w3c / secure-payment-confirmation

Secure Payment Confirmation (SPC)
https://w3c.github.io/secure-payment-confirmation/

Proposal: Remove `showOptOut` from SPC #274

Open stephenmcgruer opened 3 months ago

stephenmcgruer commented 3 months ago

On the Chrome side, we added support for showOptOut back in 2022 (the original issue is https://github.com/w3c/secure-payment-confirmation/issues/172). Since then, we have seen limited interest in this feature of SPC - we know of only one partner who was using it, and they are (to our knowledge) no longer actively engaged with SPC development.


The showOptOut feature does constrain us, particularly in terms of UX development (as all our UX iterations must consider yet-another permutation). As such, we're proposing removing it from the spec and unshipping it from Chrome. As showOptOut was added for regulatory-related reasons, we want to make sure we don't 'silently' regress anyone using it today. Given this, instead of just removing it from the spec, we would make it a constructor-time error if you specify showOptOut: true - SPC would throw, and thus avoid any silent failure.

We'd love to hear input from the community on this proposed removal!
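One way a caller that sets `showOptOut: true` today could cope with the proposed constructor-time error, as an added example that is not part of the issue, the spec, or Chrome's code. The `createSpcRequest` helper and the two stand-in constructors are hypothetical, and the exception type is an assumption because the proposal does not name one.

```javascript
// Added example; not code from the SPC spec or Chrome.
// Assumption: per the proposal, the PaymentRequest constructor throws when
// SPC data contains showOptOut: true. The exception type is not stated on
// the page, so nothing here depends on it.
const SPC_METHOD = "secure-payment-confirmation";

function createSpcRequest(PaymentRequestCtor, spcData, details) {
  const build = (data) =>
    new PaymentRequestCtor([{ supportedMethods: SPC_METHOD, data }], details);

  if (!spcData.showOptOut) {
    return { request: build(spcData), optOutInPrompt: false };
  }
  try {
    return { request: build(spcData), optOutInPrompt: true };
  } catch (firstError) {
    // Retry without the flag. If this also throws, the failure was not
    // caused by showOptOut, and the error propagates to the caller.
    const { showOptOut, ...withoutOptOut } = spcData;
    return { request: build(withoutOptOut), optOutInPrompt: false, firstError };
  }
}

// Constructed stand-ins for the browser's PaymentRequest, for offline runs.
class CurrentBehaviour {
  constructor(methods) { this.data = methods[0].data; }
}
class ProposedBehaviour {
  constructor(methods) {
    if (methods[0].data.showOptOut === true) {
      throw new TypeError("showOptOut is no longer supported"); // constructed message
    }
    this.data = methods[0].data;
  }
}

// Constructed sample input; all values are placeholders.
const sampleData = {
  rpId: "rp.example",
  credentialIds: [new Uint8Array([1, 2, 3])],
  challenge: new Uint8Array([4, 5, 6]),
  payeeOrigin: "https://merchant.example",
  instrument: { displayName: "Example card", icon: "https://rp.example/card.png" },
  showOptOut: true,
};
const sampleDetails = { total: { label: "Total", amount: { currency: "USD", value: "5.00" } } };
```

When `optOutInPrompt` comes back `false` for a request that asked for it, the caller knows the prompt will not offer opt-out and can decide whether to proceed or to surface credential removal some other way.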

Goosth commented 3 months ago

Hi Stephen, I support this simplification.

Goosth commented 3 months ago

Hi Stephen,

I'm in support of us removing this additional option.

We are already struggling with explaining a complex flow to consumers, and we should try to keep the interface as simple as possible to allow more Consumers to be comfortable with it, and more Browsers and issuers/merchants to adopt this. Adding more complexity to an already complex screen and considering all possible permutations can be a challenge that limits adoption.

I believe the regulatory obligations to be forgotten/opt out can be handled in other places and do not have to be in the midst of the Authentication step.

Kind regards, Gerhard

From: Stephen McGruer; Sent: Friday, August 23, 2024 20:58; To: w3c/secure-payment-confirmation; Cc: Subscribed; Subject: [w3c/secure-payment-confirmation] Proposal: Remove showOptOut from SPC (Issue #274)


sarobrien commented 3 months ago

Hi Stephen,

We would really like to keep this feature, otherwise we would not be able to utilize SPC in our flows. Since our only touchpoint with the end user is transactional we need a way for them to be able to “opt out” or remove their credential/passkey. 

We agree the UX and the messaging needs to be improved but we really advocate to keep the feature.

Thanks, Sarah O’Brien Frontend Engineer (Adyen)

rsolomakhin commented 3 months ago

Hi @sarobrien, do you have any suggestions for improvements to the UX and messaging?

sarobrien commented 3 months ago

Hi @rsolomakhin,

Ideal world, this would be configurable text :) Though I know that has security concerns, so off the top of my head (and without the extended context you have) I would think keep it simple; the text right now is too verbose.

I would think a simple line:

"You can remove your passkey if you no longer wish to use this payment method."

Where "remove your passkey" is the hyperlink. If you do need to provide more information for clarity or security reasons maybe include an info icon with a popover to reduce the text in the modal itself.