Secure Payment Confirmation on Chrome Android

Stephen McGruer

Overview

Secure Payment Confirmation (SPC) is a proposed web standard that allows customers to authenticate with a credit card issuer, bank, or other payment service provider using a platform authenticator—typically activated with a device's screen unlock feature such as a fingerprint sensor. This usually happens during a payments authentication protocol such as EMV 3-D Secure or Open Banking. EMV 3-D Secure, for example, has support for SPC in its v2.3 spec release. We previously announced that SPC was launched for Google Chrome on macOS and Windows and provided developer guides for both registration and authentication.

As of M109 (currently on the Beta channel), SPC will also be available on Google Chrome on Android. Users will be able to use their device's screen lock to complete the payment verification process on merchant sites that use SPC.

A user is paying on Chrome using the Secure Payment Confirmation.

If you are interested in experimenting with SPC, feel free to try it out on our demo website, or ask your Payment Service Provider if they plan to support it for authenticating user payments.

Strong authentication for payments

Authentication plays an important role in payment fraud prevention. However, payment authentication today often uses either weak (for example, CVC code) or frictionful (for example, SMS OTP) verification methods. These authentication methods can either leave users vulnerable to fraud, or cause cart abandonment due to friction.

SPC builds on top of Web Authentication (WebAuthn) to bring strong authentication to payment transactions, using platform authenticators that are built into users' devices. The authenticating party (known as the relying party in WebAuthn), such as the issuing bank or a payment service provider, registers the user in a one-time process either on their website or during a traditionally-authenticated transaction. They may then use the registration to authenticate the user in subsequent payment flows.

As long as the relying party is the same (for example, the same issuing bank), the user should be able to use one registration for all future payments with that relying party across any merchant that integrates SPC.

API changes

Developers can follow the existing implementation guide written for desktop integration to learn how the API works.

navigator.credentials.create({
  publicKey: {
    ...,
    authenticatorSelection: {
      residentKey: 'preferred',
      ...,
    },
    extensions: {
      payment: {
        isPayment: true,
      }
    },
  }
});

The payment property indicates that this is an SPC credential. See the previous registration guide to learn how to use it.

Currently this code creates non-discoverable credentials which work for SPC. Once discoverable credentials are supported by SPC for Google Chrome on Android, this code will automatically switch to creating discoverable credentials instead.
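As an added example (not code from the original post or from Chrome), here is a complete registration call built around the snippet above, with the feature check and the response encoding the relying party's server needs. The server JSON shape, the helper names and the fallback behaviour are assumptions for illustration.

```javascript
// Added example (not Chrome's own code): build an SPC registration call from a
// server-supplied challenge. The server JSON shape is an assumption.

// base64url <-> bytes helpers (WebAuthn carries binary fields this way over JSON)
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - s.length % 4) % 4);
  return Uint8Array.from(atob(b64), c => c.charCodeAt(0));
}
function bytesToBase64url(bytes) {
  return btoa(String.fromCharCode(...new Uint8Array(bytes)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Turn the relying party's JSON (assumed shape) into the options object for
// navigator.credentials.create(), carrying the SPC-specific `payment` extension.
function buildSpcCreationOptions(serverJson) {
  return {
    publicKey: {
      challenge: base64urlToBytes(serverJson.challenge),   // fresh, server-generated
      rp: { id: serverJson.rpId, name: serverJson.rpName },
      user: {
        id: base64urlToBytes(serverJson.userId),
        name: serverJson.userName,
        displayName: serverJson.userDisplayName,
      },
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
      authenticatorSelection: {
        authenticatorAttachment: 'platform',  // SPC uses the device's built-in authenticator
        residentKey: 'preferred',             // discoverable where supported, as in the post
        userVerification: 'required',         // screen lock / biometric must verify the user
      },
      extensions: { payment: { isPayment: true } },  // marks this as an SPC credential
    },
  };
}

// Browser-side registration; returns the fields the server verifies and stores.
async function registerSpcCredential(serverJson) {
  if (typeof PublicKeyCredential === 'undefined' ||
      !(await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable())) {
    throw new Error('No user-verifying platform authenticator; use another verification method');
  }
  const cred = await navigator.credentials.create(buildSpcCreationOptions(serverJson));
  return {
    id: bytesToBase64url(cred.rawId),
    clientDataJSON: bytesToBase64url(cred.response.clientDataJSON),
    attestationObject: bytesToBase64url(cred.response.attestationObject),
  };
}
```

The server must check the returned clientDataJSON challenge against the one it issued and verify the attestation before associating the credential with the user's account.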

Resources

Learn how to implement Secure Payment Confirmation
