- From: Amy van der Hiel <amy@w3.org>
- Date: Thu, 15 Jun 2023 08:43:12 -0400
- To: w3c-news@w3.org
- Cc: "Amy (me) van der Hiel" <amy@w3.org>
Dear friends of W3C,
The World Wide Web Consortium (W3C) today announced a standardization milestone for a new browser capability that helps to streamline user authentication and enhance payment security during Web checkout. Secure Payment Confirmation (SPC) has been published as a Candidate Recommendation.
Secure Payment Confirmation enables merchants, banks, payment service providers, card networks, and others to lower the friction of strong customer authentication (SCA), and produce cryptographic evidence of user consent.
For the past 15 years, e-commerce has increased as a percentage of all retail sales. The COVID pandemic appears to have slightly accelerated this trend. Improvements to in-person payment security and other factors have led to ongoing increases in online payment fraud. To combat online payment fraud growth, Europe and other jurisdictions have begun to mandate multifactor authentication for some types of payments.
"Making it easy for people to pay for things online while improving security has been the vision of our working group since we started in 2015," said Working Group co-Chair Nick Telford-Reed. "Secure Payment Confirmation means that for the first time, there will be a common way of authenticating shoppers across payment methods, platforms, devices and browsers, and builds on the success of W3C's Payment Request and the work of both the FIDO Alliance and EMVCo."
SPC is currently available in Chrome and Edge on MacOS, Windows, and Android. During the Candidate Recommendation period the Web Payments Working Group will seek implementation in other browsers and environments.
Read our Press Release to learn more about this achievement below as text and online at:
https://www.w3.org/2023/06/pressrelease-spc-cr.html.en
Yours sincerely,
Amy van der Hiel
W3C Media Relations Coordinator
=====================================================
[1]W3C For immediate release
[1]
https://www.w3.org/
W3C advances technology to streamline payment authentication
Secure Payment Confirmation (SPC) published as a Candidate
Recommendation
__________________________________________________________
Read [2]testimonials from W3C Members and Liaisons
[3]W3C Press Release Archive
__________________________________________________________
[3]
https://www.w3.org/Press/
Screenshot of SPC transaction dialog in Chrome
[4]
https://www.w3.org/
— 15 June 2023 — The World Wide Web
Consortium today announced a standardization milestone for a
new browser capability that helps to streamline user
authentication and enhance payment security during Web
checkout. [5]Secure Payment Confirmation (SPC) enables
merchants, banks, payment service providers, card networks, and
others to lower the friction of strong customer authentication
(SCA), and produce cryptographic evidence of user consent, both
important aspects of regulatory requirements such as the
[6]Payment Services Directive (PSD2) in Europe.
[4]
https://www.w3.org/
[5]
https://www.w3.org/TR/secure-payment-confirmation/
[6]
https://www.ecb.europa.eu/paym/intro/mip-online/2018/html/1803_revisedpsd.en.html
Publication of Secure Payment Confirmation as a Candidate
Recommendation indicates that the feature set is stable and has
received wide review. W3C will seek additional implementation
experience prior to advancing this version of Secure Payment
Confirmation to Recommendation.
Designed to meet growing demand for strong customer authentication
For the past 15 years, e-commerce has increased as a percentage
of all retail sales. The COVID pandemic appears to have
slightly accelerated this trend. Improvements to in-person
payment security and other factors have led to ongoing
increases in online payment fraud.
To combat online payment fraud growth, Europe and other
jurisdictions have begun to mandate multifactor authentication
for some types of payments. Though multifactor authentication
reduces fraud, it also tends to increase checkout friction,
which can lead to cart abandonment (cf. for example,
[7]Microsoft merchant experiences with SCA under PSD2).
[7]
http://www.w3.org/2022/Talks/dean-jordaan-20220912.pdf
In 2019 the [8]Web Payments Working Group began work on Secure
Payment Confirmation to help fulfill Strong Customer
Authentication requirements with low checkout friction. Stripe
conducted a pilot with an early implementation of SPC and, in
March 2020 [9]reported that, compared to one-time passcodes
(OTP), SPC authentication led to an 8% increase in conversions
at the same time checkout was 3 times faster.
[8]
https://www.w3.org/groups/wg/payments
[9]
http://www.w3.org/2021/Talks/spc-pilot-202103.pdf
W3C continues to receive feedback about Secure Payment
Confirmation through pilot programs, including a second
experiment by Stripe. The Web Payments Working Group
anticipates more experimental data will be available by
September 2023.
SPC benefits from industry collaboration
In the [10]Web Payment Security Interest Group, W3C, the FIDO
Alliance, and EMVCo pursue improvements to online payment
security through the development of interoperable technical
specifications. Secure Payment Confirmation reflects this
collaboration: it is built atop Web Authentication and is
supported by both EMV® 3-D Secure (version 2.3) and EMV®
Secure Remote Commerce (version 1.3); see the Web Payment
Security Interest Group's publication [11]How EMVCo, FIDO, and
W3C Technologies Relate for more details.
[10]
https://www.w3.org/groups/ig/securepay
[11]
https://www.w3.org/TR/htr/
Secure Payment Confirmation is not just for card payments. The
Web Payments Working Group regularly discusses how SPC might be
integrated into other payment ecosystems such as Open Banking,
PIX (in Brazil), as well as in proprietary payment flows.
"Making it easy for people to pay for things online while
improving security has been the vision of our working group
since we started in 2015," said Working Group co-Chair Nick
Telford-Reed. "Secure Payment Confirmation means that for the
first time, there will be a common way of authenticating
shoppers across payment methods, platforms, devices and
browsers, and builds on the success of W3C's Payment Request
and the work of both the FIDO Alliance and EMVCo."
