Two changes to Secure Payment Confirmation prior to CR

[ianbjacobs]

Wotcher TAG!

I'm requesting a TAG review of Secure Payment Confirmation (SPC) based on two non-editorial changes to the specification since the previous TAG review that was conducted as we approached CR: https://github.com/w3ctag/design-reviews/issues/675

Since that review, the Web Payments Working Group has made or plans to make two non-editorial changes to the specification. We seek your review of these changes as we prepare to go to CR:

• The addition of an opt-out feature, requested by developers to help satisfy GDPR requirements. For background, see issue 172 and the resulting changes to the specification. Experimentation with this feature has demonstrated its utility to at least one organization that has experimented with SPC.

• The expected removal of a requirement that the user agent consume a user activation during authentication. For background, see issue 216, including the Chrome Team's security and privacy consideration notes. Although we have not yet updated the specification to remove the user activation requirement, we seek your review at this time. We would anticipate the actual change to the specification to be small (and it would include the security and privacy considerations).

  • Explainer¹ (minimally containing user needs and example code): https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md
  • Specification URL: https://w3c.github.io/secure-payment-confirmation/
  • Tests: https://wpt.fyi/results/secure-payment-confirmation/
  • User research: Although we have not done user research in the Working Group, experimental results from a pilot by Stripe showed an increase in conversions of 8% compared to one-time passcodes, as well as authentication times being 3 times faster with SPC compared to one-time passcodes. http://www.w3.org/2021/Talks/spc-pilot-202103.pdf
  • Security and Privacy self-review²: https://github.com/w3c/secure-payment-confirmation/blob/main/security-privacy-questionnaire.md . Note: The template for these reviews has not changed since our initial self-review in 2022. We have updated the self-review for the current review request.
  • GitHub repo (if you prefer feedback filed there): https://github.com/w3c/secure-payment-confirmation/issues/
  • Primary contacts (and their relationship to the specification): Stephen McGruer (editor, Google), Ian Jacobs (team contact, W3C), Gerhard Oosthuizen (Chair, Entersekt), Praveena Subrahmanyam (Chair, Airbnb), Nick Telford-Reed (Chair, IE)
  • Organization(s)/project(s) driving the specification: Google Chrome
  • Key pieces of existing multi-stakeholder review or discussion of this specification: For reviews prior to these two changes, see: https://lists.w3.org/Archives/Public/public-payments-wg/2022Aug/0009.html . All issues raised during those reviews were resolved to the satisfaction of all parties.
  • External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5702310124584960

Further details:

• [✅] I have reviewed the TAG's Web Platform Design Principles
• Relevant time constraints or deadlines: Review ideally by 1 February 2023.
• The group where the work on this specification is currently being done: Web Payments Working Group
• Major unresolved issues with or opposition to this specification: None at this time.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback

[torgo]

Hi @ianjacobs - this change looks good to us. Thanks for running this by us and thanks to the group for documenting this so well in the issue including the security & privacy considerations and potential abuse cases. We would encourage you to document this in the explainer and in the spec as well and to provide some additional guidance to UA developers about the risks and mitigations.

In particular, we were very happy to see the group ask for us to weigh in on last minute changes; given that there isn't anything mandating this in the process.

We wish you luck with this. Please let us know if we can help with anything else.

[ianbjacobs]

@torgo, thank you and the TAG for the review and the support! I will work with the editors to integrate guidance for developers as you recommend.

[ianbjacobs]

@torgo, we have merged our pull request into the explainer as suggested. https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md

Thank you!