General Considerations

• This specification builds on PaymentRequest API.
• It defines mechanisms that may be used to support both Web-based and native payment apps. However, we anticipate that the ecosystem will also include proprietary approaches to some of the functionality defined here (e.g., for payment app registration or invocation).

Decoupling and Trust

• A goal of this system is to decouple the payment methods used to pay from the software (payment apps) that implement those payment methods. By decoupling, merchants (and their payment service providers) can lower the cost of creating a checkout experience, users can have more choice in the software they use to pay, and payment app providers can innovate without imposing an integration burden on merchants.
• Users may choose to use "open" or "proprietary" payment methods, so the payment app ecosystem must support both. Users must be able to register payment apps of their choosing. We expect the user to have greater choice of third party payment apps for open payment methods than for proprietary payment methods. Examples of open payment methods include card payment and SEPA credit transfer.
• For privacy, the design should limit information about the user's environment available to merchant without user consent. That includes which payment apps the user has registered. For open payment methods, the merchant should not receive information about which payment app the user selected to pay unless the user consents to share that information. See issue 224 for discussion about how merchant may track progress of a push payment.
• Although decoupling relieves merchants of implementing some aspects of the checkout experience, one consequence is that they give up some degree of control. This was already the case for proprietary payment methods, but for open payment methods such as cards, merchants (or their PSPs) will be entrusting some portion of data collection to third party payment apps.
• The design therefore includes support for merchants to recommend payment apps and suggest the ordering of payment methods. The design should endeavor not to constrain how user agents make use of this information, only provide guidance to user agent makers about taking into account both merchant and user preferences.
• Here are preferences the system might support:
  • Accepted payment methods (payment methods the merchant accepts, and no others may be used; part of payment request API)
  • Preferred payment methods (payee-specified order part of payment request API)
  • Recommended payment apps (payment apps the merchant prefers, but others may be used)
• The user agent can use this information in conjunction with user preferences to:
  • Filter payment apps (to matching payment methods)
  • Order payment apps (according to merchant specified order)
  • Display recommended payment apps (according to merchant recommended payment app order)

Registration and Unregistration

• Registration provides a way for user agents to remain aware of the user's payment apps across transactions.
• Registration is not a prerequisite for using a payment app. In particular, a user should be able to pay with a payee-recommended payment app that the user has not yet registered. Note: this implies that payment apps (at least in some cases) should be designed to process requests without assuming prior registration. There may also be security implications (since we expect to rely on origin information as a security mechanism at registration).
• When registration is desired it might happen in a variety of ways:
  • This working group will define an API available for all types of payment apps.
  • Native apps and user agents may have platform-specific ways to achieve the same (or similar) result.
• We expect registrations to happen at various times (e.g., outside and inside of checkout), and with differing levels of user consent to modify their configuration within the user agent. In general, explicit consent should not be required while the user is within the context of the payment request UI. Here are some examples:
  • When the merchant recommends a payment app and the user selects it, registration can happen in that moment without additional user action or consent. See notes from Rouslan on registration upon selection of recommended payment app.
  • When browser recommends a payment app and the user selects it, registration can happen in that moment without additional user action or consent.
  • When the user installs native payment app, registration could happen either through platform-specific mechanisms (or through this standard API) without additional user action beyond installation.
  • Users visiting a Web site (e.g., merchant or bank) may wish to explicitly register payment apps, which would require explicit consent from the user. See notes from Rouslan on gating registration on user activation.
• During registration as defined in this specification, information about enabled payment methods and display display details of the payment app is provided to the user agent. The user agent stores this information for subsequent actions (e.g., when matching payee-accepted payment methods). In this proposal, there are no requirements for a payment app to be able to respond to user agent queries for updated registration information. In this proposal, payment apps update the information that a user agent has stored about them by re-calling the registration API. (See issue 36.)
• We expect user agents to distinguish themselves in how they balance different ease of registration and security.
• It is important for merchants and users to be able to trust the authenticity of payment apps. A starting point is to rely on origin information (e.g., if a payment app is registered on a Web site). In contexts where origin binding is not available (e.g., native payment apps) other mechanisms should be considered to help establish authenticity (e.g., origin-bound confirmation of a digital signature of a native payment app).

