Slashdot Mirror

← Back to Stories (view on slashdot.org)

W3C Sets Up Web Payments Standards Group To Improve Check-Out Security

Posted by timothy on from the click-here-to-pay dept.

campuscodi writes to note that the World Wide Web Consortium has launched a Working Group to help streamline the online "check-out" process and make payment by internet easier and more secure. The proposed standards will support a wide array of existing and future payment methods, including debit, credit, mobile payment systems, escrow, and Bitcoin and other distributed ledger technologies. The group estimates that the new payments API will reach browsers by the end of 2017. For more details, you can consult the Web Payments Working Group Charter, and the group's wiki FAQ page.

30 comments

  1. Food stamps by Anonymous Coward · · Score: -1

    This won't help the poor and needy people who don't have access to debit cards and bitcoin wallets.

    We should force rich CEOs to give out debit cards from their bank accounts, so that everyone can be free. It's only fair.

    1. Re:Food stamps by Anonymous Coward · · Score: 0

      Anyone with a Internet-connected computer or smartphone can have multiple Bitcoin wallets. It's filling them that's the problem.

      Here's a website where you have a chance to win up to USD$200 worth of Bitcoin every hour, for free!

    2. Re:Food stamps by U2xhc2hkb3QgU3Vja3M · · Score: 1

      I much prefer this one, the prizes may be tiny in comparison but the game is fun to play.

    3. Re:Food stamps by laie_techie · · Score: 1

      This won't help the poor and needy people who don't have access to debit cards and bitcoin wallets.

      We should force rich CEOs to give out debit cards from their bank accounts, so that everyone can be free. It's only fair.

      Some states offer a debit card interface for unemployment and food stamps.

    4. Re:Food stamps by jellomizer · · Score: 1

      Which is the part about bitcoins which is scary. All those questionable bitcoin sources. I had did some calculation, you wouldn't even make minimum wage with these things.
      Legit sources of Bit Coins will also offer you normal cash. Which is often still easier to deal with in the real world.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:Food stamps by U2xhc2hkb3QgU3Vja3M · · Score: 1

      The goal of these things isn't to make minimum wage, it's to be able to get free fractions of bitcoins in the hopes that it ever gets much higher than it is right now. It did get from 14 cents up to 1200 dollars once, so we never know what might happen in the future.

    6. Re:Food stamps by KGIII · · Score: 1

      When BTC opened up to the world, I mined 48 (I'm pretty sure) BTC on a headless box that chugged away in my 'server closet.' Rather than deal with the taxes, I simply donated them to EFF. They were worth some $11,000+ (total) when I donated them. I'm not sure when/if they cashed them in.

      Yes, tax avoidance is legal. Tax evasion is illegal. I didn't feel like dealing with putting them on my tax statements which would be public information and subject to scrutiny as I'm running for the State Senate in 2016. No, the donation will not be written off. Yes, this is legal. No, I don't feel it is immoral.

      Anyhow, if the spikes happen and one pays attention (and is not in dire need for funds with an immediacy) then they may well work out for a select few. I'd actually completely forgotten about the BTC's that I'd mined - like completely and totally forgotten until someone here mentioned how much they were worth. I have no idea how long they'd taken to mine. The server had been powered down for years. However, it's not like you can't do other things besides mine them - you don't have to sit and watch the server. It works on its own once configured.

      --
      "So long and thanks for all the fish."
  2. Fantastic! by Anonymous Coward · · Score: 3, Funny

    In 10 to 15 years we'll have a standard.

    1. Re: Fantastic! by Anonymous Coward · · Score: 2

      Nah, we'll have a standard in about 5, but Google and Mozilla will jump the gun and implement it (badly) in 2, just to show how progressive they are. Then they'll abandon it and put forward their own implementation, which is incompatible. Oh, and it doesn't work on Android yet. Well, it does, but only on the very latest version which you can't install on YOUR device. Again, just being progressive and all that.

      And in 5 years they'll end up adopting the standard anyway because that's what everyone will do.

      Meanwhile, nobody will touch it with a 10 foot pole until it is supported by IE*, which should happen by 2025, once they iron out the wrinkles on IE12. Oh, and Apple doesn't care either way, so they'll implement once everyone stops bickering...if they feel like it.

