Re: [w3ctag/design-reviews] Secure Payment Confirmation (#544)

Thanks @hober for the feedback!

> 1. Is this necessary? Existing payment methods (e.g. Apple Pay) already securely confirm payments. (If it is necessary, how does it interact with existing payment methods which already have secure confirmation built in?)

Yes. Although existing payment methods such as Apple Pay have secure confirmation, form-based checkouts are still more common. This feature enables WebAuthn-based strong authentication for any form-based checkout. Merchants usually have multiple business reasons to consider when switching from form-based checkouts to payment apps. So I believe it's valuable to add a small primitive to enhance the security of checkout forms in the meantime.

> 2. I realize that your explainer already states, in bold, that a fallback mechanism still needs to be designed. That said, it's hard to evaluate the proposal without one. Have you designed a fallback mechanism since filing this request? If so, could you update the explainer with details?

With the implementation experience from the pilot, I'm leaning towards leaving the fallback mechanism to the merchant (or the PSP who is handling the checkout on behalf of the merchant). So the Secure Payment Confirmation request will simply reject with an error code. I will update the explainer soon, unless TAG sees a concern with this approach.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/544#issuecomment-768412115

Received on Wednesday, 27 January 2021 16:39:12 UTC