Payment App Identification

• For recommended payment apps we will need payment app identifiers (PAIs). See discussion around issue 35.
• A PAI should include origin information. This origin information may be used in a variety of ways:
  • The origin information could enable user agents to provide the user with useful services when the user is browsing a site with the same origin (e.g., putting that payment app at the top of a list or otherwise highlighted).
  • For a "proprietary" payment method with an associated origin, the user agent can do some (security) checks by comparing the origin of the payment method and the payment app.
• A PAI should allow for granularity (e.g., payment app versioning) in the form of constrained URLs that includes only the origin and a case-sensitive path without trailing slash .

Payment App Matching

• When the user invokes the Payment Request API (e.g., by "pushing the Buy button"), the user agent computes the intersection between payee-accepted payment methods and user-registered payment methods. It does this by comparing Payment Request API data (from the payee) and data provided during registration, invoking the comparison algorithm defined in [[!METHOD-IDENTIFIERS]]. The result is a list of matching payment options and recommended payment apps.
• Using information provided during registration (e.g., an app name or icon),the user agent displays matching payment options for selection by the user. The user agent may also display payee-recommended and user-agent-recommended payment apps, which are displayed distinctly for the user. This mechanism is intended to support use cases such as a merchant recommending their own payment app to the user, or a payment app that they trust for a proprietary payment method.

  The user agent may offer features to facilitate selection (e.g., launch a chosen payment app or option every time the user wants to pay at a given Web site); those features lie outside the scope of this specification.

• The user selects a payment option to make a payment. The user may also select a recommended payment app.

User Experience

• The system should minimize user interaction for payment app registration, payment app selection, and payment credentials selection. Ideas include:
  • When only one payment app matches, the user agent does not require user selection to launch it.
  • The user agent displays payment options for direct selection by the user, avoiding the need for the user to make a second selection within the payment app context. The payment app provides the user agent with sufficient information to display payment options. It is still possible to launch the payment app upon selection of a payment option, and in some cases the payment app may return a response without further user interaction, depending on the nature of the payment method.
• It is likely that this specification will include guidance rather than requirements about specific user experience optimizations.

Payment App Invocation and Response

• Based on information provided at registration, the user agent "launches" the payment app and provides it with input data drawn from the Payment Request API. See issue 24 for information about launching the payment app in a secure context.
• The user may interact with the payment app in a variety of ways to authorize payment, cancel the transaction, or carry out other activities supported by the payment app. This specification does not address payment app behavior other than accepting requests and returning responses to the user agent.
• This specification defines a means for the user agent to receive a response asynchronously once the user has authorized payment. The response becomes the response of the Payment Request API.

Network Considerations

• This specification only describes communication between the user agent and the payment app. This includes an asynchronous mechanism for a payment app to return a payment response to the user agent. This specification does not (yet) address scenarios where the user agent does not receive the response (e.g., due to a crash or network outage). Network failure may be especially problematic in the case of a push payment; see issue 224, and so the Working Group is considering whether the specification should include a standard way to learn how to query a component for payment state information. For example, many systems use backchannel communications, so one idea is for the payee to provide a callback URL. This would allow (but not require) the payment app to communicate with the payee server until such time as all parties are satisfied they share the same view of the payment response. An alternative would be to provide the payment app and the user agent a channel so that communication continues until all parties are satisfied they share the same view of the payment response. This might involve caching payment responses.
• This specification does not address communication between the payee server and the payee Web app, or between the payment app and other parties (e.g., the payment app distributor, or directly to the merchant).

Payment App Implementation Technology

user agent-based payment app

a payment app that runs in a user agent. User agent-based payment apps may elect to display a user interface, or to operate without any user interaction. This decision is made at runtime, and may vary based on criteria of the app's choosing (such as how long it has been since the user last authenticated themselves).

native payment app

a payment app built with the operating system default technology stack that uses non-Web technologies.

ignored payment app

Need a definition for ignored payment app

payment app identifier

A unique identifier for a payment app (e.g., from a payment method manifest file). This specification defines these identifiers as to be service worker scope URLs. As such, they are not expected to be dereferenced.

payment app window

A service worker WindowClient used by user agent-based payment apps to interact with the user when doing so is necessary to complete the payment transaction.

The Web Payments Working Group intends for this specification to apply to any payment app that may be invoked by the user agent, whatever technologies have been used to implement the payment app.