      Meanwhile, the people who's living actually depend on this shit will do what we've always done: use some third party JS and PHP, liberally sprinkled with some in-house hacks to handle this crap and hope that we don't get hacked too much.

      * yes, IE will still be around by then and you'll still have to support it. Despair.

    2. Re: Fantastic! by U2xhc2hkb3QgU3Vja3M · · Score: 2

      Or people will simply continue to use what works today, which are simple PayPal links and Bitcoin wallet addresses.

    3. Re: Fantastic! by itamihn · · Score: 2

      > Oh, and Apple doesn't care either way, so they'll implement once everyone stops bickering...if they feel like it.

      You forgot to mention that they will launch in a world event and sell billions of devices thanks to their innovation.

    4. Re: Fantastic! by FreezerJam · · Score: 1

      Looks like a strong overlap with RFC 2801 - http://www.rfc-editor.org/info...

      That would be "Internet Open Trading Protocol - IOTP Version 1.0, April 2000"

    5. Re:Fantastic! by Anonymous Coward · · Score: 0

      Better than it arriving in 16 years...

  3. 1%er solutions by Anonymous Coward · · Score: 0

    What payments challenges are of interest to W3C?
    7. Merchant interest in loyalty coupons and other commerce tools, as well as smoother integration of payments into buying patterns that include search and social;

    One of the primary goals of this initiative is to make it easier for merchants to track purchases and payments. Or for parties like google to profile you.

    This initiative is not intended to benefit the consumer. It is all about benefitting big money interests.

  4. Fix the real problem by CastrTroy · · Score: 5, Interesting

    I say that we should fix the real problem. The real problem is that I have to give my credit card number, or debit card number, or bank routing information to the store that I want to make a purchase from. I would much prefer to have a system, more like PayPal, where I can authorize a payment to an online store and not give them any information that would allow them to access my account to create further payments.

    As soon as I submit my credit card number to a store, there's any number of things that could go wrong after that time that would cause my account to become compromised. Doubly so for things like debit cards or account routing information that would cause me to lose money from my actual account.

    I'm not saying that PayPal should take over. However, there should be a standard way to make a one-time payment from any financial institution and it should work similarly to PayPal in that the money gets transferred to the seller without giving them any information that could be used to make another transaction that isn't verified by me.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Fix the real problem by Anonymous Coward · · Score: 0

      You are describing something like 3C Payments

    2. Re:Fix the real problem by Shadow+IT+Ninja · · Score: 1

      I like Bitcoin as my solution to this problem. I just recently bought some stuff and the site emailed me back my password in clear text. Idiots! That's the point where I was really glad I had paid in Bitcoin.

    3. Re:Fix the real problem by omnichad · · Score: 2

      Get a CC from a bank that allows a one time use virtual CC number. You have a lot of choices, (e.g. Citi, BofA), but there are some downsides in the implementation.

      And yes - there are competitors to Paypal, such as Android Pay and Apple Pay. But those only really work for NFC.

    4. Re:Fix the real problem by Anonymous Coward · · Score: 0

      Discover used to offer single use credit card numbers. That was an awesome feature for buying stuff online.

    5. Re:Fix the real problem by Anonymous Coward · · Score: 1

      Indeed, the payment info should go the the customer (payment of $X to at ), who then signs it with their private key, sends it on to their bank.

      Bank verifies that the signature is valid with the public key, and that the payment isn't a replay (the exact same payment), and that the funds are available; they sign it with their private key, sends it back so it gets to the merchant.

      Merchant gets the payment information, verifies the bank's signature with the public key, sends merchandise.

    6. Re:Fix the real problem by Martin+Blank · · Score: 1

      The path as shown in the WG's wiki suggests the possibility of this. It provides the option for payment processing to happen on the payee side or on the payor side. Once it gets to "Send Payment Response," the payee has the option of performing processing, and if not, it goes to the payor to be processed, perhaps using a signed, token-based architecture. A payment-complete notification is then sent to the payee, completing the transaction.

      This seems like it would fulfill your requirements.

      --
      You can never go home again... but I guess you can shop there.
    7. Re:Fix the real problem by Anonymous Coward · · Score: 1

      That's not the real problem. You demand a technical solution to a legal problem. If banks were required by law to refund any unauthorized withdrawals immediately, including all fees, interest etc. incurred (including any you may have had to pay to third parties if the bank declined any cheques / transfers), you just wouldn't have to care. Why should it ever be your problem if your bank permits unauthorized parties to access you account?

