The context
The Web turned 33 this year. Web inventor Tim Berners-Lee founded the World Wide Web Consortium to ensure the long-term growth of the Web by building community around open technology standards. As more and more people have come to rely on the network, the need for new technologies and standards has increased. It is important that the Web remains an open and competitive platform available to everyone on a wide range of devices: desktops, mobile, televisions, automobiles, e-readers, and more.
Within W3C, the Web Payments Working Group focuses on making payments on the Web easier and more secure.
W3C is community-driven. We welcome additional participation from European stakeholders to ensure that the Web meets the needs of users, merchants, and payment service providers.
Ian Jacobs, W3C Payments Lead
The challenges
The COVID pandemic accelerated an existing trend: the digital transformation of commerce and payments. At the same time, improvements in the security of physical payments (e.g., card chips) have led to an increase in online fraud.
In Europe and other regions, regulators have taken steps to reduce fraud through new requirements for Strong Customer Authentication (SCA), for example under the Payment Services Directive (PSD2). Industry experience shows that implementation of solutions without sufficient attention to user experience can lead to significant shopping cart abandonment, which harms users, merchants, and other ecosystem stakeholders.
How standardisation activities help face the challenges
W3C, the FIDO Alliance, and EMVCo have been working closely to bring to market widely deployed standards that improve the user experience of SCA while at the same time increasing online privacy and security.
FIDO2 - the combination of Web Authentication from W3C and CTAP from the FIDO Alliance - is now available on billions of devices (mobile and desktop). One initial goal of FIDO was to replace passwords, which are known to be a major source of online fraud and data breaches. FIDO enables easier and more secure authentication for login, but can also be used for payments.
The Web Payments Working Group has developed a new technology called "Secure Payment Confirmation" (SPC), currently shipping in the Chrome browser.
SPC leverages FIDO authentication and adds capabilities so that Payment Initiation Service Providers (PISPs) can fulfill both SCA and "dynamic linking" requirements of PSD2. The PISP asks the browser to securely display transaction details, and when the user authenticates (with FIDO), those details are signed cryptographically and may be validated as part of PSD2 compliance.
SPC is thus an authentication method that may be used as part of payment systems, including card payments and open banking. EMVCo has integrated support for SPC into EMV® 3-D Secure (version 2.3), a strong signal of industry support for this emerging standard.
The Benefits
SPC provides a streamlined user experience. Stripe conducted an experiment and found that users completed 8% more transactions with SPC compared to one-time passcodes, and the authentication process was three times faster. SPC/FIDO can help improve online privacy.
SPC makes it easier for PISPs and other stakeholders to fulfill regulatory requirements related to SCA and dynamic linking. SPC relies on FIDO, which is ubiquitously supported.
SPC is designed to reduce payment fraud, which benefits users, merchants, PISPs, banks, and other stakeholders.
Future plans
Although the card payment industry has embraced the SPC approach, there is more to do.
Experiments are currently under way to help solidify the technology. To that end, Adyen and Airbnb are conducting an experiment, Modirum has developed a prototype implementation of an Access Control Server (ACS) for EMV® 3-D Secure, and more pilots are in the pipeline. It will also be important for more browsers to implement SPC (only Chrome does so at the moment) so that merchants and PISPs can use it with confidence.
W3C will continue to work closely with the FIDO Alliance and EMVCo to ensure that their respective standards interoperate.
Read more here