Payment App Registration States

registered payment app

a payment app that is "known" to the user agent for the purposes of the interactions described in this document.

This specification defines a registration mechanism. Other registration mechanisms might co-exist with this one (e.g., on some platforms there may be a way to register a payment app directly with the operating system).

unregistered payment app

a payment app that is not known to the user agent, either because it has never been registered, or because it has been unregistered.

enabled payment app

A registered payment app with at least one enabled payment method.

Payment App Selection States

matching payment app

An enabled payment app that:

• has at least one enabled payment method that the payee accepts.
• is not an ignored payment app.

recommended payment app

a payment app suggested by the payee that may be used to handle a specific payment request.

The Working Group has not yet agreed that the system should support recommended payment apps. Inclusion might involve small changes to payment request API. The group has also discussed the idea of user agent-recommended payment apps, for example, when the user agent is aware of an app for a proprietary payment method.

displayed payment app

A matching payment app or recommended payment app with at least one selectable payment option (i.e. presented by the user agent for user selection).

selected payment app

the payment app whose option has been selected by the user to make a payment, but not yet invoked.

invoked payment app

the selected payment app that the user agent has invoked (executed) and passed payment app input data.

Payment Options

We need a clearer introduction to the concept of a payment option, and how it relates to payment apps.

available payment option

a payment option from a registered payment app available for selection, corresponding to at least one enabled payment method.

matching payment option

an available payment option that has at least one enabled payment method accepted by the payee, or a recommended payment app with at least one supported payment method accepted by the payee.

selectable payment option

a matching payment option for which information has been displayed by the user agent to facilitate user selection, but that has not yet been selected. Note: Information about selectable payment apps may be displayed in a variety of modalities, including visual and aural.

selected payment option

the payment option selected by the user to handle the payment request.

Payment Method Support

supported payment method

a payment method that a payment app has been designed to support. This payment method may or may not currently be enabled. A payment app MAY support more than one payment method.

unsupported payment method

a payment method that cannot be enabled by a payment app. Updates to a payment app may cause an unsupported payment method to become supported, or vice-versa.

enabled payment method

a supported payment method that a registered payment app is able to handle. The payment app must have at least one available payment option with the corresponding enabled payment method.

The difference between supported and enabled payment methods is one of design-time vs runtime consideration. A payment app supports all the payment methods it was designed to support; however at runtime only a subset may be enabled due to configuration or other runtime requirements that may not have been met for all supported payment methods.

Payment App Invocation and Response Data

payment app request data

data provided to the invoked payment app by the user agent to initiate a payment request. This data is a subset of data input to the Payment Request API.

The data passed between the user agent and the payment app will be serialized as JSON data.

payment app response data

data returned by an invoked payment app to the user agent, typically after payment authorization or other action taken through the payment app. This data, which will vary according to payment method, is then returned to the payee via the Payment Request API as part of the payment response.

Extensions to the ServiceWorkerRegistration interface

The Service Worker specification defines a ServiceWorkerRegistration interface [[!SERVICE-WORKERS]], which this specification extends.

        partial interface ServiceWorkerRegistration {
          readonly attribute PaymentAppManager paymentAppManager;
        };
      

PaymentAppManager interface

      interface PaymentAppManager {
        Promise<void> setManifest(PaymentAppManifest manifest);
        Promise<PaymentAppManifest> getManifest ();
      };
      

PaymentAppManifest interface

      dictionary PaymentAppManifest {
        DOMString label;
        DOMString? icon;
        sequence<PaymentAppOption> options;
      };
      

label member

The label member is a string that represents the label for this payment app as it is usually displayed to the user.

icon member

The iconmember defines an icon for this payment app as it is usually displayed to the user.

Need to define how an icon would be represented in this data. Url? Data URL? Size options? Web App Manifest may be used for inspiration.

options member

The options member lists the payment method identifiers of the payment methods enabled by this option.

Options are an extra layer of abstraction, because they allow flattening of payment apps. The flattening may result in unique UX challenges. For example, if two payment apps both have "Visa ending in ***4756" payment option, then users may be confused when they see two such labels in UI. One solution is to prepend the payment app name, e.g., "ExampleApp Visa ending in ***4756". However, when only one app is installed, the text "ExampleApp" is redundant.

