Slashdot Mirror
Browsers Will Store Credit Card Details Similar To How They Save Passwords (bleepingcomputer.com)
An anonymous reader quotes a report from Bleeping Computer: A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online. Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords. The API is also a godsend for the security and e-commerce industry since it spares store owners from having to store payment card data on their servers. This means less regulation and no more fears that an online store might expose card data when getting hacked. By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user. Browsers that support the Payment Request API include Google Chrome, who first added support for it in Chrome for Android 53 in August 2016, and added desktop support last month with the release of Chrome 61. Microsoft Edge also supports the Payment Request API since September 2016, but the feature requires that users register a Microsoft Wallet account before using it. Firefox and Safari are still working on supporting the API, and so are browser implementations from Facebook and Samsung, both eager to provide a simpler payment mechanism than the one in use today.
With the greatest respect:
How about no.
Conversion rates in the checkout flow are a key measure for ecommerce sites. 46% of e-commerce shoppers abandon the checkout process during the payment phase, signaling frustration with the complexity and redundancy of re-entering form data or tracking down payment information. Even a small increase in the success rate of checkout make a direct impact on your site’s bottom line, while improving the shopping experience for customers.
From Payment Request API
Many problems related to online purchase abandonment can be traced to checkout forms, which are user-intensive, difficult to use, slow to load and refresh, and require multiple steps to complete.
Sure, this API may make things simpler for you -- the purchaser -- but it seems the focus is on benefiting the seller. Perhaps a narrow distinction, but one that may matter if/when push comes to shove and a side must be chosen by the developers.
Another thing to consider: Since this is implemented in the browser, if you use multiple browsers to shop, then you'll have to store your information in each browser rather than once on the websites on which you shop -- unless the browser vendors can cooperate on a single, shared data storage method.
It must have been something you assimilated. . . .
The browser is the one component in my system I trust less. I mean: its job is to go around the Intratubes picking up every bit of dirt out there and *executing it*?
I don't put my banking data into that now. Much less when there's a standard with a clear label on it "BANKING DATA HERE".
"But, but" "Sandboxes". Yeah, right. Ponies. Rainbows. Farts.
No. Fucking. Way.
Saw this after posting above. Also from TFA:
The researcher notes that sites that don't sell any products or advertisers could abuse the API to fingerprint and profile users (detect what payment options each user/browser has stored in its settings), or detect when the user is paying from a normal or incognito mode session.
Just great. Then any website could query your browser for available payment information.
And? Note that they just say payment information. They don't say anything about credit card details, which don't get handed over without user interaction, and in the case of Chrome still needs a CVV code manually entered. Whether or not you have 1 VISA, or 1 Mastercard and 1 PayPal as a payment option really doesn't matter much. Tracking users is already done with near perfect success. It's kind of hard to get worked up about the leak of trackable information.