W3C advances technology to streamline payment authentication
Secure Payment Confirmation (SPC) published as a Candidate Recommendation
https://www.w3.org/ — 15 June 2023 — The World Wide Web Consortium today announced a standardization milestone for a new browser capability that helps to streamline user authentication and enhance payment security during Web checkout. Secure Payment Confirmation (SPC) enables merchants, banks, payment service providers, card networks, and others to lower the friction of strong customer authentication (SCA), and produce cryptographic evidence of user consent, both important aspects of regulatory requirements such as the Payment Services Directive (PSD2) in Europe.
Publication of Secure Payment Confirmation as a Candidate Recommendation indicates that the feature set is stable and has received wide review. W3C will seek additional implementation experience prior to advancing this version of Secure Payment Confirmation to Recommendation.
Designed to meet growing demand for strong customer authentication
For the past 15 years, e-commerce has increased as a percentage of all retail sales. The COVID pandemic appears to have slightly accelerated this trend. Improvements to in-person payment security and other factors have led to ongoing increases in online payment fraud.
To combat online payment fraud growth, Europe and other jurisdictions have begun to mandate multifactor authentication for some types of payments. Though multifactor authentication reduces fraud, it also tends to increase checkout friction, which can lead to cart abandonment (cf. for example, Microsoft merchant experiences with SCA under PSD2).
In 2019 the Web Payments Working Group began work on Secure Payment Confirmation to help fulfill Strong Customer Authentication requirements with low checkout friction. Stripe conducted a pilot with an early implementation of SPC and, in March 2020, reported that, compared to one-time passcodes (OTP), SPC authentication led to an 8% increase in conversions while checkout was 3 times faster.
W3C continues to receive feedback about Secure Payment Confirmation through pilot programs, including a second experiment by Stripe. The Web Payments Working Group anticipates more experimental data will be available by September 2023.
SPC benefits from industry collaboration
In the Web Payment Security Interest Group, W3C, the FIDO Alliance, and EMVCo pursue improvements to online payment security through the development of interoperable technical specifications. Secure Payment Confirmation reflects this collaboration: it is built atop Web Authentication and is supported by both EMV® 3-D Secure (version 2.3) and EMV® Secure Remote Commerce (version 1.3); see the Web Payment Security Interest Group's publication How EMVCo, FIDO, and W3C Technologies Relate for more details.
Secure Payment Confirmation is not just for card payments. The Web Payments Working Group regularly discusses how SPC might be integrated into other payment ecosystems such as Open Banking, PIX (in Brazil), as well as in proprietary payment flows.
"Making it easy for people to pay for things online while improving security has been the vision of our working group since we started in 2015," said Working Group co-Chair Nick Telford-Reed. "Secure Payment Confirmation means that for the first time, there will be a common way of authenticating shoppers across payment methods, platforms, devices and browsers, and builds on the success of W3C's Payment Request and the work of both the FIDO Alliance and EMVCo."
Secure Payment Confirmation shipping today
Secure Payment Confirmation adds a "user consent layer" above Web Authentication. At transaction time, Secure Payment Confirmation prompts the user to consent to the terms of a payment through a "transaction dialog" that is governed by the browser; the Chrome implementation of the transaction dialog is shown above. The transaction details are signed by the user's FIDO authenticator, and the bank or other party can validate the authentication results cryptographically, and thus confirm that the user has consented to the terms of the payment (a requirement under PSD2 called "dynamic linking"). EMV® 3-D Secure and other protocols can be used to communicate the authentication results to banks or other parties for this validation.
SPC is currently available in Chrome and Edge on macOS, Windows, and Android. During the Candidate Recommendation period the Web Payments Working Group will seek implementation in other browsers and environments.
About the World Wide Web Consortium
The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C's well-known standards HTML and CSS are the foundational technologies upon which websites are built. W3C works on ensuring that all foundational Web technologies meet the needs of civil society, in areas such as accessibility, internationalization, security, and privacy. W3C also provides the standards that undergird the infrastructure for modern businesses leveraging the Web, in areas such as entertainment, communications, digital publishing, and financial services. That work is created in the open, provided for free and under the groundbreaking W3C Patent Policy.
