[DRAFT] Web Payments Working Group Charter
The mission of the Web Payments Working Group is to make consumer retail payments easier and more secure on the Web.
Charter Status | See the group status page and detailed change history. |
---|---|
Start date | [dd monthname yyyy] (date of the "Call for Participation", when the charter is approved) |
End date | [dd monthname yyyy] (Start date + 2 years) |
Chairs | Gerhard Oosthuizen (Entersekt); Praveena Subrahmanyam (Airbnb); Nick Telford-Reed, Invited Expert |
Team Contacts | Ian Jacobs (FTE %: 40%) |
Meeting Schedule | Teleconferences: every two weeks. Face-to-face: typically 1 per year |
Motivation and Background
A number of recent phenomena and changes to the Web payments ecosystem have shaped this version of the Web Payments Working Group charter, including:
- Regulatory requirements that impact payments (e.g., related to strong authentication, for digital wallets to address both identity and payments use cases). The Working Group seeks to enhance Web payments to align with regulatory requirements.
- Growing ecommerce fraud and new kinds of frauds and scams. At the same time, changes to user agent capabilities (e.g., related to cookies, user agent strings, IP addresses, etc.) have an impact on returning user recognition and fraud mitigation. The Working Group seeks to lower fraud through new browser and OS risk signals that protect user privacy.
- Market expectation of lower friction during checkout to reduce abandonment. The Working Group seeks to improve the user experience through new user agent capabilities designed specifically for payments.
- Evolving user expectations regarding biometrics on mobile devices; users increasingly view them favorably and as providing enhanced security. The Working Group builds on Web Authentication, which is now widely available.
Wallets
When this group was first chartered 10 years ago, W3C's vision was that digital wallets could simultaneously improve the usability, security, and privacy of payments on the Web. The Working Group developed and standardized APIs to streamline Web checkout by making it easier for users to interact with both Web-based and native "payment apps" (essentially digital wallets): Payment Method Identifiers, Payment Request API, Payment Handler API, and Payment Method Manifest. These APIs have seen modest adoption, but have not yet resulted in a diverse ecosystem of payment apps.
In recent years, however, the European Commission has renewed the community's interest in digital wallets as a result of the European Digital Identity (EUDI) Regulation. This regulation has led to a "parallel track" for wallets on the Web via APIs incubated by several collaborating organizations, including W3C (e.g., the Digital Credentials API, Verifiable Credentials Data Model), the OpenID Foundation, the FIDO Alliance, the IETF, ISO, and others. This new push for digital wallets appears to be primarily aimed at supporting digital identity use cases (e.g., presentation of government-issued credentials for authentication scenarios), but the project does extend to payments use cases (e.g., where someone wishes to present a proof-of-age credential alongside a payment credential). Although this new digital identity ecosystem is still in the early stages, there are encouraging signals of future interoperability across user agents, such as shipping code and public expressions of intent to prototype.
Strong Authentication
Both tracks for bringing wallets to the Web include the ability of a site (such as a merchant Web site) to request credentials via the user agent, and the user consenting to return selected credentials to the site. Both tracks also involve strong authentication capabilities.
To address strong authentication needs (and reduce reliance on phishable SMS OTP), this Working Group has developed Secure Payment Confirmation, an API to improve the usability, security, and privacy of strong authentication for Web payments. This API depends today on valuable features enabled by Web Authentication and CTAP, including biometric authentication, cross-device support, and digital signature capabilities. While Web Authentication has evolved effectively for login use cases (via synced passkeys), SPC has evolved simultaneously to meet payments ecosystem requirements not met through Web Authentication alone. In particular:
- SPC provides a modal window for the user to agree to transaction details. The browser passes the displayed information directly to the authenticator to be signed. The authentication results can play a role in providing cryptographic evidence of user agreement ("transaction confirmation" or "dynamic linking") to the transaction details, as required by some regulation (e.g., PSD2 in Europe).
- Synced passkeys remove the "device-bound" possession factor that is often required by payments regulators. SPC adds back a device-bound factor to complement the passkey.
- For most merchants, payments are handled by third parties who frequently operate from code running in an iframe. In addition, some payment system rules (e.g., from the PCI Security Standards Council) reinforce the desire to separate the merchant context from the payment context. For this reason, SPC has enabled both credential creation and authentication from an iframe. This behavior initially deviated from Web Authentication behavior, but Web Authentication has evolved in L2 and L3 to align with SPC behavior.
