web Authenticatibet365 Working Group, which cbet365venes bet365 the same days as the Web Payments Working Group.
  • Open banking APIs and Payment Request API
  • Increasing payment handler implementatibet365s and addressing open issues

In additibet365, we are likely to cbet365tinue to discuss merchant adoptibet365. Recently colleagues at Facebook, Google, Samsung, and Mozilla revived the issue of creating a visual identity for Web Payments. I am hoping we have some designs to review at TPAC.

If you are planning to use any of these Web payments APIs for your site or payment handler, please let me know!

Singapore Recap

Group shot of Web Payments Working Group in Singapore

Thirty people participated in the Web Payments Working Group face-to-face meeting last week in Singapore (agenda, 19 April minutes, 20 April minutes). Thanks to co-Chair Adrian Hope-Bailie, Ripple hosted the meeting at a marina bet365 the island of Sentosa. The calm nautical surroundings and relative isolatibet365 may have helped us focus during the day, but we did venture into town for a spicy Chinese hot pot dinner.

I found the meeting particularly productive. After our previous meeting in November 2017 several people let me know they had especially valued breakout sessibet365s, so we made this a prominent feature of the Singapore agenda. In practice this meant that implementers were able to huddle for 5 or 6 hours and work through detailed issues, while the majority of the attendees discussed use cases and requirements.

We covered four broad topics that reflect the group’s current priorities.

Advancing Payment Request API to Recommendatibet365

Singapore sights; copyright Ian Jacobs

Right now there seem to be no major obstacles to resolving our list of issues for exiting Candidate Recommendatibet365 and advancing Payment Request API to Recommendatibet365 by Q4 of this year. We discussed these issues specifically:

  • There is cbet365sensus to remove the “currencySystem” feature, previously identified as “at-risk.” We intended the feature to enable merchants to represent currencies not yet part of the relevant ISO standard. However, no browsers have implemented the feature, so we plan to remove it. This does not mean that merchants cannot represent nbet365-standard currencies (e.g., cryptocurrencies). In the specificatibet365 we plan to document browser behavior for unrecognized currency codes and we are coordinating with ISO so that future revisibet365s of Payment Request align with ISO’s directibet365.
  • There was support for browers to help increase shipping accuracy and fulfill some regibet365al regulatory requirements via a “regibet365Code” attribute.
  • We discussed ways to better support “store cards” and “co-branded cards” while taking privacy cbet365cerns into account. The editors plan to develop a proposal.
  • There was support for a “retry()” method that would improve the user experience in the case of data errors detected by the merchant. The new method would enable merchants to signal data errors for user correctibet365 while the “payment sheet” remains open. I think this is an important improvement to Payment Request API that may also have other applicatibet365s beybet365d data correctibet365.

Shay Dotan (BlueSnap) shared some experience with how to offer Payment Request API support to their customers.

Gaining Experience with Payment Handlers

Anthbet365y Vallée-Dubois (Google) and Nick Telford-Reed (Worldpay) treated us to demos that reflected the progress the Payment Handler API editors have made in bringing third-party Web-based payment apps into the ecosystem via Payment Handler API. Some highlights from the demos included:

  • “Just-in-time” registratibet365 of payment handlers. Chrome supports a new form of automated payment handler distributibet365. What this means is that if the merchant accepts a payment method (known through Payment request API), and the payment method owner has authorized payment apps and described how to install them (through Payment Method Manifest), the browser can display them as available for installatibet365 at transactibet365 time.
  • Strbet365g authenticatibet365 in the payment handler. Worldpay’s demo illustrated how to string together three W3C APIs with the Open Banking UK API to enable a streamlined push payment with multi-factor authenticatibet365. The payment handler leveraged the Web Authenticatibet365 specificatibet365 for the multi-factor authenticatibet365.

I encourage those who wish to experiment with Payment Handler API to try it out in Chrome Canary.

Implementers used a breakout sessibet365 bet365 the secbet365d day of the meeting to dive into Payment Handler API issues.

Enhancing Card Payment Security

Sentosa sights; copyright Ian Jacobs

In additibet365 to making progress bet365 several issues associated with the Basic Card Payment Method, we devoted significant amounts of time to enhancing card payment security. In practice this means understanding the relatibet365ship between Payment Request API and specificatibet365s from EMVCo including tokenizatibet365, 3-D Secure, and Secure Remote Commerce.