Secure Payment Confirmation shipping today
Secure Payment Confirmation adds a "user consent layer" above
Web Authentication. At transaction time, Secure Payment
Confirmation prompts the user to consent to the terms of a
payment through a "transaction dialog" that is governed by the
browser; the Chrome implementation of the transaction dialog is
shown above. The transaction details are signed by the user's
FIDO authenticator, and the bank or other party can validate
the authentication results cryptographically, and thus that the
user has consented to the terms of the payment (a requirement
under PSD2 called "dynamic linking"). EMV® 3-D Secure and other
protocols can be used to communicate the authentication results
to banks or other parties for this validation.
SPC is currently available in Chrome and Edge on MacOS,
Windows, and Android. During the Candidate Recommendation
period the Web Payments Working Group will seek implementation
in other browsers and environments.
About the World Wide Web Consortium
The mission of the World Wide Web Consortium (W3C) is to lead
the Web to its full potential by creating technical standards
and guidelines to ensure that the Web remains open, accessible,
and interoperable for everyone around the globe. W3C well-known
standards HTML and CSS are the foundational technologies upon
which websites are built. W3C works on ensuring that all
foundational Web technologies meet the needs of civil society,
in areas such as accessibility, internationalization, security,
and privacy. W3C also provides the standards that undergird the
infrastructure for modern businesses leveraging the Web, in
areas such as entertainment, communications, digital
publishing, and financial services. That work is created in the
open, provided for free and under the groundbreaking W3C Patent
Policy.
W3C's vision for "One Web" brings together thousands of
dedicated technologists representing more than 400 [12]Member
organizations and dozens of industry sectors. W3C is a
public-interest non-profit organization incorporated in the
United States of America, led by a Board of Directors and
employing a global staff across the globe. For more information
see [13]
https://www.w3.org/.
[12]
https://www.w3.org/Consortium/Member/List
[13]
https://www.w3.org/
End Press Release
Media Contact
Amy van der Hiel, W3C Media Relations Coordinator
<[14]w3t-pr@w3.org>
mailto:w3t-pr@w3.org
+1.617.453.8943 (US, Eastern Time)
EMV® is a registered trademark in the U.S. and other countries
and an unregistered trademark elsewhere. The EMV trademark is
owned by EMVCo, LLC.
__________________________________________________________
Testimonials from W3C members and Liaisons
[15]EMVCo • [16]Entersekt • [17]Fime • [18]Mastercard •
[19]Nok Nok
EMVCo
"Fighting checkout friction is key to businesses delivering
a convenient digital shopping experience. Our work
initiative with W3C and FIDO Alliance continually seeks to
streamline customer authentication and aligns with our
broader commitment to support evolving payment habits
without compromising security. Collaborative industry work
to enhance the interoperability of technologies, such as the
Web Payment Security Interest Group, are crucial in
delivering smoother, safer checkout experiences for
consumers."
Arman Aygen, Director of Technology, [20]EMVCo
[20]
https://www.emvco.com/
Entersekt
"At Entersekt, we are excited to see Secure Payment
Confirmation (SPC) advancing to Candidate Recommendation,
and the very real advancements it brings to our common goal
of keeping global organisations safer, without compromising
user experience. W3C and the FIDO Alliance have done
tremendous work to promote and mature WebAuthentication.
Google, Apple and Microsoft have rolled out support for
passkeys to make this available on a global scale. Payments
makes up a critical part of a banking customer's journey and
SPC now provides for it. EMVCo has already included Secure
Payment Confirmation in their EMV® 3-D Secure 2.3.1
specification, to enable secure and compliant card payments.
We look forward to roll out Secure Payment Confirmation to
all our FIDO clients in the banking sector, as a seamless
part of our industry leading Context Aware Authentication
platform. As one of the Web Payment Working Group chairs,
I'm also eager to see how we use the SPC foundation as a
stepping stone to further build out other payment and
banking related use-cases."
Gerhard Oosthuizen, CTO, [21]Entersekt
[21]
https://www.entersekt.com/
Fime
"For online payment transaction, the consumer is highly
solicited, increasing the risk of abandonment. In parallel,
laws across the world are imposing stronger authentication
of the user during a transaction to strengthen security. SPC
technology is an effective solution to this dilemma,
providing a robust authentication method for browser,
without degrading the user experience. At Fime, we are
thrilled to see the industry benefit from such a
technological breakthrough."
Raphael Guilley, CTO, [22]Fime
[22]
https://www.fime.com/
Mastercard
"Mastercard is committed to ensuring security and trust
across the payments ecosystem, while also providing an
exceptional consumer experience. As e-commerce continues to
reach new heights around the world, we welcome the
introduction of the World Wide Web Consortium’s SPC
standardization to support streamlined authentication of
consumers across merchants and payment use cases. It’s more
important than ever that the online checkout experience is
seamless and safe, and this standard is a positive and
productive step in scaling our innovative technology that
supports this space."
Pablo Fourez, Executive Vice President, Network and Digital
Payment Services, [23]Mastercard
[23]
https://www.mastercard.us/en-us.html
Nok Nok
"In times of rising card-not-present fraud and users'
expectations for more convenient payment approvals, Nok Nok
is pleased to collaborate with the World Wide Web Consortium
(W3C) on the new Secure Payment Confirmation (SPC) solution
that addresses both of these challenges. Nok Nok already
supports the new SPC solution and passkeys that streamline
user authentication and enhance payment security in the
latest release of the Nok Nok S3 Suite announced in April
2023."
Dr. Rolf Lindemann, Vice President, Products, [24]Nok Nok
__________________________________________________________
[24]
http://www.noknok.com/
[25]W3C Press Release Archive
[25]
https://www.w3.org/Press/
Received on Thursday, 15 June 2023 12:43:15 UTC