- Whereas Web Authentication limits credential usage to the relying party that created the credential, SPC allows other parties to use another relying party's credentials (with their permission). This decoupling of "authentication ceremony" from "validation of the results" enables a variety of arrangements among various payment ecosystem stakeholders, such as (but not limited to):
- Bank-initiated authentication using their own credential
- Merchant-initiated authentication using a bank's credential, where the results are sent to the bank on the backend for validation.
- Merchant-initiated authentication using a merchant's own credential or one owned by their payment service provider (i.e., "delegated authentication").
As one example of the diversity of SPC-supported flows, the EMV® 3-D Secure specification refers normatively to SPC and leverages this "decoupling" feature of SPC to enable multiple flows.
The community is thus pursuing two tracks in parallel related to credential exchange and authentication. This raises several questions:
- If adopted interoperably, would the new digital wallet APIs subsume the functionality of Payment Request, Web Authentication, and SPC? Or would they be complementary? For example, one set of standards might more readily support use cases involving strong national identity credentials, while the other might support lighter-weight authentication scenarios or be more useful in environments where wallets are fragmented or not widely adopted.
- If the two tracks both prove relevant for different use cases, can they be aligned in some ways for the benefit of developers? For example, could they share argument lists?
Support for diverse payment systems
Beyond the work on digital wallets coming out of the European Commission push, the Working Group recognizes that there are large ecosystems of payment systems, particularly outside of North America and Europe, that are not being served by its current set of APIs. For example, some payment systems rely on a 'push' payment from the payment system to a merchant with minimal integration required from the merchant (including no JavaScript). These payment systems may also have different requirements for fraud protection, both because of technical differences in the payment system and because of fraud realities on the ground. Although the Working Group periodically discusses these other payment systems, the users of these payment systems, and the merchants and payment organizations involved in these ecosystems, should be better supported by user agents and by this Working Group.
These are the topics and questions that we intend to discuss in this iteration of the Working Group's charter.
Scope
- Digital wallets, identity, and payments: this relates both to maintaining and enhancing the group's existing approaches to payment apps, and to conversations about other approaches for bringing digital wallets to the Web for use cases related to identity and payments.
- Authentication: authentication (including strong customer authentication) for a selected payment instrument. This Working Group coordinates closely with the Web Authentication Working Group.
- User identification: simplifying user access to accounts and payment instruments while protecting user privacy.
The Working Group seeks to develop technologies that can be used with a wide variety of payment methods, including card payments, credit transfers, open banking architectures, proprietary payment methods, and mobile wallets. See the section on Coordination for a list of Working Group relationships that inform discussions.
Out of Scope
The following features are out of scope, and will not be addressed by this Working Group.
- User interface specifics are out of scope; this Working Group is chartered to Recommend programming interfaces, not user interface specifics. However, it is in scope for the Working Group to discuss user experience, for example as part of understanding user journeys during a checkout experience.
- How digital payment schemes register and communicate with payment instruments. Here, a "digital payment scheme" is a set of rules for the execution of payment transactions that are followed by adhering entities (payment service providers, processors, issuers, acquirers, payers and payees). A payment instrument is an account, token, or other means of fulfilling the payment provider’s role in a digital payment scheme. Some digital payment schemes make internal use of payment instruments from other payment schemes.
Deliverables
Updated document status is available on the group publication status page.
Draft state indicates the state of the deliverable at the time of the charter approval.
Normative Specifications
The Working Group will deliver the following W3C normative specification.
- Secure Payment Confirmation
Secure Payment Confirmation (SPC) is a Web API to support streamlined authentication during a payment transaction. It is designed to scale authentication across merchants, to be used within a wide range of authentication protocols, and to produce cryptographic evidence that the user has confirmed transaction details.
Draft state: Candidate Recommendation. The Working Group is enhancing support for a device-bound signal and seeking additional implementations.
Expected completion: Q4 2026
Latest publication: 2025-02-13
Exclusion Draft: https://www.w3.org/TR/2023/CR-secure-payment-confirmation-20230615/
Exclusion period began on 2023-06-15 and ended on 2023-08-14. Exclusion Draft Charter: Produced under Working Group Charter: https://www.w3.org/Payments/WG/charter-2022.html
The following specifications do not yet have sufficient cross-browser implementation experience to advance to Recommendation. However, the implementation in Chromium browsers enables experimentation and the Working Group intends to maintain them as Working Drafts. If the implementation landscape changes, the Working Group will revisit the question of advancement to Recommendation and re-charter as needed.
