The New Standard for Online Payments: SPC



In June 2023, the W3C consortium announced a new standard for confirming financial transactions, Secure Payment Confirmation (SPC), which, if adopted, will simplify online payments. For now, the standard is published as a Candidate Recommendation. SPC makes Web Authentication (WebAuthn), a browser-based cryptographic API, the standard for financial transactions. These are payments confirmed by fingerprint, face scan, PIN code, etc. Now, instead of a code or SMS, you can present a fingerprint to confirm a 2FA transaction.

The new standard should simplify user authentication, provide strong customer authentication (SCA) and obtain cryptographic proof of consent. Having cryptographic proof is an important part of regulatory requirements in different countries, including the Payment Services Directive (PSD2) in Europe.

In general, SPC relies on WebAuthn technology and works on roughly the same mechanism as the recently introduced passwordless authentication standard Google Passkeys (access keys), which lets you log in to an account without a password, using a finger, face, local PIN or hardware key instead. That is, you log in using the same method by which you log in to the operating system. This is considered sufficient cryptographic proof of consent both for authentication on a remote server and for payment.

It is not surprising that Google is one of the developers of SPC technology.

As we mentioned in our recent article on Passkeys, fingerprint scanning is the easiest and most secure authentication method, according to user surveys.

Source: Multimodal User Authentication in Smart Environments: A User Attitude Survey

Fingerprint and/or face scanning is present in most modern smartphones.



The adoption of SPC as a candidate recommendation indicates that the feature set “is stable and has received broad consideration,” according to a W3C press release. The consortium now needs to receive additional pilot implementations of SPC before making final edits and adopting the final version of the standard.

W3C notes the relevance of the new standard in connection with the widespread use of e-commerce and increased requirements for payment security. While in the 90s, entering a credit card number in a form with a POST request was enough to make a payment, this is a rarity now. Moreover, in Europe and other countries, this method has been banned by law, introducing mandatory multi-factor authentication for some types of payments. This is where the problem comes in.

While multi-factor authentication reduces fraud, it also makes the payment process more difficult and increases transaction abandonment (for example, see the results of Microsoft's SCA experiment under PSD2).


In 2019, the W3C Web Payments Working Group began working on a secure payment confirmation standard that would provide strong customer authentication (SCA) but be easier to use. Stripe piloted SPC in March 2020. In the Stripe experiment, after a regular transaction, the user is prompted to make future payments using a fingerprint.

The browser then verifies the corresponding cryptographic primitives.

This completes the procedure.

The next time, after entering card details, the browser prompts you to confirm the transfer using a fingerprint.


After verification in the browser, the payment is completed.

Compared to one-time passwords (OTP), SPC authentication increased conversion by 8% and accelerated the authentication procedure threefold: from 36 to 12 seconds.

SPC was developed with the participation of the Web Payment Security Interest Group, which includes W3C, FIDO Alliance and EMVCo. As a result, the new standard is compatible with the current two-factor authentication protocols EMV 3-D Secure (version 2.3) and EMV Secure Remote Commerce (version 1.3).

Support for SPC technology requires changes to browsers to implement WebAuthn. It is currently available in Chrome and Edge browsers on macOS, Windows and Android platforms. The W3C Web Payments Working Group will help bring the technology to other browsers.

The W3C is currently overseeing other pilot programs, including a second Stripe experiment. Results are expected by September 2023, before final standardization is possible.



SPC payments are expected to be more convenient for everyone. For users, it is an easier way to pay, and for merchants, it is an increase in conversion.
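The "cryptographic proof of consent" described above is something the relying party (for example the card issuer) checks on its server: the signed client data must name the amount and payee it expected. The sketch below is an added example, not code from the original post or from the W3C; the client-data field names (`type: "payment.get"`, `payment.rpId`, `payment.payeeOrigin`, `payment.total`) follow the SPC draft as an assumption to confirm against the current spec, and the domains, challenge and software key are constructed.

```javascript
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Relying-party check of an SPC assertion against the transaction it expected.
// Returns 'ok' or the reason for rejection.
function verifySpcAssertion({ clientDataJSON, authenticatorData, signature }, publicKey, expected) {
  const cd = JSON.parse(clientDataJSON.toString('utf8'));
  if (cd.type !== 'payment.get') return 'wrong type';        // assumed SPC client-data type
  if (cd.challenge !== expected.challenge) return 'challenge mismatch';
  const p = cd.payment || {};
  if (p.rpId !== expected.rpId) return 'rpId mismatch';
  if (p.payeeOrigin !== expected.payeeOrigin) return 'payee mismatch';
  if (!p.total || p.total.value !== expected.total.value ||
      p.total.currency !== expected.total.currency) return 'amount mismatch';
  // WebAuthn authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4)
  if (authenticatorData.length < 37) return 'short authenticatorData';
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpIdHash mismatch';
  if ((authenticatorData[32] & 0x04) === 0) return 'user not verified'; // UV flag
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

// Constructed sample: a software P-256 key stands in for the authenticator.
function makeSample(total) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const expected = { challenge: 'Y29uc3RydWN0ZWQtbm9uY2U', rpId: 'bank.example',
    payeeOrigin: 'https://shop.example', total: { value: '15.00', currency: 'EUR' } };
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'payment.get', challenge: expected.challenge, origin: 'https://shop.example',
    payment: { rpId: expected.rpId, topOrigin: 'https://shop.example',
      payeeOrigin: expected.payeeOrigin, total,
      instrument: { displayName: 'Card ****0000', icon: 'https://bank.example/card.png' } } }));
  // flags 0x05 = user present + user verified; counter = 1
  const authenticatorData = Buffer.concat([sha256(expected.rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { assertion: { clientDataJSON, authenticatorData, signature }, publicKey, expected };
}
```

A real deployment would also check the signature counter and the `origin` and `topOrigin` values, and would use the credential public key stored at enrollment rather than a freshly generated one.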
