A new web standard will add another layer of security to online payment services like Appl...

Posted:
in General Discussion

The World Wide Web Consortium is working to further secure online payments in browsers with a new technology that works alongside other payment services like Apple Pay, Google Pay, and more.

W3C announces a standard for secure online payments
W3C announces a standard for secure online payments



Known as Secure Payment Confirmation (SPC), it allows various entities like merchants, banks, payment service providers, and card networks to reduce the obstacles associated with strong customer authentication (SCA) and generate cryptographic proof of user consent. These factors are crucial in meeting regulatory obligations such as Europe's Payment Services Directive (PSD2).

To address the increasing incidence of online payment fraud, Europe and other regions have initiated requirements for multifactor authentication in certain payment scenarios. While multi-factor authentication effectively reduces fraud, it also tends to create additional complexity during checkout, which can result in customers abandoning their shopping carts.

Secure Payment Confirmation



Secure Payment Confirmation introduces an additional layer of "user consent" on top of web authentication. During a transaction, SPC prompts the user to consent to the payment terms through a "transaction dialog" governed by the browser.

The transaction dialog lets a user review and confirm the transaction details. The user's FIDO authenticator signs the transaction details, allowing the bank or relevant entity to verify the authentication outcome cryptographically.

The cryptographic verification ensures that the user has indeed consented to the payment terms, as required by the Payment Services Directive 2 (PSD2), under the concept of "dynamic linking."

The Web Payments Working Group started the development of Secure Payment Confirmation in 2019 to meet the Strong Customer Authentication requirements while minimizing checkout difficulties. Stripe conducted a trial using an initial implementation of SPC, and in March 2020, it was observed that SPC authentication resulted in an 8% boost in conversions compared to one-time passcodes (OTP).

Additionally, the checkout process was three times faster with SPC authentication. SPC could extend beyond card payments and encompasses other payment ecosystems as well.

Currently, SPC is accessible on Chrome and Edge platforms across macOS, Windows, and Android, which doesn't include Apple's Safari browser. But as the Web Payments Working Group enters the Candidate Recommendation phase, efforts will be made to extend SPC implementation to other browsers and platforms.

Read on AppleInsider

Comments

  • Reply 1 of 16
    rob53rob53 Posts: 3,246member
    Currently just works with malware-providers Chrome and Edge on the Mac. Is W3C "owned" by Google or Microsoft? If it's being pushed by the EU, I can see why Safari isn't included.
    williamlondonwatto_cobraappleinsideruserjony0
  • Reply 2 of 16
    avon b7avon b7 Posts: 7,655member
    rob53 said:
    Currently just works with malware-providers Chrome and Edge on the Mac. Is W3C "owned" by Google or Microsoft? If it's being pushed by the EU, I can see why Safari isn't included.
    Remember that it isn't absolutely necessary in the EU as PSD2 has been in force since around 2019 and seems to have been successful. 

    The store passes me to the gateway where I input card details. Click OK, open my bank app and the authorisation is waiting for me there. Click OK and instantly the store confirms the transaction. 

    Fast and fluid. 

    On top of that I use a virtual card for online payments that I 'charge' right before the purchase with the required amount. 

    That card actually exists as a physical card too but with no printed number and a dynamic CVV. 

    Not all online purchases have to use this system. Amazon has the 'buy now' button and as soon as you hit that, everything goes through. 




    edited June 2023
  • Reply 3 of 16
    anonymouseanonymouse Posts: 6,860member
    rob53 said:
    Currently just works with malware-providers Chrome and Edge on the Mac. Is W3C "owned" by Google or Microsoft? If it's being pushed by the EU, I can see why Safari isn't included.
    The W3C is the World Wide Web Consortium: https://www.w3.org

    See also: https://en.wikipedia.org/wiki/World_Wide_Web_Consortium

    It is not "owned" by Google or Microsoft, but Google, Microsoft and Apple are all members: https://www.w3.org/Consortium/Member/List
    williamlondonwatto_cobra
  • Reply 4 of 16
    coolfactorcoolfactor Posts: 2,241member
    rob53 said:
    Currently just works with malware-providers Chrome and Edge on the Mac. Is W3C "owned" by Google or Microsoft? If it's being pushed by the EU, I can see why Safari isn't included.

