The need for a Payment API in Browsers from Anders Rundgren on 2020-03-02 (public-payments-wg@w3.org from March 2020)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 2 Mar 2020 08:24:26 +0100
To: Web Payments Working Group <public-payments-wg@w3.org>
Message-ID: <db6d2a59-e8d7-d306-52b3-a6eb1b724ea2@gmail.com>

For the record only.

I was at the TPAC 2013 in Shenzhen when this idea was "sold" to the W3C management. Personally, I didn't really see any need for a dedicated API for payments but rather for some intelligent way of "breaking" the Same Original Policy (SOP) which is doesn't work well for a number of applications including payments.

One if the motives for the payment API was that it was important to reduce the number of payment options by only showing the ones that were relevant for actual user. The recent "skipping the list" seems to point in another direction.

There was also a perceived need for a unified payment API. This has in practice shown to be impossible to achieve since payment requests including security solutions adds a number of non-standard elements (like for Google Pay), making payment method, amount and currency the only common denominator. For the result part the variance is even bigger.

Although defining a JavaScript API is logical it has short-comings in a more universal setting. It is not particularly clear how you can map such APIs to a system using a channel like required for QR or BLE. In order to get universality in the Merchant code, you would need to always spawn a browser. However, 5 years have passed without any progress on the connection between PaymentRequest and POS terminals. The same goes for the Desktop/Web using a Mobile Wallet which is a pretty common scenario these days.

The idea of mixing payments and shipping is tempting but introduces a lot of complexity. Auto fill probably works well enough for most people.

The modal window will most likely revive these discussions.

Personally I'm only using PaymentRequest as a "bridge" between the Web and payment handlers. That is, I have defined my own JSON-based Payment API which was necessary in order to achieve a cryptographically secured scheme where the input (request) data is hashed and signed by a user-side payment-authorization key.

How PaymentRequest blends with Open Banking ought to be an interesting topic but apparently there is no WG work going on here.

thanx,
Anders Rundgren

Received on Monday, 2 March 2020 07:24:43 UTC