It may be simpler for implementers to remove payment options from this spec. A medium level of complexity is to specify payment options, but give user agents choice of whether payment options are supported.

PaymentAppOption dictionary

      dictionary PaymentAppOption {
        DOMString label;
        DOMString? icon;
        DOMString id;
        sequence<DOMString> enabledMethods;
      };
      

label member

The label member is a string that represents the label for this option as it is usually displayed to the user when selecting a payment app.

icon member

Need to define how an icon would be represented in this data. Url? Data URL? Size options? Web App Manifest may be used for inspiration.

id member

The id member is an identifier, unique within the PaymentAppManifest, that will be passed to the payment app to indicate which PaymentAppOption the user selected.

enabledMethods member

The enabledMethods member lists the payment method identifiers of the payment methods enabled by this option.

Payment App Manifest Location

Aside from ServiceWorker registration, it's useful for user agents to download the payment app manifest from a well defined location. This allows for merchants to recommend payment apps via the URL of the payment app.

Registration Example

The following example shows how to register a user agent-based payment app:

         navigator.serviceWorker.register('/exampleapp.js')
         .then(function(registration) {
           return registration.paymentAppManager.setManifest({
             label: "ExampleApp",
             icon: "...",
             options: [
               {
                 label: "Visa ending ****4756",
                 icon: "...",
                 id: "dc2de27a-ca5e-4fbd-883e-b6ded6c69d4f",
                 enabledMethods: ["basic-card#visa"]
               },
               {
                 label: "My Bob Pay Account: john@example.com",
                 icon: "...",
                 id: "c8126178-3bba-4d09-8f00-0771bcfd3b11",
                 enabledMethods: ["https://bobpay.com/"]
               },
               {
                 label: "Add new credit/debit card to ExampleApp",
                 icon: "...",
                 id: "new-card",
                 enabledMethods: [
                   "basic-card#visa",
                   "basic-card#mastercard",
                   "basic-card#amex"
               }
             ]
           });
         }).then(function() {
           console.log("Installed payment app from /paymentapp.js"); // Success!
         }).catch(function(error) {
           console.log(error);
         });
     

The Editors will update the payment method identifier syntax in this and other examples to align with [[!METHOD-IDENTIFIERS]], once a final format has been agreed upon.

Native App Registration

Information required for payment apps should be present in the payment app manifest under an extension point. For example, information for Android native payment apps may live under "android" section of the app manifest. This specification does not define the contents of native app descriptions. This is defined elsewhere.

What else, if anything, should we say about registering native payment apps?

Native payment apps on some platforms (e.g., on Android) can claim ownership of their origins. To verify origin ownership, user agents need to perform extra steps that are not defined in this specification.

Selectable App Information Display

After matching the user agent will have a list of payment options that the user can select to handle the payment request. How will these be ordered when they are displayed to the user, where do recommended apps fit in to the order and how do we treat apps that are both registered and recommended?

What information is needed by the user agent to display selectable apps/options? This needs to be captured during registration.

The output of the payment method matching algorithm will be a list of matching payment options from registered payment apps and a list of recommended payment apps. The user agent will present this list of options to the user so they can select how they want to handle the payment request.

• The user agent MUST display all matching payment options.
• The user agent MAY display recommended payment apps.
• In its display, the user agent MUST distinguish recommended payment apps from payment options from registered payment apps.
• The user agent MAY allow the user to configure the display of matching payment options to control the ordering and define preselected defaults.
• The user agent MUST display matching payment options in an order that corresponds to the order of supported payment methods supplied by the payee, except where the user agent enables the user to override this order.
• The user agent SHOULD display any payee-recommended apps in the order specified by the payee.

Selection by the User

• The user agent MUST enable the user to select any displayed payment app.
• If the user selects an unregistered recommended payment app, the user agent SHOULD offer the user an opportunity to register it.

