Browsers Will Store Credit Card Details Similar To How They Save Passwords

An anonymous reader quotes a report from Bleeping Computer: A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online. Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords. The API is also a godsend for the security and e-commerce industry since it spares store owners from having to store payment card data on their servers. This means less regulation and no more fears that an online store might expose card data when getting hacked. By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user. Browsers that support the Payment Request API include Google Chrome, who first added support for it in Chrome for Android 53 in August 2016, and added desktop support last month with the release of Chrome 61. Microsoft Edge also supports the Payment Request API since September 2016, but the feature requires that users register a Microsoft Wallet account before using it. Firefox and Safari are still working on supporting the API, and so are browser implementations from Facebook and Samsung, both eager to provide a simpler payment mechanism than the one in use today.

Not for anybody who cares for privacy/security

[El+Cubano]

... just like they currently do with passwords

I don't trust any browser to store even my Slashdot login password. Why in the world would I trust it with my credit card? In fact, I don't even let merchants store my credit card if at all possible (I either choose the option not to save the card or manually delete the card after the purchase).

It seems like nobody who understands and actually values privacy and security would do this.

Re:Not for anybody who cares for privacy/security

[ShanghaiBill]

I don't trust any browser to store even my Slashdot login password. Why in the world would I trust it with my credit card?

Because the alternative to sharing your password is to keep it secret and type it each time you need it. But the alternative to your browser storing your CC# is that it is stored by every online merchant you buy from.

Re:Not for anybody who cares for privacy/security

[Gaygirlie]

This is why I use PayPal: the merchant never receives my card-details at all, only PayPal has them. The merchant only receives a token from PayPal that can be used for drawing the agreed-upon amount of money from your account via PayPal's API and unless the token is a subscription-token, it can't be used by the merchant to draw more money from your account at a later date. It's a million times safer than just giving your card-details to this and that website and hoping they're trustworthy -- which they most likely aren't!

PCI DSS Requirements

Does this mean that browsers are going to have to be PCI DSS certified?

That would certainly be interesting, because PCI for example prohibits using anything less than TLS1.2 for secure comms, which might bleed-over into general communications. Could this be the end of non-HTTPS web traffic and SSL/TLS before v1.2? Will browser vendors have to choose between interoperability with (old, shitty) servers and providing storage and transmission of credit card info?

It would be kind of awesome if one DID imply the other, because the internet would get a lot less shitty really quickly.

Re:With the greatest respect: no

[fahrbot-bot]

How about no.

How about YES. It is implausible that this will be any worse than the existing system.

Read TFA. If the payment info is stored in the browser, then *any* website can query your browser for available payment info. In addition, the browser maker - Mozilla, Microsoft, Google, etc... - could (will) have access to this info and any transactions.

As it is now, for me at least, is that, with the exception of Amazon, I don't save my payment information on any website and prefer to re-enter it whenever I make a payment. Furthermore, on sites other than Amazon, I almost always use a virtual credit card (ShopSafe) so the CC info is different for each vendor/purchase - rendering storing it in the browser useless.