The Basic Card Payment specification describes the data formats used by the PaymentRequest API [[!PAYMENT-REQUEST-API]] to support payment by payment cards such as credit or debit cards.

The working group maintains a list of all bug reports that the group has not yet addressed. Pull requests with proposed specification text for outstanding issues are strongly encouraged.

This specification was derived from a report published previously by the Web Platform Incubator Community Group.

Sending comments on this document

If you wish to make comments regarding this document, please raise them as GitHub issues. Only send comments by email if you are unable to raise issues on GitHub (see links below). All comments are welcome.

Introduction

This specification is a Payment Method specification for use with the PaymentRequest API [[!PAYMENT-REQUEST-API]]. With it, merchants can collect the basic card details (card holder name, card number, etc.) through the PaymentRequest API that they have traditionally collected through Web forms, but with an improved user experience.

The Web Payments Working Group is also investigating payment methods that offer greater security (e.g., through tokenization).

Dependencies

This specification relies on several other underlying specifications.

Payment Request API
The terms PaymentRequest constructor, and PaymentAddress are defined by the PaymentRequest API specification [[!PAYMENT-REQUEST-API]].
Payment Method Identifiers
The term Payment Method Identifier is defined by the Payment Method Identifiers specification [[!METHOD-IDENTIFIERS]].
Web IDL
The IDL in this specification is defined by Web IDL [[!WEBIDL]].

Payment Method Identifier

The payment method identifier string for the Basic Card Payment method is basic-card.

Payment Method Specific Data for the PaymentRequest constructor

This section describes payment method specific data that is supplied as part of the data argument to the PaymentRequest constructor.

BasicCardRequest

        enum BasicCardType { "credit", "debit", "prepaid" };

        dictionary BasicCardRequest {
          sequence<DOMString> supportedNetworks;
          sequence<BasicCardType> supportedTypes;
        };
      

The BasicCardRequest dictionary contains the following fields:

supportedNetworks
The supportedNetworks field contains a sequence of identifiers for card networks that the merchant accepts.
supportedTypes
The supportedTypes field contains a sequence of card types that the merchant accepts. Implementations will determine how to match the type values credit, debit, and prepaid.

The supportedNetworks and supportedTypes fields are both optional. If neither is provided then any card may be returned. If only supportedNetworks is provided then any card type may be returned provided it matches one of the networks. If only supportedTypes is provided then a card may be returned from any network provided it matches one of the types.

Payment Method Response

The BasicCardResponse dictionary contains the response from the PaymentRequest API when a user accepts payment with a Basic Payment Card payment method.

BasicCardResponse

        dictionary BasicCardResponse {
          DOMString cardholderName;
          required DOMString cardNumber;
          DOMString expiryMonth;
          DOMString expiryYear;
		  DOMString cardSecurityCode;
		  
          PaymentAddress? billingAddress;
        };
      

The BasicCardResponse dictionary contains the following fields:

cardholderName
The cardholderName field contains the cardholder's name as it appears on the card.
cardNumber
The cardNumber field contains the primary account number (PAN) for the payment card.
expiryMonth
The expiryMonth field contains a two-digit string for the expiry month of the card in the range 01 to 12.
expiryYear
The expiryYear field contains a four-digit string for the expiry year of the card in the range 0000 to 9999.
cardSecurityCode
The cardSecurityCode field contains a three or four digit string for the security code of the card (sometimes known as the CVV, CVC, CVN, CVE or CID).

Security and Privacy Considerations

Owners of web sites SHOULD NOT store the payer's card information except where warranted, such as storage for future and recurring payments. When card information is stored, web site owners SHOULD take measures to prevent its disclosure.

Note: Implementers may be subject to PCI DSS or other regulations, but discussion of those considerations lies outside the scope of this document.