[DRAFT] Web Payments Working Group Charter

The mission of the Web Payments Working Group is to make consumer retail payments easier and more secure on the Web.

Join the Web Payments Working Group.

Charter Status See the group status page and detailed change history.
Start date [dd monthname yyyy] (date of the "Call for Participation", when the charter is approved)
End date [dd monthname yyyy] (Start date + 2 years)
Chairs Gerhard Oosthuizen (Entersekt); Praveena Subrahmanyam (Airbnb); Nick Telford-Reed, Invited Expert
Team Contacts Ian Jacobs (FTE %: 40%)
Meeting Schedule Teleconferences: Every two weeks
Face-to-face: Typically 1 per year

Motivation and Background

A number of recent phenomena and changes to the Web payments ecosystem have shaped this version of the Web Payments Working Group charter, including:

Wallets

When this group was first chartered 10 years ago, W3C's vision was that digital wallets could simultaneously improve the usability, security, and privacy of payments on the Web. The Working Group developed and standardized APIs to streamline Web checkout by making it easier for users to interact with both Web-based and native "payment apps" (essentially digital wallets): Payment Method Identifiers, Payment Request API, Payment Handler API, and Payment Method Manifest. These APIs have seen modest adoption, but have not yet resulted in a diverse ecosystem of payment apps.

In recent years, however, the European Commission has renewed the community's interest in digital wallets as a result of European Digital Identity (EUDI) Regulation. This regulation has led to a "parallel track" for wallets on the Web via APIs incubated by several collaborating organizations, including W3C (e.g., the Digital Credentials API, Verifiable Credentials Data Model), the OpenID Foundation, the FIDO Alliance, the IETF, ISO, and others. This new push for digital wallets appears to be primarily aimed at supporting digital identity use cases (e.g., presentation of government issued credentials for authentication scenarios), but the project does extend to payments use cases (e.g., where someone wishes to present a proof of age credential alongside a payment credential). Although this new digital identity ecosystem is still in the early stages, there are encouraging signals of future interoperability across users agents such as shipping code and public expressions of intent to prototype.

Strong Authentication

Both tracks for bringing wallets to the Web include the ability of a site (such as a merchant Web site) to request credentials via the user agent, and the user consenting to return selected credentials to the site. Both tracks also involve strong authentication capabilities.

To address strong authentication needs (and reduce reliance on phishable SMS OTP), this Working Group has developed Secure Payment Confirmation, an API to improve the usability, security, and privacy of strong authentication for Web payments. This API depends today on valuable features enabled by Web Authentication and CTAP, including biometric authentication, cross-device support, and digital signature capabilities. While the Web Authentication has effectively evolved for login use cases (via synched passkeys), SPC has evolved simultaneously to meet payments ecosystem requirements not met through Web Authentication alone. In particular:

The community is thus pursuing two tracks in parallel related to credential exchange and authentication. This raises several questions:

Support for diverse payment systems

Beyond the work on digital wallets coming out of the European Commision push, the Working Group recognizes that there are large ecosystems of payment systems, particularly outside of North America and Europe, that are not being served by its current set of APIs. For example, some payment systems rely on 'push' payment from the payment system to a merchant with minimal integration required from the merchant (including no JavaScript). These payment systems may also have different requirements for fraud protection, both due to technical differences in the payment system as well as fraud realities on the ground. Although the Working Group periodically discusses these other payment systems, the users of these payment systems, and the merchants and payment organizations involved in these ecosystems, should be better supported by user agents and this Working Group.

These are the topics and questions that we intend to discuss in this iteration of the Working Group's charter.

Scope

The Working Group seeks to develop technologies that can be used with a wide variety of payment methods, including card payments, credit transfers, open banking architectures, proprietary payment methods, and mobile wallets. See the section on Coordination for a list of Working Group relationships that inform discussions.

Out of Scope

The following features are out of scope, and will not be addressed by this Working Group.

  • User interface specifics are out of scope; this Working Group is chartered to Recommend programming interfaces, not user interface specifics. However, it is in scope for the Working Group to discuss user experience, for example as part of understanding user journeys during a checkout experience.
  • How digital payment schemes register and communicate with payment instruments. Here, a "digital payment scheme" is a set of rules for the execution of payment transactions that are followed by adhering entities (payment service providers, processors, issuers, acquirers, payers and payees). A payment instrument is an account, token, or other means of fulfilling the payment provider’s role in a digital payment scheme. Some digital payment schemes make internal use of payment instruments from other payment schemes.

Deliverables

Updated document status is available on the group publication status page.

Draft state indicates the state of the deliverable at the time of the charter approval.

Normative Specifications

The Working Group will deliver the following W3C normative specification.

Secure Payment Confirmation

Secure Payment Confirmation (SPC) is a Web API to support streamlined authentication during a payment transaction. It is designed to scale authentication across merchants, to be used within a wide range of authentication protocols, and to produce cryptographic evidence that the user has confirmed transaction details.