    8. Re:Fix the real problem by radarskiy · · Score: 2

      If banks were required by law to refund any unauthorized withdrawals immediately, they would require everyone to use single-use account numbers.

    9. Re:Fix the real problem by thegarbz · · Score: 2

      The real problem is that I have to give my credit card number, or debit card number, or bank routing information to the store that I want to make a purchase from

      I just moved to the Netherlands and my first online purchase was met with "Pay with iDeal" as the only option. I freaked out and after I was done I was left thoroughly impressed. It's a bank agnostic payment system processed by the banks themselves with your account. I.e. just like paypal the actual payment is handed over to the financial institute and the store never sees your credit card (or in this direct-debit) details. Then the actual process of paying depends on you bank security (in my case I have the option of SMS verification or using a little card reader with my debit card along with my pin code in a challenge response type situation where I type my pin and their challenge number into a little device and then type the response into the bank's website.

      At first I thought it was a pain, but then I thought I really can't think of a more secure system.

    10. Re:Fix the real problem by John.Banister · · Score: 1

      Sure, but you haven't explained how MC & Visa will make 2% of every transaction. If your new, technologically superior payment system doesn't include that feature, they will use their not inconsiderable resources to see to it that anything that pays them more gets used instead.

    11. Re:Fix the real problem by KGIII · · Score: 0

      Not a bank - a credit union. I find that some of them are ahead of the curve. It's also a lot nicer when you've got some skin in the game and own shares instead of just being a tool to be wielded or customer.

      Full disclosure: I've numerous accounts and sit on the board at my local credit union.

      --
      "So long and thanks for all the fish."
    12. Re:Fix the real problem by CastrTroy · · Score: 1

      Yeah, it really does seem to be the best solution. Other commenters said that people should just get an account that allows them to generate 1 time use credit card numbers. But that is usually a cumbersome task and requires a lot more effort than most people are willing to go through to make an online payment.

      A properly designed customer initiated payment can be almost as simple as using a credit card, and much more secure. Plus there are ways you could allow ongoing/subscription payments, which one time card numbers would be unable to accomplish. One time card numbers are just a hack bolted on to an insecure system.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    13. Re:Fix the real problem by Lennie · · Score: 1

      I've never had the need to (because I'm careful where I use it online) so I don't know if this is true.

      But iDeal has no refund, at all.

      The band transfers the money and it's gone.

      If you don't get what you asked for, you might be out of luck.

      Something like Bitcoin would allow for a mutually agreed up on third party to do arbitration with a contract.

      --
      New things are always on the horizon
    14. Re:Fix the real problem by thegarbz · · Score: 1

      That could be very true but is true of every direct debit / cash / check transaction. Online protection is something provided by individual credit card companies complying with LOCAL credit card laws.

      iDeal is generally protected at present since it is unique to the Netherlands, registered businesses, and thus subject to consumer protection laws. This would be quite different if the system is expanded internationally, but again while we're postulating possible solutions a similar such solution could simply be laws requiring the same kind of protection for debit transactions as credit transactions. The specifics of such a law may be more difficult though since you're dealing with actual money and not just fancy number games and loans.

  5. Who can I make recommendations to? by Anonymous Coward · · Score: 0

    For about 20 years we've been begging users not to hit the submit button more than once, we've been hacking up javascript to hide the submit button, disable the submit button, and so on...

    Can we please just add an attribute to HTML5.1 or whatever this will be in that indicates that the element should disable itself after use? I just discovered that onclick="this.disabled=true; dosubmissionthing();" will not, in fact, disable the button immediately and Chrome will queue up a second click if a customer double-clicks hard enough on a slow and shitty computer, because the DOM isn't updated until the handler is finished. I propose an attribute once (or once=once for the pedants): Prior to handling any other user requests, the User Agent SHALL set disabled to true for the element, then execute its onclick handler and/or default action if any. The attribute should be valid for any element that may have either an onclick event handler (eg almost all of them) or a default action (a,input[type=submit],input[type=image],etc)

    If for some reason the user should need to use that element again, the element can have disabled set back to false.

    This is something that honestly should have been done decades ago. Now is the time to fix it rather than expecting everyone to continue to halfass it in javascript incorrectly.