Re: [w3ctag/design-reviews] Eligibility for autofill (Issue #831) from Stephen McGruer on 2023-07-04 (public-webapps-github@w3.org from July 2023)

From: Stephen McGruer <notifications@github.com>
Date: Tue, 04 Jul 2023 08:00:52 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/831/1620409445@github.com>

> We'd also suggest requesting feedback from the Web Payments working group if that's not something you've done already since this is so squarely in the payments space?

Putting on my Web Payments WG hat for a moment (whilst acknowledging I also work for Chrome/Google, and alongside @schwering on this proposal):

A desire for autofill to work better for payment forms is definitely common feedback I have heard from payment service providers (PSPs). I would say they have two main needs:

1. Adhere to security best-practices and regulations on processing credit card information (particularly PCI DSS). This results in a need/desire to isolate the merchant from card data (credit card number and CVC being the most sensitive), which is why it is common for PSPs to offer credit card input fields isolated inside of iframes (such as [Stripe Elements](https://stripe.com/en-ca/payments/elements) or [Adyen Components](https://docs.adyen.com/payment-methods/cards/web-component)*).

2. Meet their merchants' needs for customization of the provided checkout flow primitives, such that a merchant can build an experience that matches their own brand. This leads to a few sub-needs, including:
- Separate iframes for each field (cardholder name, credit card number, expiry, CVC), so that the merchant can arrange and style them as needed.
- Some less-sensitive fields to be owned by the merchant (most often cardholder name), since the merchant may need this data directly for e.g. aligning with shipping info.

From a Web Payments WG perspective (but not speaking officially on their behalf), we certainly believe that this status quo is not desirable, and we have long tried to build APIs in what we think is a better direction such as Payment Request (and the now-deprecated basic-card payment method) and Payment Handler. However we also should recognize that so far we have not strongly succeeded in our efforts, and in my opinion we should also meet the industry where it is at (and provide better services to users on the web!) where needed. As such, I personally would hope that the Web Payments WG would support this effort.

\* These are intended as examples only and do not imply specific endorsement of this idea from Stripe or Adyen. As @schwering noted, we can ask for official statements of support from PSPs be provided if desired by the TAG.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/831#issuecomment-1620409445
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/831/1620409445@github.com>

Received on Tuesday, 4 July 2023 15:00:58 UTC