Re: [w3ctag/design-reviews] Secure Payment Confirmation (#544)

Hi TAG,
I have performed an extensive review of SPC.  It covers technical issues but also things that may affect adoption:
https://github.com/cyberphone/doc/blob/gh-pages/payments/review-secure-payment-confirmation.md#external-review-googlew3c-secure-payment-confirmation-spc

On the technical side, the following may be particularly worth looking into:
- Sending card numbers in clear to third parties like merchants (which, for example, Apple Pay does not) appears to be incompatible with modern standards.
- The specification does not elaborate on backend requirements; this is supposed to be catered for by the industry.  However, AFAICT the SPC Web API, which targets merchants, does in most real-world cases in practice require that the entire payment process is outsourced.  That the underlying standard (3DS) is covered by a whopping 500 pages of documentation gives an indication of the complexity of this (not researched) part.

I hope that SPC gets a more professional analysis by TAG than its (now _finally discontinued_) predecessor, the `PaymentHandler`, got:
https://lists.w3.org/Archives/Public/www-tag/2017Aug/0001.html

It is important to realize that since the idea of providing an API enabling developers to write compelling payment applications didn't pan out, we are now about to standardize an "application" which, unlike most other applications, must (in order to work) be accepted by _merchants_, _payment providers_, _banks_, and last but not least by _consumers_.  The W3C has never done anything comparable before.  That banks rarely participate in any kind of open standardization makes things even a bit more challenging!

@hober @kenchris 

https://github.com/w3ctag/design-reviews/issues/544#issuecomment-899457518

Received on Monday, 16 August 2021 12:07:28 UTC