Payment App Request Data

      dictionary PaymentAppRequestData {
        DOMString origin;
        sequence<PaymentMethodData> methodData;
        PaymentItem total;
        sequence<PaymentDetailsModifier> modifiers;
        DOMString optionId;
      };
    

origin attribute

This attribute a string that indicates the origin of the payee web page. It MUST be formatted according to the "Unicode Serialization of an Origin" algorithm defined in section 6.1 of [[!RFC6454]].

methodData attribute

This attribute contains PaymentMethodData dictionaries containing the payment method identifiers for the payment methods that the web site accepts and any associated payment method specific data. It is populated from the PaymentRequest using the Method Data Population Algorithm defined below.

total attribute

This attribute indicates the total amount being requested for payment. It is initialized with a structured clone of the total field of the PaymentDetails provided when the corresponding PaymentRequest object was instantiated.

modifiers attribute

This sequence of PaymentDetailsModifier dictionaries contains modifiers for particular payment method identifiers (e.g., if the payment amount or currency type varies based on a per-payment-method basis). It is populated from the PaymentRequest using the Modifiers Population Algorithm defined below.

optionId attribute

This attribute indicates which PaymentAppOption the user selected. It corresponds to the id field provided during payment app registration.

Payment App Invocation

Payment apps are invoked when a payee requests a payment by calling PaymentRequest.show() and the user selects a payment app (or has one implicitly selected by previously established user preferences). If the user selects a user agent-based payment app to service the request, the service worker corresponding to that application receives an event with the PaymentAppRequestData containing information about the payment being requested. The event also contains a function that allows the payment app to provide a payment response back to the payee. This process is formally described in the following sections.

        partial interface ServiceWorkerGlobalScope {
          attribute EventHandler onpaymentrequest;
        };
      

      [Exposed=ServiceWorker]
      interface PaymentRequestEvent : ExtendableEvent {
        readonly attribute PaymentAppRequestData data;
        void respondWith((Promise<PaymentResponse>
        or PaymentResponse) r);
      };
      

Payment App Display

Payment Apps that require user input can open a payment window using the clients.openWindow() method defined in [[!SERVICE-WORKERS]]. Absent user preferences that override such behavior, user interaction is required during payment requests, in the form of payment app selection. As a consequence, the user agent MUST treat a paymentrequest event as user interaction for the purposes of determining whether the service worker is allowed to open a window.

The actual rendering of a payment app window is a user agent implementation detail. While opening an entirely new window is possible, it is more likely that the contents will be rendered in a way that makes it more obvious that the interactions pertain to the payment transaction. This is an area for potential user agent experimentation and differentiation. The opening of a payment app window versus other types of windows can be distinguished based on the event type the user agent is using to grant permission to open a window.

The remainder of this section is a non-normative explanation of how the service worker WindowClient class can be used to interact with users.

Upon calling clients.openWindow(), the payment app receives a Promise which resolves to a WindowClient. For the purposes of this discussion, we will refer to this WindowClient as client. The payment app can use the client.postMessage() method to send messages to the payment app window.

When a payment app window receives the message event from the payment app, this event will contain a source attribute which indicates the payment app's service worker. The payment app window can then call source.postMessage() to send a response to the payment app. Once the payment app window has complete its interaction with the user, it closes the window and uses this postMessage() call to return information to the payment app.

In order for this approach to work, we have to treat a paymentrequest as permission to open a popup, which is a formal property relied up on by [[!SERVICE-WORKERS]]. We need to be careful that this does not become an end-run around exiting pop-up protections.

Do we want to define a new FrameType for payment app windows? This requires input from someone with detailed knowledge of service worker design.

Payment App Response

The user agent receives a successful response from the payment app through resolution of the Promise provided to the respondWith function of the corresponding PaymentRequestEvent dictionary. The application is expected to resolve the Promise with a PaymentResponse dictionary instance containing the payment response information.

When this Promise is resolved, the user agent MUST run the user accepts the payment request algorithm as defined in [[!PAYMENT-REQUEST-API]], replacing steps 6 and 7 with these steps or their equivalent:

1. Set appResponse to the PaymentResponse used to resolve the PaymentRequestEvent.respondWith Promise.
2. If appResponse.methodName is not present or not set to one of the values from PaymentRequestEvent.data, reject the Promise created by PaymentRequest.show() with DOMException whose value "InvalidStateError" and terminate these steps.
3. Create a structured clone of appResponse.methodName and assign it to response.methodName.
4. If appResponse.details is not present, reject the Promise created by PaymentRequest.show() with a DOMException whose value is "InvalidStateError" and terminate these steps.
5. Create a structured clone of appResponse.details and assign it to response.details.

The user agent receives a failure response from the payment app through rejection of the Promise. The user agent MUST use the rejection reason to reject the Promise that was created by PaymentRequest.show().