W3C's vision for "One Web" brings together thousands of dedicated technologists representing more than 400 Member organizations and dozens of industry sectors. W3C is a public-interest non-profit organization incorporated in the United States of America, led by a Board of Directors and employing a global staff. For more information see https://www.w3.org/.
End Press Release
Amy van der Hiel, W3C Media Relations Coordinator <email@example.com>
+1.617.453.8943 (US, Eastern Time)
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.
Testimonials from W3C members and Liaisons
"Fighting checkout friction is key to businesses delivering a convenient digital shopping experience. Our work initiative with W3C and FIDO Alliance continually seeks to streamline customer authentication and aligns with our broader commitment to support evolving payment habits without compromising security. Collaborative industry work to enhance the interoperability of technologies, such as the Web Payment Security Interest Group, is crucial in delivering smoother, safer checkout experiences for consumers."
Arman Aygen, Director of Technology, EMVCo
"At Entersekt, we are excited to see Secure Payment Confirmation (SPC) advancing to Candidate Recommendation, and the very real advancements it brings to our common goal of keeping global organisations safer, without compromising user experience. W3C and the FIDO Alliance have done tremendous work to promote and mature Web Authentication. Google, Apple and Microsoft have rolled out support for passkeys to make this available on a global scale. Payments makes up a critical part of a banking customer's journey and SPC now provides for it. EMVCo has already included support for Secure Payment Confirmation in its EMV® 3-D Secure 2.3.1 specification, to enable secure and compliant card payments. We look forward to rolling out Secure Payment Confirmation to all our FIDO clients in the banking sector, as a seamless part of our industry-leading Context Aware Authentication platform. As one of the Web Payments Working Group chairs, I'm also eager to see how we use the SPC foundation as a stepping stone to further build out other payment and banking related use-cases."
Gerhard Oosthuizen, CTO, Entersekt
"For online payment transactions, the consumer is highly solicited, increasing the risk of abandonment. In parallel, laws across the world are imposing stronger authentication of the user during a transaction to strengthen security. SPC technology is an effective solution to this dilemma, providing a robust authentication method for the browser, without degrading the user experience. At Fime, we are thrilled to see the industry benefit from such a technological breakthrough."
Raphael Guilley, CTO, Fime
"Mastercard is committed to ensuring security and trust across the payments ecosystem, while also providing an exceptional consumer experience. As e-commerce continues to reach new heights around the world, we welcome the introduction of the World Wide Web Consortium’s SPC standardization to support streamlined authentication of consumers across merchants and payment use cases. It’s more important than ever that the online checkout experience is seamless and safe, and this standard is a positive and productive step in scaling our innovative technology that supports this space."
Pablo Fourez, Executive Vice President, Network and Digital Payment Services, Mastercard
"In times of rising card-not-present fraud and users' expectations for more convenient payment approvals, Nok Nok is pleased to collaborate with the World Wide Web Consortium (W3C) on the new Secure Payment Confirmation (SPC) solution that addresses both of these challenges. Nok Nok already supports the new SPC solution and passkeys that streamline user authentication and enhance payment security in the latest release of the Nok Nok S3 Suite announced in April 2023."
Dr. Rolf Lindemann, Vice President, Products, Nok Nok
"Worldline’s R&D team has always supported the W3C payments workgroup mission to combine frictionless UX with clear and strong controls. As such the Secure Payment Confirmation is a major leap forward to create an open standard that brings a clear consent to the user, a frictionless conversion rate to Merchants and continued Strong Customer Authentication control for the user's bank that remains responsible for the applied SCA.
"I'm proud that my team is an active contributor to this new proposed standard which allows us to support our customers to quickly adopt these payment innovations."
Stephan Blachier, Head of Worldline Labs