Read the 3-D Secure 2 with Payment Request API specification.
w3c / 3ds Goto Github PK
View Code? Open in Web Editor NEWLicense: Other
License: Other
Read the 3-D Secure 2 with Payment Request API specification.
Here's an outline of my thoughts after reviewing the draft spec. I'll close this issue after we discuss these at today's meeting.
Request data
- requestLevel cases
separate into two things: is 3ds required? is challenge required/not allowed/don't care?
merchant likely doesn't know which until address entered
references to "step up" should be changed to "challenge flow", which is the official 3DS spec term
- handler for 3DS will need to receive or collect shipping address for physical goods
merchant needs a way to mark whether shipping is needed or not
merchant needs events to listen on shipping changes and possibly change 3DS config
where do we specify "stuff the 3DS module requires of its host payment method?"
- handler will need to gather email and
- payee data
order number, merchant id, acquirer id, acquirer merchant id, merchant name,
opt in to encrypted or tokenized card number
Response data
- cases of ThreeDSResponse
(See Cardinal's 3DS2 result test cases at https://cardinaldocs.atlassian.net/wiki/spaces/CCen/pages/412712961/3DS+2.0+Test+Cases)
if we add a requestLevel=never3DS, then returned data shape is different
is the shape of returned data then specified by the host payment method?
if there's an error during 3ds, or ACS is unavailable or times out
if 3ds required, handler should prompt for another form of payment
if 3ds not required, handler maybe falls back to returnign card/token without performing 3ds.
there are lots of case intersections, for example:
if 3ds is required but merchant specifies frictionless, what do we do if frictionless denied?
give up and ask for another payment method from the customer?
try 3ds again and allow a challenge?
Privacy/data gathering
- points in the spec still stand: we don't know what to do here, probably need browsers to make a suggestion
- how we will load method_url, or get around the need to, is the biggest question for this spec
Footnote
- Should 3DS reference point to a specific version of the spec rather than a landing page that will point to the latest 3DS-related specs and change over time?
Hi all,
Based on discussion at the Singapore face-to-face meeting, @marcoscaceres articulated some wishes to get a better picture of how to connect 3DS with payment request. With his permission, I copy his notes here for discussion.
======
From @marcoscaceres:
Following up from the w3c face to face meeting, basically what we need is either test HTTP endpoints or JSON responses for (apologies, I don't know the precise terminology for these - or if I'm missing
steps):
The example in the spec has a requestLevel
field in the data
object within the Payment Request methodData
. Can this field be "mixed in" with any arbitrary payment method (basic-card, tokenized-card, SEPA, Interledger, etc.)?
What if the merchant or network wants to require a 3DS flow for some payment methods (say, basic-card) but not others (say, SEPA)?
And is requestLevel
too generic (i.e., would something like authRequestLevel
or 3DSRequestLevel
be clearer)?
3DS supports no-friction flows and merchants may even accept a liability shift in order to have zero friction flows. Risk engines today fingerprint the browser and determine whether a frictionless flow suffices. Changes in browsers are (by design) going to make the fingerprinting more difficult.
WebAuthn supports low-friction, but not no-friction flows.
What browser capabilities could support no-friction flows without adding to the fingerprinting surface?
See some previous discussion about browser-generated IDs:
https://www.w3.org/2019/Talks/ij_risk_20190808/index.html?full#10
[This is a super rough draft! Comments/revisions/rewrites very welcome.]
The goal of this task force is to create browser standards that allow the authentication of online credit card payments.
At the 27 June 3DS task force call, we briefly discussed the idea of explicitly mentioning user agent support for a user preference for strong authentication, which presumably would mean less data exposure and thus useful for those with strong privacy preferences.
@stpeter suggested we gather more information about the range of user preferences before specifying a feature (e.g., it may not be useful to have a simple on/off switch).
In regards to the draft spec's requestLevel
member, I would recommend:
requestLevel
in response to payment sheet events like shipping address changes.CB schema (Carte Bancaire in France) latest communication identify following specificities:
Should be interesting to identify specificities for other schemas.
I'm posting some flow diagrams and rough thoughts here so that they can be seen publicly during tomorrow's call. These diagrams leave out a lot of detail and are incorrect in some details. But I'm trying to make a few points about how, even at a very coarse level of detail, there are some conflicts between them that we need to work out before starting to think of a strategy for moving forward.
Also note that these thoughts so far seem pretty negative, since they mostly point out challenges rather than solutions. But I'm actually super excited to try to find solutions: I just want to point out the challenges so we can start tackling them right away.
So what can the WPWG do to make 3DS compliance easier on merchants while requiring only a reasonable level of browser involvement? I see a couple directions but also problems with each of them:
At yesterday's 3DS task force call [1], it was suggested that if a browser or third party payment handler initiates 3DS flows, it may be necessary to include additional data (above and beyond token data, for example) in the response, namely: 3DS crypto and XID data.
This issue is a place-holder for that discussion.
Ian
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.