The following example shows how to respond to a payment request:

      paymentRequestEvent.respondWith(new Promise(function(accept,reject) {
        /* ... processing may occur here ... */
        accept({
          methodName: "basic-card#visa",
          details: {
            card_number :  "1232343451234",
            expiry_month : "12",
            expiry_year :  "2020",
            cvv :          "123"
           }
        });
      });
    

Some payment methods might require a back channel to guarantee payment response delivery (especially push payment methods). Should it be part of the generic portion of paymentRequest and paymentResponse? [Ed Note: the "complete()" attribute of the "PaymentResponse" interface would serve this purpose quite cleanly.]

Example using HTTP POST

This example codes shows how to use this API via a scheme in which a POST is sent to a URL with the payment request as a body. The response is allowed to be either application/json (which is inferred to contain a payment response), or text/html (which contains content to be rendered to the user).

      var contentType;
      var paymentPromise;
      /* Handle payment request from a payee */
      self.addEventListener('paymentrequest', function(e) {
        paymentPromise = new Promise(function(accept, reject) {
          fetch("https://www.example.com/bobpay/process",
            { method: "POST",  body: JSON.stringify(e.data) })
          .then(function(response) {
            contentType = response.headers.get("content-type");
            if (!contentType) {
              throw new Error("No content type header");
            }
            return response.text();
          }).then(function(body) {
            if(contentType.indexOf("application/json") !== -1) {
              /* Respond to the payment request with the received body */
              accept(JSON.parse(body));
            } else if (contentType.indexOf("text/html") !== -1) { {
              /* Open a new payment window and populate it with the
                 document returned from the response */
              var url = "data:text/html;base64," + btoa(body);
              clients.openWindow(url).then(function(windowClient) {
                windowClient.postMessage(e.data);
              });
            } else {
              throw new Error("Unexpected value in content type header");
            }
          }).catch(function(err) {
            reject(err);
          });
        e.respondWith(paymentPromise);
      });

      /* Handle payment response from a payment app window */
      self.addEventListener('message', function(e) {
        if (e.data.hasOwnProperty('name')) {
          paymentPromise.reject(e.data);
        } else {
          paymentPromise.resolve(e.data);
        }
      });
    

Using the simple scheme described above, a trivial HTML page that is loaded into the payment app window to implement the basic card scheme might look like the following:

<html> <body> <form id="form">
<table>
  <tr><th>Card Number:</th><td><input name="card_number"></td></tr>
  <tr><th>Expiration Month:</th><td><input name="expiry_month"></td></tr>
  <tr><th>Expiration Year:</th><td><input name="expiry_year"></td></tr>
  <tr><th>CVV:</th><td><input name="cvv"></td></tr>
  <tr><th></th><td><input type="submit" value="Pay"></td></tr>
</table>
</form>

<script>
window.addEventListener("message", function(e) {
  var form = document.getElementById("form");
  /* Note: message sent from payment app is available in e.data */
  form.onsubmit = function() {
    var details = {};
    ["card_number","expiry_month","expiry_year","cvv"].forEach(function(field) {
      details[field] = form.elements[field].value;
    });
    e.source.postMessage({
      methodName: "basic-card#visa",
      details: details
    });
    window.close();
  }
});
</script> </body> </html>
    

Design Considerations

• The API does not share information about the user's registered payment methods or payment apps with the payee. The only information that is shared is the result of user selection.

Secure Communications

• See Service Worker security considerations
• Payment method security is outside the scope of this specification and is addressed by payment apps that support those payment methods.

Payment App Authenticity

• To avoid problems such as phishing-type attacks on payee sites, we want to be able to ensure the authenticity of payment apps. In general we expect to rely on origin information for establishing payment app authenticity. In contexts where payment apps are referenced other than on their origin, we are considering additional measures to help establish authenticity. Examples: validate a digital signature prior to launching a recommended app or an installed native app without associated origin information.

Data Validation

• Payees should validate that the data they have received through the paymentRequest API is what they expect (e.g., the total that was paid, etc.).

Private Browsing Mode

• When the Payment Request API is invoked in a "private browsing mode," the user agent should launch user agent-based payment apps in a private context. This will generally prevent sites from accessing any previously-stored information. In turn, this is likely to require either that the user log in to the payment app or re-enter payment instrument details.