Secure Payment Confirmation on Chrome Android
Update, March 2023
As of Chrome 112, the technical limitation that required authenticatorSelection.residentKey to be set to preferred instead of required has been lifted. The documents have been updated following the change.
Overview
Secure Payment Confirmation (SPC) is a proposed web standard that allows customers to authenticate with a credit card issuer, bank, or other payment service provider using a platform authenticator—typically activated with a device's screen unlock feature such as a fingerprint sensor. This usually happens during a payments authentication protocol such as EMV 3-D Secure or Open Banking. EMV 3-D Secure, for example, has support for SPC in its v2.3 spec release. We previously announced that SPC was launched for Google Chrome on macOS and Windows and provided developer guides for both registration and authentication.
As of M109 (currently on the Beta channel), SPC will also be available on Google Chrome on Android. Users will be able to use their device's screen lock to complete the payment verification process on merchant sites that use SPC.
If you are interested in experimenting with SPC, feel free to try it out on our demo website, or ask your Payment Service Provider if they plan to support it for authenticating user payments.
As SPC is specialised in payment authentication, you can use this API directly only if you are a credit card issuer, bank, or other payment service provider. Otherwise, please reach out to your credit card issuer, bank or payment service provider if you are interested in using this feature.
Strong authentication for payments
Authentication plays an important role in payment fraud prevention. However, payment authentication today often uses either weak (for example, CVC code) or high-friction (for example, SMS OTP) verification methods. These authentication methods can either leave users vulnerable to fraud, or cause cart abandonment due to friction.
SPC builds on top of Web Authentication (WebAuthn) to bring strong authentication to payment transactions, using platform authenticators that are built into users' devices. The authenticating party (known as the relying party in WebAuthn), such as the issuing bank or a payment service provider, registers the user in a one-time process either on their website or during a traditionally-authenticated transaction. They may then use the registration to authenticate the user in subsequent payment flows.
The FIDO standard mandates that the device never transmits any biometric data outside of itself, so user verification happens only locally.
As long as the relying party is the same (for example, the same issuing bank), the user should be able to use one registration for all future payments with that relying party across any merchant that integrates SPC.
API changes
Developers can follow the existing implementation guide written for desktop integration to learn how the API works.
navigator.credentials.create({
  publicKey: {
    ...,
    authenticatorSelection: {
      residentKey: 'preferred',
      ...,
    },
    extensions: {
      payment: {
        isPayment: true,   // marks the credential as an SPC credential
      }
    },
  }
});
The payment property indicates that this is an SPC credential. See the previous registration guide to learn how to use it.
Currently this code creates non-discoverable credentials, which work for SPC. Once discoverable credentials are supported by SPC for Google Chrome on Android, this code will automatically switch to creating discoverable credentials instead.
The SPC specification does not allow passing `discouraged` for the residentKey parameter; this is still the case for SPC for Google Chrome on Android.
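The following is an added example (not code from the Chrome documentation) that builds a complete SPC registration request around the snippet above and rejects a residentKey of 'discouraged' before the browser does. The relying-party values are constructed placeholders, and the platform attachment and required user verification settings are assumptions taken from the desktop SPC registration flow rather than from this page.

```javascript
// Added example, not from the Chrome docs: a complete SPC registration
// request built around the page's snippet, with the SPC rules checked up
// front. RP values are constructed placeholders; the challenge is server-issued.
const SPC_RP = { id: 'bank.example', name: 'Example Bank' };  // constructed placeholder

function buildSpcCreateOptions({ challenge, userId, userName, residentKey = 'preferred' }) {
  // SPC forbids 'discouraged', so fail early rather than let the browser reject it.
  if (residentKey === 'discouraged') {
    throw new Error("SPC does not allow residentKey: 'discouraged'");
  }
  return {
    publicKey: {
      rp: SPC_RP,
      user: { id: userId, name: userName, displayName: userName },
      challenge,                                   // server-issued, single use
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },           // ES256
        { type: 'public-key', alg: -257 },         // RS256
      ],
      authenticatorSelection: {
        authenticatorAttachment: 'platform',       // assumed: built-in authenticator (screen lock)
        residentKey,                               // 'preferred' or 'required', never 'discouraged'
        userVerification: 'required',              // assumed: local user verification required
      },
      extensions: { payment: { isPayment: true } },  // marks this as an SPC credential
    },
  };
}

// Sanity-check a request object against the SPC constraints assumed above.
function isSpcCreateOptions(options) {
  const pk = options && options.publicKey;
  if (!pk || !pk.extensions || !pk.extensions.payment) return false;
  const sel = pk.authenticatorSelection || {};
  return pk.extensions.payment.isPayment === true &&
    sel.authenticatorAttachment === 'platform' &&
    sel.userVerification === 'required' &&
    sel.residentKey !== 'discouraged';
}

// Browser-only: register the credential with the device's platform authenticator.
async function registerSpcCredential(options) {
  if (typeof PublicKeyCredential === 'undefined') throw new Error('WebAuthn not available');
  const ok = await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
  if (!ok) throw new Error('No user-verifying platform authenticator on this device');
  return navigator.credentials.create(options);
}
```

In a page served by the relying party, `registerSpcCredential(buildSpcCreateOptions({...}))` runs the same create() call as the snippet above; the builder and checker also run outside a browser.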
Resources
Learn how to implement Secure Payment Confirmation