- Payment Method Manifest
This specification defines the machine-readable manifest file, known as a payment method manifest, describing how a payment method participates in the Web Payments ecosystem, and how such files are to be used.
Draft state: Working Draft
Expected completion: Q4 2026
Latest publication: 2017-12-12
Exclusion Draft: https://www.w3.org/TR/2017/WD-payment-method-manifest-20171212/
Exclusion period began on 2017-12-12 and ended on 2018-05-11. Exclusion Draft Charter: Produced under Working Group Charter: http://www.w3.org/Payments/WG/charter-201510.html
- Payment Handler API
The Payment Request API provides a standard way to initiate payment requests from Web pages and applications. User agents implementing that API prompt the user to select a way to handle the payment request, after which the user agent returns a payment response to the originating site. This specification defines capabilities that enable Web applications to handle payment requests.
Draft state: Working Draft
Expected completion: Q4 2026
Latest publication: 2023-01-25
Exclusion Draft: https://www.w3.org/TR/2017/WD-payment-handler-20170518/
Exclusion period began on 2017-05-18 and ended on 2017-10-15. Exclusion Draft Charter: Produced under Working Group Charter: http://www.w3.org/Payments/WG/charter-201510.html
- Payment Request API
This specification standardizes an API to allow merchants (i.e., web sites selling physical or digital goods) to utilize one or more payment methods with minimal integration. User agents (e.g., browsers) facilitate the payment flow between merchant and user.
Draft state: Candidate Recommendation. Note: Payment Request was first published as a Recommendation in 2022. The Candidate Recommendation adds back features that were removed in order for the document to advance to Recommendation, but that had already been implemented interoperably. The Working Group republished the features in CR form in order to resolve previous issues, at which point the group expects to advance the updated specification to Recommendation.
Expected completion: Q4 2026
Latest publication: 2024-09-09
Exclusion Draft: https://www.w3.org/TR/2024/CR-payment-request-20240806/
Exclusion period began on 2024-08-07 and ended on 2024-10-06. Exclusion Draft Charter: Produced under Working Group Charter: https://www.w3.org/Payments/WG/charter-2023.html
Payment Method Identifiers is a W3C Recommendation. The Working Group will maintain this specification.
Tentative Deliverables
Depending on the incubation progress, interest from multiple implementers, and the consensus of the Group participants, the Working Group may adopt the following ideas into a Rec-track specification:
- Facilitated Payment link type in HTML
Through the APIs published by this Working Group, merchants request payment and receive responses through Payment Request API. Users respond through payment apps (including Web-based payment apps via the Payment Handler API). The proposal envisions another way for users to respond via payment apps, but not through Payment Request API. Whereas Payment Request API is triggered by buttons in the merchant page, with this proposal the browser takes on the role of presenting candidate payment apps to the user. This approach has the advantage of not requiring merchants to change their checkout UX. Because there is no Payment Request "pipe" for the response, payment apps invoked through a facilitated payment link are expected to be limited to scenarios where the payment data is sent to a backend server rather than returned to the calling context.
Draft state: There is not yet a draft specification, only a proposal. Note that because this proposal involves a new link type in HTML, this Working Group would coordinate with the WHATWG.
- Digital credentials for payments
Some discussions have taken place regarding a payments profile within the digital credentials ecosystem. If the community seeks standardization of such a profile at W3C, such work would be in scope for this charter.
Other Deliverables
Other non-normative documents may be created such as:
- Use case and requirement documents;
- Test suite and implementation report for the specification;
- Documents to support web developers when designing applications.
Timeline
The timeline for advancing Secure Payment Confirmation beyond Candidate Recommendation depends on identifying a second implementation, and is not yet known.
Success Criteria
In order to advance beyond Candidate Recommendation, each normative specification is expected to have at least two independent interoperable implementations of every feature defined in the specification, where interoperability can be verified by passing open test suites.
There should be testing plans for each specification, starting from the earliest drafts. To promote interoperability, all changes made to specifications should have tests.
Each specification should contain separate sections detailing all known security and privacy implications for implementers, Web authors, and end users. A key security consideration is the ability to prove message integrity and authentication of all message originators. The Working Group will work with the organizations listed in the Coordination section of the charter to help ensure API security.
Protection of the privacy of all participants in a payment is important to maintaining the trust that payment systems are dependent upon to function. A payment process defined by this group should not disclose private details of the participants' identity or other sensitive information unless required for operational purposes, by legal or jurisdictional rules, or when deliberately consented to (e.g., as part of a loyalty program) by the owner of the information.