    Apple tends to be more cautious with implementing new features into Safari. They do have a Technology Preview version of Safari, but it doesn't have any sign of SPC yet. Maybe the spec has been too raw to touch?
    watto_cobrajony0
  • Reply 5 of 16
    jdwjdw Posts: 1,331member
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not ever computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    williamlondonappleinsideruser
  • Reply 6 of 16
    XedXed Posts: 2,533member
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not ever computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    williamlondonStrangeDaysMplsP
  • Reply 7 of 16
    jdwjdw Posts: 1,331member
    Xed said:
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not ever computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    What an odd question, asked like you don't even know the answer.  But the answer is: Everything.  My iPhone bugs me to enable 2FA with every single iOS update.  My Macs leave me alone.

    It's clear though that you actually like 2FA and think it makes you much safer, and so you are trying to defend it.  I hate 2FA and feel more vulnerable with it enabled, so I am clearly not going to be convinced by your support of it.  I can only be thankful that Apple still allows me the freedom go find the tiny text link back door which allows me to escape the 2FA madness by keeping that horrid thing switched off.
  • Reply 8 of 16
    chutzpahchutzpah Posts: 392member
    jdw said:
    Xed said:
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not ever computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    What an odd question, asked like you don't even know the answer.  But the answer is: Everything.  My iPhone bugs me to enable 2FA with every single iOS update.  My Macs leave me alone.

    It's clear though that you actually like 2FA and think it makes you much safer, and so you are trying to defend it.  I hate 2FA and feel more vulnerable with it enabled, so I am clearly not going to be convinced by your support of it.  I can only be thankful that Apple still allows me the freedom go find the tiny text link back door which allows me to escape the 2FA madness by keeping that horrid thing switched off.
    Why on earth would you feel more vulnerable with an additional layer of security?
    muthuk_vanalingamMplsP
  • Reply 9 of 16
    jdwjdw Posts: 1,331member
    chutzpah said:
    jdw said:
    Xed said:
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not ever computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    What an odd question, asked like you don't even know the answer.  But the answer is: Everything.  My iPhone bugs me to enable 2FA with every single iOS update.  My Macs leave me alone.

    It's clear though that you actually like 2FA and think it makes you much safer, and so you are trying to defend it.  I hate 2FA and feel more vulnerable with it enabled, so I am clearly not going to be convinced by your support of it.  I can only be thankful that Apple still allows me the freedom go find the tiny text link back door which allows me to escape the 2FA madness by keeping that horrid thing switched off.
    Why on earth would you feel more vulnerable with an additional layer of security?
    Fear of getting locked out ONLY because 2FA is enabled.  With it disabled, I have no such fears at all.  Zero.  None!
  • Reply 10 of 16
    chutzpahchutzpah Posts: 392member
    How peculiar.
    muthuk_vanalingamjony0
  • Reply 11 of 16
    avon b7avon b7 Posts: 7,655member
    jdw said:
    chutzpah said:
    jdw said:
    Xed said:
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not ever computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    What an odd question, asked like you don't even know the answer.  But the answer is: Everything.  My iPhone bugs me to enable 2FA with every single iOS update.  My Macs leave me alone.

    It's clear though that you actually like 2FA and think it makes you much safer, and so you are trying to defend it.  I hate 2FA and feel more vulnerable with it enabled, so I am clearly not going to be convinced by your support of it.  I can only be thankful that Apple still allows me the freedom go find the tiny text link back door which allows me to escape the 2FA madness by keeping that horrid thing switched off.
    Why on earth would you feel more vulnerable with an additional layer of security?
    Fear of getting locked out ONLY because 2FA is enabled.  With it disabled, I have no such fears at all.  Zero.  None!
    Your fears should be very real because if you get hacked you will probably be able to eventually get access back, but at what cost? 

    Ironically, I have some accounts with ridiculously weak passwords and without 2FA. They are active and around twenty years old, and at this point they are 'open' to attack out of curiosity on my part.

    I'm surprised they haven't been swiped but there you have it. Pure luck? Maybe.