Draft state: Candidate Recommendation. The Working Group is enhancing support for a device-bound signal and seeking additional implementations.

Expected completion: Q4 2026

Latest publication: 2025-02-13

Exclusion Draft: https://www.w3.org/TR/2023/CR-secure-payment-confirmation-20230615/
Exclusion period began on 2023-06-15 and ended on 2023-08-14.

Exclusion Draft Charter: Produced under Working Group Charter: https://www.w3.org/Payments/WG/charter-2022.html

The following specifications do not yet have sufficient cross-browser implementation experience to advance to Recommendation. However, the implementation in Chromium browsers enables experimentation and the Working Group intends to maintain them as Working Drafts. If the implementation landscape changes, the Working Group will revisit the question of advancement to Recommendation and re-charter as needed.

Payment Method Manifest

This specification defines the machine-readable manifest file, known as a payment method manifest, describing how a payment method participates in the Web Payments ecosystem, and how such files are to be used.

Draft state: Working Draft

Expected completion: Q4 2026

Latest publication: 2017-12-12

Exclusion Draft: https://www.w3.org/TR/2017/WD-payment-method-manifest-20171212/
Exclusion period began on 2017-12-12 and ended on 2018-05-11.

Exclusion Draft Charter: Produced under Working Group Charter: http://www.w3.org/Payments/WG/charter-201510.html

Payment Handler API

The Payment Request API provides a standard way to initiate payment requests from Web pages and applications. User agents implementing that API prompt the user to select a way to handle the payment request, after which the user agent returns a payment response to the originating site. This specification defines capabilities that enable Web applications to handle payment requests.

Draft state: Working Draft

Expected completion: Q4 2026

Latest publication: 2023-01-25

Exclusion Draft: https://www.w3.org/TR/2017/WD-payment-handler-20170518/
Exclusion period began on 2017-05-18 and ended on 2017-10-15.

Exclusion Draft Charter: Produced under Working Group Charter: http://www.w3.org/Payments/WG/charter-201510.html

Payment Request API

This specification standardizes an API to allow merchants (i.e. web sites selling physical or digital goods) to utilize one or more payment methods with minimal integration. User agents (e.g., browsers) facilitate the payment flow between merchant and user.

Draft state: Candidate Recommendation. Note: Payment Request was first published as a Recommendation in 2022. The Candidate Recommendation adds back features that were removed in order for the document to advance to Recommendation, but that had already been implemented inteorperably. The Working Group republished the features in CR form in order to resolve previous issues, at which point the group expects to advance the updated specification to Recommendation.

Expected completion: Q4 2026

Latest publication: 2024-09-09

Exclusion Draft: https://www.w3.org/TR/2024/CR-payment-request-20240806/
Exclusion period began on 2024-08-07 and ended on 2024-10-06.

Exclusion Draft Charter: Produced under Working Group Charter: https://www.w3.org/Payments/WG/charter-2023.html

Payment Method Identifiers is a W3C Recommendation. The Working Group will maintain this specification.

Tentative Deliverables

Depending on the incubation progress, interest from multiple implementers, and the consensus of the Group participants, the Working Group may adopt the following ideas into a Rec-track specification:

Facilitated Payment link type in HTML

Through the APIs published by this Working Group, merchants request payment and receive responses through Payment Request API. Users respond through payment apps (including Web-based payment apps via the Payment Handler API). The proposal envisions another way for users to respond via payment apps, but not through Payment Request API. Whereas Payment Request API is triggered by buttons in the merchant page, with this proposal the browser takes on the role of presenting candidate payment apps to the user. This approach has the advantage of not requiring merchants to change their checkout UX. Because there is no Payment Request "pipe" for the response, payment apps invoked through a facilitated payment link are expected to be limited to scenarios where the payment data is sent to a backend server rather than returned to the calling context.

Draft state: There is not yet a draft specification, only a proposal. Note that because this proposal involves a new link type in HTML, this Working Group would coordinate with the WHATWG.

Digital credentials for payments
Some discussions have taken place regarding a payments profile within the digital credentials ecosystem. If the community seeks standardization of such a profile at W3C, such work would be in scope for this charter.

Other Deliverables

Other non-normative documents may be created such as:

  • Use case and requirement documents;
  • Test suite and implementation report for the specification;
  • Documents to support web developers when designing applications.

Timeline

The timeline for advancing Secure Payment Confirmation beyond Candidate Recommendation depends on identifying a second implementation, and is not yet known.

Success Criteria

In order to advance beyond Candidate Recommendation, each normative specification is expected to have at least two independent interoperable implementations of every feature defined in the specification, where interoperability can be verified by passing open test suites.

There should be testing plans for each specification, starting from the earliest drafts. To promote interoperability, all changes made to specifications should have tests.