Each specification should contain a section on accessibility that describes the benefits and impacts, including ways specification features can be used to address them, and recommendations for maximizing accessibility in implementations.
This Working Group expects to follow the TAG Web Platform Design Principles.
Coordination
For all specifications, this Working Group will seek horizontal review for accessibility, internationalization, privacy, and security with the relevant Working and Interest Groups, and with the TAG. Invitation for review must be issued during each major standards-track document transition, including FPWD. The Working Group is encouraged to engage collaboratively with the horizontal review groups throughout development of each specification. The Working Group is advised to seek a review at least 3 months before first entering CR and is encouraged to proactively notify the horizontal review groups when major changes occur in a specification following a review.
Additional technical coordination with the following Groups will be made, per the W3C Process Document.
W3C Groups
- Web Authentication Working Group: for discussion of strong authentication.
- Web Payment Security Interest Group: for discussions about Web payment security and use cases.
- Federated Identity Working Group: for discussions about payments use cases coupled with identity (e.g., providing a credential related to an age or location requirement).
External Organizations
- EMVCo: EMVCo administers many specifications known collectively as EMV®, including specifications about network tokenization, 3-D Secure, and Secure Remote Commerce.
- FIDO Alliance: for discussions of strong authentication.
- OpenID Foundation: for discussions related to digital wallets for identity and payments.
- WHATWG: for discussion of a facilitated-payment link type in HTML.
Participation
To be successful, this Working Group is expected to have 10 or more active participants for its duration, including representatives from the key implementors of the group's specifications, and active Editors for each specification. The Chairs and specification Editors are expected to contribute half of a working day per week towards the Working Group. There is no minimum requirement for other Participants.
The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.
The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy.
Participants in the group are required (by the W3C Process) to follow the W3C Code of Conduct.
Communication
Technical discussions for this Working Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. The meetings themselves are not open to public participation, however.
Information about the group (e.g., deliverables, participants, face-to-face meetings, teleconferences, etc.) is available from the Web Payments Working Group home page.
This group primarily conducts its work on GitHub and the public mailing list public-payments-wg@w3.org (archive).
The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.
Decision Policy
This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 5.2.1, Consensus). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.
However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.
To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (e.g., email, GitHub issue or web-based survey), with an appropriate response period depending on the chair’s evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.
All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs.
This charter is written in accordance with the W3C Process Document (Section 5.2.3, Deciding by Vote) and includes no voting procedures beyond what the Process Document requires.
Patent Policy
This Working Group operates under the W3C Patent Policy (Version of 15 September 2020). To promote the widest adoption of Web standards, W3C seeks to issue Web specifications that can be implemented, according to this policy, on a Royalty-Free basis. For more information about disclosure obligations for this group, please see the licensing information.
Licensing
This Working Group will use the W3C Software and Document license for all its deliverables.
About this Charter
This charter has been created according to section 3.4 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
Charter History
The following table lists details of all changes from the initial charter, per the W3C Process Document (section 4.3, Advisory Committee Review of a Charter):
Charter Period | Start Date | End Date | Changes |
---|---|---|---|
2015 (Initial) Charter | 21 October 2015 | 31 December 2017 | N/A |
Charter Extension | 1 January 2018 | 1 March 2018 | None (Rechartering) |
2018 Charter | 9 March 2018 | 31 December 2019 | Deliverables under consideration since the previous charter are listed in section 1.2. |
2020 Charter | 19 December 2019 | 31 December 2021 | Deliverables under consideration since the previous charter are listed in section 1.2. |
2022 Charter | 8 November 2022 | 31 December 2024 | Added SPC. Completed version 1 of Payment Request and Payment Method Identifiers and moved them to maintenance mode. Reset expectations about Payment Handler and Payment Method Manifest timelines. Deprecated Basic Card Payment Method. Dropped SRC Payment Method. Use "this version" URLs for links to Payment Request API and Payment Method Identifiers Recommendations instead of GitHub URLs. |
2023 Charter | 2 August 2023 | 31 July 2025 | Restored text indicating user interface specifics are out of scope, updated milestones. Boilerplate text was updated to match the current charter template. |
2025 Charter | N/A | N/A | There are now complementary "tracks" within W3C related to payments on the Web: the "Payment Request ecosystem" created by this group and "the digital wallet ecosystem" which is a joint effort involving W3C, OIDF, IETF, and other SDOs. This charter has been revised to account for this evolution. |
Change log
Changes to this document are documented in this section.