The World Wide Web Consortium today announced a standardization milestone for a new browser capability that helps to streamline user authentication and enhance payment security during Web checkout. Secure Payment Confirmation (SPC) enables merchants, banks, payment service providers, card networks, and others to lower the friction of strong customer authentication (SCA), and produce cryptographic evidence of user consent, both important aspects of regulatory requirements such as the Payment Services Directive (PSD2) in Europe.
Publication of Secure Payment Confirmation as a Candidate Recommendation indicates that the feature set is stable and has received wide review. W3C will seek additional implementation experience prior to advancing this version of Secure Payment Confirmation to Recommendation.
Designed to meet growing demand for strong customer authentication
For the past 15 years, e-commerce has increased as a percentage of all retail sales. The COVID pandemic appears to have slightly accelerated this trend. Improvements to in-person payment security and other factors have led to ongoing increases in online payment fraud.
To combat online payment fraud growth, Europe and other jurisdictions have begun to mandate multifactor authentication for some types of payments. Though multifactor authentication reduces fraud, it also tends to increase checkout friction, which can lead to cart abandonment (cf. for example, Microsoft merchant experiences with SCA under PSD2).
In 2019 the Web Payments Working Group began work on Secure Payment Confirmation to help fulfill Strong Customer Authentication requirements with low checkout friction. Stripe conducted a pilot with an early implementation of SPC and, in March 2020 reported that, compared to one-time passcodes (OTP), SPC authentication led to an 8% increase in conversions at the same time checkout was 3 times faster.
W3C continues to receive feedback about Secure Payment Confirmation through pilot programs, including a second experiment by Stripe. The Web Payments Working Group anticipates more experimental data will be available by September 2023.
SPC benefits from industry collaboration
In the Web Payment Security Interest Group, W3C, the FIDO Alliance, and EMVCo pursue improvements to online payment security through the development of interoperable technical specifications. Secure Payment Confirmation reflects this collaboration: it is built atop Web Authentication and is supported by both EMV® 3-D Secure (version 2.3) and EMV® Secure Remote Commerce (version 1.3); see the Web Payment Security Interest Group’s publication How EMVCo, FIDO, and W3C Technologies Relate for more details.
Secure Payment Confirmation is not just for card payments. The Web Payments Working Group regularly discusses how SPC might be integrated into other payment ecosystems such as Open Banking, PIX (in Brazil), as well as in proprietary payment flows.
“Making it easy for people to pay for things online while improving security has been the vision of our working group since we started in 2015,” said Working Group co-Chair Nick Telford-Reed. “Secure Payment Confirmation means that for the first time, there will be a common way of authenticating shoppers across payment methods, platforms, devices and browsers, and builds on the success of W3C’s Payment Request and the work of both the FIDO Alliance and EMVCo.”
Secure Payment Confirmation shipping today
Secure Payment Confirmation adds a “user consent layer” above Web Authentication. At transaction time, Secure Payment Confirmation prompts the user to consent to the terms of a payment through a “transaction dialog” that is governed by the browser; the Chrome implementation of the transaction dialog is shown above. The transaction details are signed by the user’s FIDO authenticator, and the bank or other party can validate the authentication results cryptographically, and thus that the user has consented to the terms of the payment (a requirement under PSD2 called “dynamic linking”). EMV® 3-D Secure and other protocols can be used to communicate the authentication results to banks or other parties for this validation.
SPC is currently available in Chrome and Edge on MacOS, Windows, and Android. During the Candidate Recommendation period the Web Payments Working Group will seek implementation in other browsers and environments.