Overview
Secure Payment Confirmation (SPC) is a proposed web standard that allows customers to authenticate with a credit card issuer, bank, or other payment service provider using a platform authenticator—typically activated with a device’s screen unlock feature such as a fingerprint sensor. This usually happens during a payments authentication protocol such as EMV 3-D Secure or Open Banking. EMV 3-D Secure, for example, has support for SPC in its v2.3 spec release.
We previously announced that SPC was launched for Google Chrome on macOS and Windows and provided developer guides for both registration and authentication.

As of M109 (currently on the Beta channel), SPC will also be available on Google Chrome on Android. Users will be able to use their device’s screen lock to complete the payment verification process on merchant sites that use SPC.
If you are interested in experimenting with SPC, feel free to try it out on our demo website, or ask your Payment Service Provider if they plan to support it for authenticating user payments.

As SPC is specialised in payment authentication, you can use this API directly only if you are a credit card issuer, bank, or other payment service provider. Otherwise, please reach out to your credit card issuer, bank or payment service provider if you are interested in using this feature.
Strong authentication for payments
Authentication plays an important role in payment fraud prevention. However, payment authentication today often uses either weak (for example, CVC code) or frictionful (for example, SMS OTP) verification methods. These authentication methods can either leave users vulnerable to fraud, or cause cart abandonment due to friction.
SPC builds on top of Web Authentication (WebAuthn) to bring strong authentication to payment transactions, using platform authenticators that are built into users’ devices. The authenticating party (known as the relying party in WebAuthn), such as the issuing bank or a payment service provider, registers the user in a one-time process either on their website or during a traditionally-authenticated transaction. They may then use the registration to authenticate the user in subsequent payment flows.
The FIDO standard mandates that the device must not transmit any biometric data outside of itself, so user verification happens only locally on the device.

As long as the relying party is the same (for example, the same issuing bank), the user should be able to use one registration for all future payments with that relying party across any merchant that integrates SPC.
API changes
Developers can follow the existing implementation guide written for desktop integration to learn how the API works. There is only one API change that developers need to be aware of with this launch. Due to a technical limitation at the time of launch, SPC for Google Chrome on Android does not yet support discoverable credentials. This limitation is being worked on, but a fix will not be available in M109.

Because of this, developers should pass `preferred` (instead of `required`) for the `residentKey` parameter at credential creation time when creating credentials for SPC:
```javascript
navigator.credentials.create({
  publicKey: {
    ...,
    authenticatorSelection: {
      residentKey: 'preferred',
      ...,
    },
    extensions: {
      payment: {
        isPayment: true,
      }
    },
  }
});
```
The `payment` extension (with `isPayment: true`) indicates that this is an SPC credential. See the previous registration guide to learn how to use it.
Currently this code creates non-discoverable credentials, which work for SPC. Once discoverable credentials are supported by SPC for Google Chrome on Android, this code will automatically switch to creating discoverable credentials instead.

The SPC specification does not allow passing `discouraged` for the `residentKey` parameter; this is still the case for SPC for Google Chrome on Android.
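As an added example (not code from the original post or from Chrome), the following builds the `publicKey` options for an SPC credential and enforces the two rules above before the object reaches `navigator.credentials.create()`: `discouraged` is rejected outright, and `required` is rejected when targeting Chrome on Android at M109. The function names, the `android` flag, the `platform` attachment and `required` user verification, and the sample relying party and challenge values are assumptions constructed for the example.

```javascript
// Added example: assemble SPC credential-creation options and check residentKey
// against the rules the post describes. Helper names are hypothetical.

const SPC_RESIDENT_KEYS = new Set(['preferred', 'required']); // 'discouraged' is never valid for SPC

// Decode a base64url string (how a server typically ships a challenge or user id) to bytes.
function base64urlToBytes(s) {
  return new Uint8Array(Buffer.from(s, 'base64url'));
}

// Reject values the SPC spec forbids, and values that cannot work on Android at M109,
// where discoverable credentials are not yet supported.
function checkResidentKey(residentKey, { android }) {
  if (!SPC_RESIDENT_KEYS.has(residentKey)) {
    throw new Error(`SPC does not allow residentKey '${residentKey}'`);
  }
  if (android && residentKey === 'required') {
    throw new Error("residentKey 'required' needs discoverable credentials; use 'preferred' on Android (M109)");
  }
  return residentKey;
}

// Build the options object; pass the result to navigator.credentials.create() in the browser.
function buildSpcCreationOptions({ rpId, rpName, userId, userName, challenge,
                                   residentKey = 'preferred', android = true }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: base64urlToBytes(userId), name: userName, displayName: userName },
      challenge: base64urlToBytes(challenge),
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
      authenticatorSelection: {
        authenticatorAttachment: 'platform',   // SPC relies on the device's platform authenticator (assumption)
        residentKey: checkResidentKey(residentKey, { android }),
        userVerification: 'required',          // screen-lock verification on the device (assumption)
      },
      extensions: { payment: { isPayment: true } }, // marks this as an SPC credential
    },
  };
}

// Constructed sample input: 'dXNlci0xMjM' is base64url("user-123"), 'Y2hhbGxlbmdl' is base64url("challenge").
const sampleOptions = buildSpcCreationOptions({
  rpId: 'bank.example', rpName: 'Example Bank',
  userId: 'dXNlci0xMjM', userName: 'user-123', challenge: 'Y2hhbGxlbmdl',
});
```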
Resources
Learn how to implement Secure Payment Confirmation