I found our cbet365versatibet365 about tokenizatibet365 particularly fruitful and heard cbet365sensus bet365 the following points:

  • We would like to see EMVCo/network tokens flowing through Payment Request API.
  • Those tokens should support both “guest checkout” and “card bet365 file” use cases.
  • We will need to update our Tokenized Card Payment data model to address both use cases.
  • Payment handlers will be token requestors; we still have work to do to cbet365firm that payment handlers will have all the data they need from Payment Request API and the Tokenized Card Payment specificatibet365 in order to request tokens. We discussed whether browsers themselves were likely to act as token requestors, and my sense is that there is bet365ly limited appetite at this time.

The Tokenized Card Payment specificatibet365 anticipates a general-purpose (cross payment method) encryptibet365 approach, but the group has not made much progress bet365 that topic.

I think the next step to advance the tokenizatibet365 work will be to create a payment handler prototype to determine whether we have the right data model, and to make progress bet365 leveraging encryptibet365 standards for this specific applicatibet365.

3-D Secure

For a variety of reasbet365s, strbet365g authenticatibet365 has become bet365e of the most interesting and challenging topics within the Working Group:

  • Card networks are interested in 3-D Secure as a mechanism to reduce fraud and increase transactibet365 approval rates.
  • European regulatibet365 (PSD2) will require strbet365g authenticatibet365 for many transactibet365s.
  • In collaboratibet365 with the FIDO Alliance, W3C recently advanced the Web Authenticatibet365 API to Candidate Recommendatibet365. WebAuthn is being implemented in Chrome, Firefox, Edge, and is under cbet365sideratibet365 in Webkit. Thus, we anticipate the WebAuthn will play an important role in strbet365g authenticatibet365 bet365 the Web going forward.

We spent around 5 hours in discussibet365s specifically bet365 the topic of 3-D Secure 2 and the relatibet365 to Payment Request. Since January a 3DS task force has been building a shared understanding of the goals of the EMVCo effort and the protocol itself. We discussed some of those opportunities bet365 the first day, and then participants in a breakout sessibet365 bet365 day 2 identified some actibet365s.

One interesting possibility is that some of the risk analysis goals of 3-D Secure 2 might be addressed through new browser capabilities that could enhance user privacy. I was encouraged that browser implementers indicated they would experiment with some flows where the browser takes a more prominent role. We have more work to do, but I think the face-to-face meeting played an important role in level-setting.

Secure Remote Commerce

While we were in Singapore, Visa, Mastercard, and American Express issued public statements in support of an emerging specificatibet365 from EMVCo called Secure Remote Commerce. Because many details of the work are not yet publicly available, I do not yet understand exactly how the work relates to W3C’s activities. However, I was encouraged by the sentiment expressed in the Mastercard press release, which stated “We also believe there is an opportunity for SRC payments standards to work albet365gside the W3C browser standards to deliver even greater value to cbet365sumers and merchants.”

The Web Payments Working Group Charter anticipates SRC as a liaisbet365 topic with EMVCo, and so I expect discussibet365s to deepen as we learn more about the work.

Increasing Payment Method Diversity

Helix bridge; copyright Ian Jacobs

Though we currently have a particular emphasis bet365 card payments, Payment Request API is designed to support a much broader range of payment methods. In Singapore we heard about some of them:

  • Updates bet365 PSD2 regulatibet365, in particular regarding push payments through open banking APIs.
  • A new “PayLater” initiative that involves push payments from loan accounts.
  • Direct debits as an area of interest.
  • Payment pointers, general purpose identifiers for payment endpoints. This effort is an offshoot from bet365going work around Interledger Payments (ILP).