Each specification should contain separate sections detailing all known security and privacy implications for implementers, Web authors, and end users. A key security consideration is the ability to prove message integrity and authentication of all message originators. The Working Group will work with the organizations listed in the Coordination section of the charter to help ensure API security.

Protection of the privacy of all participants in a payment is important to maintaining the trust that payment systems are dependent upon to function. A payment process defined by this group should not disclose private details of the participants' identity or other sensitive information unless required for operational purposes, by legal or jurisdictional rules, or when deliberately consented to (e.g., as part of a loyalty program) by the owner of the information.

Each specification should contain a section on accessibility that describes the benefits and impacts, including ways specification features can be used to address them, and recommendations for maximizing accessibility in implementations.

This Working Group expects to follow the TAG Web Platform Design Principles.

Coordination

For all specifications, this Working Group will seek horizontal review for accessibility, internationalization, privacy, and security with the relevant Working and Interest Groups, and with the TAG. Invitation for review must be issued during each major standards-track document transition, including FPWD. The Working Group is encouraged to engage collaboratively with the horizontal review groups throughout development of each specification. The Working Group is advised to seek a review at least 3 months before first entering CR and is encouraged to proactively notify the horizontal review groups when major changes occur in a specification following a review.

Additional technical coordination with the following Groups will be made, per the W3C Process Document.

W3C Groups

Web Authentication Working Group
For discussion of strong authentication.
Web Payment Security Interest Group
For discussions about Web payment security and use cases.
Federated Identity Working Group
For discussions about payments use cases coupled with identity (e.g., providing a credential related to an age or location requirement).

External Organizations

EMVCo
EMVCo administers many specifications known collectively as EMV®, including specifications about network tokenization, 3-D Secure, and Secure Remote Commerce.
FIDO Alliance
For discussions of strong authentication.
OpenID Foundation
For discussions related to digital wallets for identity and payments.
WHATWG
For discussion of a facilitated-payment link type in HTML.

Participation

To be successful, this Working Group is expected to have 10 or more active participants for its duration, including representatives from the key implementors of the group's specifications, and active Editors for each specification. The Chairs and specification Editors are expected to contribute half of a working day per week towards the Working Group. There is no minimum requirement for other Participants.

The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.

The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy.

Participants in the group are required (by the W3C Process) to follow the W3C Code of Conduct.

Communication

Technical discussions for this Working Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. The meetings themselves are not open to public participation, however.

Information about the group (e.g., deliverables, participants, face-to-face meetings, teleconferences, etc.) is available from the Web Payments Working Group home page.

This group primarily conducts its work on GitHub and the public mailing list public-payments-wg@w3.org (archive).

The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.

Decision Policy

This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 5.2.1, Consensus). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.

However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.

To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (e.g., email, GitHub issue or web-based survey), with an appropriate response period depending on the chair’s evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.

All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs.

This charter is written in accordance with the W3C Process Document (Section 5.2.3, Deciding by Vote) and includes no voting procedures beyond what the Process Document requires.

Patent Policy

This Working Group operates under the W3C Patent Policy (Version of 15 September 2020). To promote the widest adoption of Web standards, W3C seeks to issue Web specifications that can be implemented, according to this policy, on a Royalty-Free basis. For more information about disclosure obligations for this group, please see the licensing information.

Licensing

This Working Group will use the W3C Software and Document license for all its deliverables.

About this Charter

This charter has been created according to section 3.4 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.

Charter History

The following table lists details of all changes from the initial charter, per the W3C Process Document (section 4.3, Advisory Committee Review of a Charter):

Charter Period Start Date End Date Changes
2015 (Initial) Charter 21 October 2015 31 December 2017 N/A
Charter Extension 1 January 2018 1 March 2018 None (Rechartering)
2018 Charter 9 March 2018 31 December 2019 Deliverables under consideration since the previous charter are listed in section 1.2.
2020 Charter 19 December 2019 31 December 2021 Deliverables under consideration since the previous charter are listed in section 1.2.
2022 Charter 8 November 2022 31 December 2024 Added SPC. Completed version 1 of Payment Request and Payment Method Identifiers and moved them to maintenance mode. Reset expectations about Payment Handler and Payment Method Manifest timelines. Deprecated Basic Card Payment Method. Dropped SRC Payment Method. Use "this version" URLs for links to Payment Request API and Payment Method Identifiers Recommendations instead of GitHub URLs.
2023 Charter 2 August 2023 31 July 2025 Restored text indicating user interface specifics are out of scope, updated milestones. Boilerplate text was updated to match the current charter template.
2025 Charter N/A N/A There are now complementary "tracks" within W3C related to payments on the Web: the "Payment Request ecosystem" created by this group and "the digital wallet ecosystem" which is a joint effort involving W3C, OIDF, IETF, and other SDOs. This charter has been revised to account for this evolution.

Change log

Changes to this document are documented in this section.