Phone/Lock/Safe.

Secure Payment Confirmation on Chrome Android

Published on Updated on

Update, March 2023

As of Chrome 112, the technical limitation that led authenticatorSelection.residentKey to be preferred instead of required has been lifted. Documents have been updated following the change.

Overview

Secure Payment Confirmation (SPC) is a proposed web standard that allows customers to authenticate with a credit card issuer, bank, or other payment service provider using a platform authenticator—typically activated with a device's screen unlock feature such as a fingerprint sensor. This usually happens during a payments authentication protocol such as EMV 3-D Secure or Open Banking. EMV 3-D Secure, for example, has support for SPC in its v2.3 spec release. We previously announced that SPC was launched for Google Chrome on macOS and Windows and provided developer guides for both registration and authentication.

As of M109 (currently on the Beta channel), SPC will also be available on Google Chrome on Android. Users will be able to use their device's screen lock to complete the payment verification process on merchant sites that use SPC.

A user is paying on Chrome using the Secure Payment Confirmation.

If you are interested in experimenting with SPC, feel free to try it out on our demo website, or ask your Payment Service Provider if they plan to support it for authenticating user payments.

As SPC is specialised in payment authentication, you can use this API directly only if you are a credit card issuer, bank, or other payment service provider. Otherwise, please reach out to your credit card issuer, bank or payment service provider if you are interested in using this feature.

Strong authentication for payments

Authentication plays an important role in payment fraud prevention. However, payment authentication today often uses either weak (for example, CVC code) or frictionful (for example, SMS OTP) verification methods. These authentication methods can either leave users vulnerable to fraud, or cause cart abandonment due to friction.

SPC builds on top of Web Authentication (WebAuthn) to bring strong authentication to payment transactions, using platform authenticators that are built into users' devices. The authenticating party (known as the relying party in WebAuthn), such as the issuing bank or a payment service provider, registers the user in a one-time process either on their website or during a traditionally-authenticated transaction. They may then use the registration to authenticate the user in subsequent payment flows.

The FIDO standard mandates the device not to transmit any biometric data outside of itself, so that the user verification only happens locally

As long as the relying party is the same (for example, the same issuing bank), the user should be able to use one registration for all future payments with that relying party across any merchant that integrates SPC.

API changes

Developers can follow the existing implementation guide written for desktop integration to learn how the API works.

navigator.credentials.create({  
publicKey: {
...,
authenticatorSelection: {
residentKey: 'preferred',
...,
},
extensions: {
payment: {
isPayment: true,
}
},
}
});

The payment property indicates that this is an SPC credential. See the previous registration guide to learn how to use it.

Currently this code creates non-discoverable credentials which work for SPC. Once discoverable credentials are supported by SPC for Google Chrome on Android, this code will automatically switch to creating discoverable credentials instead.

The SPC specification does not allow passing `discouraged` for the residentKey parameter - this is still the case for SPC for Google Chrome on Android.

Resources

Learn how to implement Secure Payment Confirmation

Photo by Franck on Unsplash

Updated on Improve article

We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.