Secure Payment Confirmation

From MgmtWiki
Revision as of 11:18, 27 May 2024 by Tom (talk | contribs) (Solutions)

Full Title

W3C standard stating "Secure Payment Confirmation (SPC), available through the Payment Request API, provides a mechanism for strong customer authentication and consent of payment during checkout, helping to protect against online payment fraud."

Context

  • Secure Payment Confirmation (SPC) is a Web API to support streamlined authentication during a payment transaction. It is designed to scale authentication across merchants, to be used within a wide range of authentication protocols, and to produce cryptographic evidence that the user has confirmed transaction details.
  • Using Secure Payment Confirmation is an MDN (Mozilla) page. Online payment fraud is common, so authenticating the account holder is standard practice. Strong authentication lowers the risk of fraud, but it increases the likelihood that friction during checkout will lead to shopping-cart abandonment. Banks, merchants, payment service providers, and other entities in a payments ecosystem therefore weigh a number of factors when deciding what type and strength of authentication to use for each transaction, including the amount, the items being purchased, the user's payment history, which party bears liability in the case of fraud, and regulatory requirements (such as the European Payment Services Directive 2 requirements for strong customer authentication and evidence of user consent).

Problems

  • In 2022 versions of Chrome and Edge, the Secure Payment Confirmation API requires you to hand over your card number in the clear to merchants. Besides violating GDPR, this rests on a misguided concept: merchants do not need card numbers, they need a payment confirmation, which they can only get from the specific payment network.

Solutions

  • SPC Design Choices for Flexibility and Scale, Ian Jacobs, 2021-10-06
  • SPC is designed to enable streamlined strong customer authentication (SCA) in a variety of payment systems, and to provide cryptographic evidence that the user has consented to the terms of a transaction. When the API is called, the browser displays elements of the transaction in a dialog box: the name (or origin) of the merchant, the payment instrument, and the amount and currency of the payment. Those same displayed values are placed by the browser into the signed client data of the resulting assertion, so the relying party can check that what the user saw is what it is being asked to authorise.

References