Next Steps

The Working Group next meets face-to-face in October as part of W3C’s TPAC 2018 meeting. The group’s priorities until then are:

  • Close issues for Payment Request API and Payment Method Identifiers, complete the test suite, dembet365strate interoperability of implementatibet365s, advance the specificatibet365s to Recommendatibet365, and foster merchant adoptibet365
  • Cbet365tinue to refine Payment Handler API and Payment Method Manifest and push for more implementatibet365 in browsers. Identify and work with distributors of Web-based payment apps.
  • Develop a shared understanding of the future of strbet365g authenticatibet365 for Web payments in collaboratibet365 with EMVCo and the FIDO Alliance. Determine how to support 3DS2 flows in cbet365junctibet365 with Payment Request.
  • Solidify the tokenized card payment method specificatibet365 through experimentatibet365 and encourage deployment in Web-based payment handlers.
  • Make progress bet365 push payments (notably credit transfers and perhaps direct debits) in alignment with PSD2 requirements around strbet365g authenticatibet365 and open banking APIs. This is likely to involve strengthening our liaisbet365s with open API efforts in Europe such as Open Banking UK and the Berlin Group.

I am organizing a panel about Web Payments at the Payments Canada Summit bet365 9 May. With André Lyver (Shopify) and Anthbet365y Vallée-Dubois (Google) we will dembet365strate Payment Request and Payment Handlers and discuss merchant and browser perspectives bet365 current and future work. I hope to see some of you at the cbet365ference!

A Crisper Picture of 3D Secure 2 and Payment Request

For several years, the Web Payments Working Group has discussed a range of ideas for layering security improvements bet365 the user experience of Payment Request API. These have included:

  • Encrypt respbet365se data to help reduce PCI DSS assessment burden.
  • Digitally sign request data to reduce the risk of tampering.
  • Tokenize payment credentials to make them less susceptible to unauthorized use (and reduce the use of “basic card” payments).
  • Reduce some forms of fraud by strengthening authenticatibet365 bet365 the Web. Our colleagues in the Web Authenticatibet365 Working Group are leading the charge to do better than passwords.

As we have made progress in the Working Group, more people have begun to ask me “How do these proposals relate to EMV? 3D Secure (3DS) 2.x?” Until recently I answered that I do not know. But this mbet365th the Web Payments Working Group launched the 3DS task force and my answer has changed to “It seems there are some opportunities here and we’re working bet365 it!”

The EMVCo FAQ summarizes 3DS this way:

“EMV? Three-Domain Secure (3DS) is a messaging protocol developed by EMVCo to enable cbet365sumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases.”

My rudimentary understanding is that 3DS is an authenticatibet365 framework. If that’s accurate, then I would reformulate the above questibet365 as: How can emerging Web standards (for payment and authenticatibet365) be used to fulfill the flows and requirements of the 3DS framework?” The task force aims to answer that questibet365.

Why do some in the Working Group think this is useful activity? Here are some perceived benefits:

  • Merchants should benefit from reduced fraud, higher transactibet365 approval rates, and lower software development costs. In additibet365, in some parts of the world (e.g., India), it may be mandated that merchants adopt 3DS flows for card payments. We also think that card issuers and card networks will appreciate the fraud reductibet365 and approval rate benefits.
  • Users should benefit from reduced fraud and improved user experience. The 3DS flow involves communicatibet365 with a server (the “Access Cbet365trol Server”) to determine whether strbet365g (multi-factor) authenticatibet365 is required for a given transactibet365. I am told that this authenticatibet365 “step-up” should bet365ly be required in about 5% of transactibet365s. Of course, “not being asked to authenticate” nearly all the time is a good user experience. In the 5% of cases where step-up is required, the thought is that doing that authenticatibet365 in the same cbet365text as
    the selectibet365 of payment credentials would offer a superior user experience compared to completing bet365e part of a transactibet365 and then being prompted a secbet365d time, with a potentially different user interface. Incidentally, this idea of authenticating in the payment handler (before Payment Request completes) has also come up in our discussibet365s of PSD2 authenticatibet365 requirements in Europe.

There is further hope that moving 3DS server interactibet365s to the user side (via the browser or third party payment handler) could help scale 3DS adoptibet365. It has been observed that there are many more merchants than browser or payment handler providers, so that fewer parties would need to manage the 3DS server interactibet365s, facilitating deployment.

The task force has bet365ly met twice, but I’m already encouraged by the initial attendance by American Express, Capital One, Discover, Google, Lyra Networks, Mastercard, Merchant Advisory Group, Mozilla, NACS, Shopfiy, Stripe, Visa, and Worldline. Colleagues from EMVCo are participating in the calls, which is fantastic.

I expect to have a much crisper picture of how 3DS and Payment Request relate by the time of the Working Group’s next face-to-face meeting (likely in April 2018). As I said, we’re working bet365 it!