w3cping / privacy-request

tracking privacy reviews of W3C specifications

Secure Payment Confirmation 2023-01-11 > 2023-02-01 #110

Closed ianbjacobs closed 1 year ago

ianbjacobs commented 1 year ago
In August 2022 the Web Payments Working Group requested pre-Candidate Recommendation horizontal review of Secure Payment Confirmation (SPC). All reviews led to satisfactory outcomes. Thank you for the privacy review and discussion: https://github.com/w3cping/privacy-request/issues/101

Since then, the Web Payments Working Group has made or plans to make two non-editorial changes to the specification that we seek to include in the forthcoming Candidate Recommendation:

* The addition of an opt-out feature, requested by developers to help satisfy GDPR requirements. For background, see [issue 172](https://github.com/w3c/secure-payment-confirmation/issues/172) and the resulting [changes to the specification](https://github.com/w3c/secure-payment-confirmation/pull/215). Experimentation with this feature has demonstrated its utility to at least one organization that has experimented with SPC.
* The expected removal of a requirement that the user agent consume a user activation during authentication. For background, see [issue 216](https://github.com/w3c/secure-payment-confirmation/issues/216), including the Chrome Team's security and privacy consideration notes.

Although we have not yet updated the specification to remove the user activation requirement, we seek your review at this time. We would anticipate the actual change to the specification to be small (and it would include the security and privacy considerations).

Other comments:

Thank you!

ianbjacobs commented 1 year ago

Hi all,

I wanted to check to see whether you have this request on an upcoming agenda.

Thank you,

Ian

samuelweiler commented 1 year ago

@ianbjacobs It's on the agenda for this Thursday, April 6. What discussion has there been of https://github.com/w3c/secure-payment-confirmation/issues/154 in the intervening months?

ianbjacobs commented 1 year ago

Hi @samuelweiler,

We have not had conversations lately about https://github.com/w3c/secure-payment-confirmation/issues/154. It is my understanding that the CTAP WG at FIDO has agreed to add the special "cross-origin" bit, but I am not aware of a public draft that includes it. I think discussion within the WebAuthn WG would continue once the feature is defined in CTAP.

pes10k commented 1 year ago

linking this issue bc it came out of discussion on the PING call https://github.com/w3c/secure-payment-confirmation/issues/237

(thank you @stephenmcgruer!)

samuelweiler commented 1 year ago

Closing review request. New issue as above.