    Anything tied to Google, Huawei, Apple etc in an ID or financial sense has 2FA activated apart from other protections that are in place. 
  • Reply 12 of 16
    MplsPMplsP Posts: 3,921member
    Not clear to me how this is any better than ApplePay which is incredibly slick and convenient.
    jony0
  • Reply 13 of 16
    jdwjdw Posts: 1,331member
    I don't have any ridiculously weak passwords on accounts I care about.  Some very old forums I never participate anymore, perhaps, but certainly nothing that would expose my sensitive personal data or bank account information.  Any weak passwords I created for those old forums I deliberately made weak (so as to remember them easier) because the content they protected wasn't worth protecting.  I simply was forced to create an account with a password to post in a given forum.

    I think there's more risk of me getting locked out due to stupid 2FA than being hacked.  I say that because I've been online since my 300 baud modem and dial-up BBS's back in the early 80's, and to this day I've never been hacked because I religiously use good passwords and maintain them well.  I also don't visit places that expose me to potential hacks, and I don't foolishly click on links in emails.  I'm pretty adept at spotting phishing attempts. 

    With silly 2FA, if you don't happen to have a device on which your 2FA code or confirmation can be done, you're out of luck.  That restricts my freedom, and I dislike that tremendously.  That is why I keep 2FA switched off.  People who rely on 2FA can't imagine that to be safe, but I am here to say, it actually is.  It's called good password management combined with strong passwords.  I have the key passwords needed for access memorized, and the rest I can access online when needed, in a safe way.
    Dogperson
  • Reply 14 of 16
    XedXed Posts: 2,533member
    jdw said:
    Xed said:
    jdw said:
    I hate complexity and refuse to use anything that might lock me out.  Passwords are fine, and I still use 1Password to manage them.  But 2FA?  No!  Absolutely not.  I still refuse to switch it on when it comes to my Apple ID.  That means I can't use some Apple services, but so be it.  I hate it with a passion.  For what if I am accessing something from a computer without my iPhone?  Seriously!  To force me to have an iPhone is wrong.  So I keep 2FA switched off. 

    Whatever solution these people come up with had better not force me to need anything other than a password.  I don't mind fingerprints and biometric access, but not ever computer has that.  Passwords really are the only decent solution that isn't complex, assuming you can remember your passwords or have 1Password save in Dropbox which can be accessed from anywhere.
    What does your iPhone have to do with 2FA? I am a very heavy Mac user who only ever uses their iPhone when on the go, and I have 2FA enabled for every single account possible and those one-time passwords are saved in 1Password so I don't even have to do anything special to put them in. And for the occasional websites that use 2FA via SMS or email, that all comes to my Mac, too.
    What an odd question, asked like you don't even know the answer.  But the answer is: Everything.  My iPhone bugs me to enable 2FA with every single iOS update.  My Macs leave me alone.

    It's clear though that you actually like 2FA and think it makes you much safer, and so you are trying to defend it.  I hate 2FA and feel more vulnerable with it enabled, so I am clearly not going to be convinced by your support of it.  I can only be thankful that Apple still allows me the freedom go find the tiny text link back door which allows me to escape the 2FA madness by keeping that horrid thing switched off.
    You are clearly misguided by saying you "feel" more vulnerable to a hack by using a 2nd factor to authenticate a device, like a one-time password built into a password manager.

    In another post you claim that you "religiously use good passwords" but everything you're saying says that you don't, especially with claims that you have "ridiculously easy passwords" on accounts you don't care about.

    Even though I have worked in IT security for a very long time I don't  think you have to have my perspective before understanding that using simple, short, memorable, repeated (or slightly varied) passwords across so-called accounts you don't care about is a good idea. All my passwords are unique and they aren't doing things like changing an 'E' to a '3' which only makes it more complex for you to type (especially on a virtual keyboard) than it would be to crack.

    PS: 2FA or not, all logins that use a password have the potential to lock you out, but you claim that you "refuse to use anything that might lock me out". Posting on this forum means that you are clearly don't do that, and I bet you don't even see how silly your claim is.
    edited June 2023 williamlondon
  • Reply 15 of 16
    jdwjdw Posts: 1,331member
    When you've been doing something for YEARS with success as I have, you stick with it regardless of what some guy on the internet says.  In the end, I use what works for me and I don't waver even when faced with ridicule.  In fact, mockery only works to reinforce what I already believe.  So thank you! :-)
    Dogperson
  • Reply 16 of 16
    chutzpahchutzpah Posts: 392member
    jdw said:
    In fact, mockery only works to reinforce what I already believe.  
    That’s pretty damn stupid. 
Sign In or Register to comment.