Slashdot Mirror


Browsers Will Store Credit Card Details Similar To How They Save Passwords (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online. Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords. The API is also a godsend for the security and e-commerce industry since it spares store owners from having to store payment card data on their servers. This means less regulation and no more fears that an online store might expose card data when getting hacked. By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user. Browsers that support the Payment Request API include Google Chrome, who first added support for it in Chrome for Android 53 in August 2016, and added desktop support last month with the release of Chrome 61. Microsoft Edge also supports the Payment Request API since September 2016, but the feature requires that users register a Microsoft Wallet account before using it. Firefox and Safari are still working on supporting the API, and so are browser implementations from Facebook and Samsung, both eager to provide a simpler payment mechanism than the one in use today.

31 of 182 comments

  1. With the greatest respect: no by Anonymous Coward · · Score: 5, Informative

    With the greatest respect:

    How about no.

    1. Re:With the greatest respect: no by fahrbot-bot · · Score: 5, Interesting

      How about no.

      How about YES. It is implausible that this will be any worse than the existing system.

      Read TFA. If the payment info is stored in the browser, then *any* website can query your browser for available payment info. In addition, the browser maker - Mozilla, Microsoft, Google, etc... - could (will) have access to this info and any transactions.

      As it is now, for me at least, with the exception of Amazon, I don't save my payment information on any website and prefer to re-enter it whenever I make a payment. Furthermore, on sites other than Amazon, I almost always use a virtual credit card (ShopSafe) so the CC info is different for each vendor/purchase - rendering storing it in the browser useless.

      --
      It must have been something you assimilated. . . .
    2. Re:With the greatest respect: no by Anonymous Coward · · Score: 2, Insightful

      In what world is storing credit card info not worse than not storing credit card info?

    3. Re:With the greatest respect: no by basecastula+ · · Score: 4, Insightful

      Just enter your credit card number? are we that fucking lazy?

    4. Re:With the greatest respect: no by Mitreya · · Score: 2

      If the payment info is stored in the browser, then *any* website can query your browser for available payment info.

      I would actually welcome that -- let them access my credit card.
      Credit card charge is not like a popup, I can find and roll back unauthorized charges (at a very real cost to the vendor).

      In addition, the browser maker - Mozilla, Microsoft, Google, etc... - could (will) have access to this info and any transactions.

      Ok, that is bad.

    5. Re:With the greatest respect: no by ShanghaiBill · · Score: 2

      *any* website can query your browser for available payment info.

      Nonsense. That is NOT what TFA says, and that is not how it currently works in Chrome. The website can request a popup, just like they can now display an order form. But that does not "query your browser for available payment info". It requires user input before any payment is made, and requires the user to enter the CVV#. In the future, the vendor will never even see the CC#.

      In addition, the browser maker - Mozilla, Microsoft, Google, etc... - could (will) have access to this info and any transactions.

      I trust Google more than I trust Equifax, or any other random vendor. Google will have a huge incentive to keep this secure, and they have as much expertise as anyone. I don't need to trust Microsoft or Mozilla because I don't use their browsers for ecommerce.

    6. Re:With the greatest respect: no by scdeimos · · Score: 2

      It is implausible that this will be any worse than the existing system.

      It's also not going to improve any system. You'll still have zero control over how merchants are handling the CC details at their end - they're probably still going to store them in an unencrypted Access or MySQL database with an Admin portal using an admin:admin username/password.

      I don't store passwords in my browser. I'm sure as heck not storing CC info in my browser, either.

    7. Re:With the greatest respect: no by fahrbot-bot · · Score: 3, Informative

      *any* website can query your browser for available payment info.

      Nonsense. That is NOT what TFA says, and that is not how it currently works in Chrome.

      From TFA:

      The researcher notes that sites that don't sell any products or advertisers could abuse the API to fingerprint and profile users (detect what payment options each user/browser has stored in its settings), or detect when the user is paying from a normal or incognito mode session.

      Though, it's unclear as to what information can be queried. And whatever Chrome has implemented isn't the final API being developed.

      --
      It must have been something you assimilated. . . .
    8. Re:With the greatest respect: no by WaffleMonster · · Score: 4, Insightful

      How about YES. It is implausible that this will be any worse than the existing system.

      Having standardized interfaces malware can leverage to trivially extract card details from user systems has the potential to lead to worse outcomes. We already see malware looking for bitcoin wallets, which on a relative basis very few people have. A future in which everyone is storing card details in their browsers does not seem productive.

      Nor is encouraging use of dead-end, inherently dangerous pull-based technology (credit cards) when push-based systems (e.g. PayPal) are MUCH safer; that only leads to worse outcomes for all.

      Statements like: "The PaymentRequest API does not directly support encryption of data fields. Individual payment methods may choose to include support for encrypted data but it is not mandatory that all payment methods support this."

      indicate that the developers of the API are not serious and are just going to punt on security.

      They don't seem to care very much about privacy allowing payment type data to be probed without explicit permission at the whim of the browser vendor.

      The overall approach is pedestrian. Shoving complex ecommerce workflows and interfaces into browser APIs is a ridiculous nonstarter. Why not work on something useful like native browser support for distributed authorization or common information request profiles? The approach reeks.

    9. Re:With the greatest respect: no by WaffleMonster · · Score: 2

      Nonsense. That is NOT what TFA says, and that is not how it currently works in Chrome. The website can request a popup, just like they can now display an order form. But that does not "query your browser for available payment info". I requires user input before any payment is made, and requires the user to enter the CVV#.

      There are multiple API calls at play which provide different information.

      Obviously user input is required before sending card data.

      What is explicitly NOT mandated by the current work is requests for available pay methods. This is explicitly allowed to be answered without prompting the user first.

      In the future, the vendor will never even see the CC#.

      The future... WTF ... It's 2017... why is there NEW work on shit that is obviously not fit for purpose out of the gate?

    10. Re:With the greatest respect: no by thegarbz · · Score: 4, Insightful

      If the payment info is stored in the browser, then *any* website can query your browser for available payment info. In addition, the browser maker - Mozilla, Microsoft, Google, etc... - could (will) have access to this info and any transactions.

      Okay so since this feature has been available for a while why not look at how it actually works:

      - The browser implementation never hands over the CC info without checking with the user.
      - The browser does not hand over the CVV code.
      - Google's implementation at least handles the CC info exactly the same way as it does on Google's Play store so if you already have a mobile phone and purchased an app on it, your level of trust does not change between using this new system vs buying an app on your phone.
      - Additionally Google's implementation won't hand over any CC info if the security chain isn't perfect which is a damn sight better and more secure than how the vast majority of users handle their credit card online.

      As it is now, for me at least, is that, with the exception of Amazon, I don't save my payment information on any website and prefer to re-enter it whenever I make a payment.

      Then you should love this system.

      Furthermore, on sites other than Amazon, I almost always use a virtual credit card (ShopSafe) so the CC info is different for each vendor/purchase - rendering storing it in the browser useless.

      Why? I know the USA lacks all sorts of basic consumer protection laws, but I was under the impression that you're quite well covered for credit card fraud.
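
Added example, not code from the article, the W3C specification or any of the commenters: a checkout helper on the Payment Request API that exercises the two calls WaffleMonster's and thegarbz's comments above disagree about. `canMakePayment()` is the call the spec lets the browser answer with no prompt at all; `show()` is the only call that puts the payment sheet in front of the user, and nothing about a card reaches the page before the user confirms it there. The `PaymentRequest` constructor and the server call are injected so the flow runs under Node against a constructed fake; in a page you would pass `window.PaymentRequest` and your own fetch wrapper. The fake browser, the catalogue and the sample order are all constructed for this example.

```javascript
// Added example: merchant-side checkout on the Payment Request API with the
// browser API and the server call injected, so it runs offline against fakes.

function formatAmount(cents, currency) {
  // The API takes amounts as decimal strings; keep arithmetic in integer minor units.
  const sign = cents < 0 ? '-' : '';
  const abs = Math.abs(cents);
  return { currency, value: `${sign}${Math.floor(abs / 100)}.${String(abs % 100).padStart(2, '0')}` };
}

function buildPaymentDetails(items, currency = 'USD') {
  const displayItems = items.map(i => ({ label: i.label, amount: formatAmount(i.cents, currency) }));
  const totalCents = items.reduce((sum, i) => sum + i.cents, 0);
  return { displayItems, total: { label: 'Total', amount: formatAmount(totalCents, currency) } };
}

const METHOD_DATA = [{
  supportedMethods: 'basic-card', // single string per the current spec; 2017-era drafts used an array
  data: { supportedNetworks: ['visa', 'mastercard'] },
}];

async function checkout(items, deps) {
  const { PaymentRequest, submit } = deps;
  if (typeof PaymentRequest !== 'function') {
    return { outcome: 'fallback-form', reason: 'api-unavailable' };
  }
  const details = buildPaymentDetails(items);
  const request = new PaymentRequest(METHOD_DATA, details);

  // canMakePayment() resolves without any UI. This is the pre-show() probe the
  // thread argues about: a page that never calls show() still learns whether a
  // matching method is stored. Browsers may reject repeated calls (NotAllowedError);
  // treat that as "unknown" and go on to show().
  let able;
  try {
    able = await request.canMakePayment();
  } catch (err) {
    able = undefined;
  }
  if (able === false) {
    return { outcome: 'fallback-form', reason: 'no-stored-method' };
  }

  // show() displays the sheet; real browsers require a user gesture and reject
  // with AbortError when the user cancels.
  let response;
  try {
    response = await request.show();
  } catch (err) {
    if (err && err.name === 'AbortError') return { outcome: 'aborted' };
    throw err;
  }

  // For basic-card, response.details carries the card fields into this page,
  // so what the merchant does with them next is still inside PCI scope. The
  // server re-prices from the item list; it never trusts the client-built total.
  const result = await submit({ methodName: response.methodName, paymentDetails: response.details, items });
  await response.complete(result.ok ? 'success' : 'fail');
  return { outcome: result.ok ? 'paid' : 'declined', methodName: response.methodName };
}

// Constructed fake of the browser API so the flow can be exercised under Node.
function makeFakePaymentRequest({ storedMethods, userApproves }) {
  return class FakePaymentRequest {
    constructor(methodData, details) {
      this.methodData = methodData;
      this.details = details;
      this.completedWith = null;
    }
    async canMakePayment() {
      return this.methodData.some(m => storedMethods.includes(m.supportedMethods));
    }
    async show() {
      if (!userApproves) {
        const err = new Error('User cancelled');
        err.name = 'AbortError';
        throw err;
      }
      const self = this;
      return {
        methodName: 'basic-card',
        details: { cardholderName: 'Constructed Sample', cardNumber: '4111111111111111' },
        async complete(outcome) { self.completedWith = outcome; },
      };
    }
  };
}

// Constructed server stub: prices the order from its own catalogue and refuses unknown items.
const CATALOGUE_CENTS = { Widget: 1999, Shipping: 500 };
async function fakeSubmit(order) {
  const expected = order.items.reduce((s, i) => s + (CATALOGUE_CENTS[i.label] ?? NaN), 0);
  const ok = Number.isFinite(expected) && typeof (order.paymentDetails || {}).cardNumber === 'string';
  return { ok, chargedCents: ok ? expected : 0 };
}

// Constructed sample order for a stand-alone run.
const SAMPLE_ITEMS = [{ label: 'Widget', cents: 1999 }, { label: 'Shipping', cents: 500 }];
```

Two points the story's summary glosses over are visible in the code: with the `basic-card` method the resolved response hands the card fields to the merchant's page, so the merchant is not out of PCI scope just because the browser stored the number (only a tokenizing payment app keeps the PAN away from the merchant), and everything in `details`, including `total`, is client-controlled, so the server has to price the order itself.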

    11. Re:With the greatest respect: no by thegarbz · · Score: 2, Insightful

      Just enter your credit card number? are we that fucking lazy?

      Do you write your pin code on your credit card?
      Do you post-it your password to your screen?

      I honestly can't believe you would carry around a card with a bunch of numbers on it that allows someone to buy something without any additional checks. Lazy doesn't come into it. I can't remember 19 digits, but I can remember 3 (CVV code) and when I do then I can stop carrying a stealable physical item around that anyone who pickpockets me can use to run up charges.

      What has this got to do with lazy?

  2. Not for anybody who cares for privacy/security by El+Cubano · · Score: 4, Interesting

    ... just like they currently do with passwords

    I don't trust any browser to store even my Slashdot login password. Why in the world would I trust it with my credit card? In fact, I don't even let merchants store my credit card if at all possible (I either choose the option not to save the card or manually delete the card after the purchase).

    It seems like nobody who understands and actually values privacy and security would do this.

    1. Re:Not for anybody who cares for privacy/security by ShanghaiBill · · Score: 5, Interesting

      I don't trust any browser to store even my Slashdot login password. Why in the world would I trust it with my credit card?

      Because the alternative to sharing your password is to keep it secret and type it each time you need it. But the alternative to your browser storing your CC# is that it is stored by every online merchant you buy from.

    2. Re:Not for anybody who cares for privacy/security by fahrbot-bot · · Score: 2

      Because the alternative to sharing your password is to keep it secret and type it each time you need it. But the alternative to your browser storing your CC# is that it is stored by every online merchant you buy from.

      Unless you specifically ask the website to store your CC info, it's not saved beyond that transaction (or it's not supposed to be saved). This is why you need to re-enter it otherwise. With the data stored in the browser, then *any* website can query your stored payment info.

      --
      It must have been something you assimilated. . . .
    3. Re:Not for anybody who cares for privacy/security by Anonymous Coward · · Score: 2, Insightful

      yes, it is very stupid to store stuff like this in the browser; but you're fooling yourself if you believe that by not 'saving' the card or by 'deleting' the card at the merchant site you're preventing the merchant from retaining the card details. they ALL store that shit anyway, regardless of what the user does. and a lot of them also retain cvv security code as well, even though they aren't supposed to.

      the only thing you can do is use virtual numbers (like what paypal used to offer years ago, or what a few banks provide today) that you can expire or set limits on directly with the issuer.

    4. Re:Not for anybody who cares for privacy/security by fahrbot-bot · · Score: 2

      With the data stored in the browser, then *any* website can query your stored payment info.

      Bullcrap. This is totally wrong. RTFA ... or download the latest Chrome and try it.

      From TFA:

      The researcher notes that sites that don't sell any products or advertisers could abuse the API to fingerprint and profile users (detect what payment options each user/browser has stored in its settings), or detect when the user is paying from a normal or incognito mode session.

      Though, it's unclear as to what information can be queried. Furthermore, whatever Chrome has implemented isn't the final API being developed.

      --
      It must have been something you assimilated. . . .
    5. Re:Not for anybody who cares for privacy/security by Gaygirlie · · Score: 4, Interesting

      This is why I use PayPal: the merchant never receives my card-details at all, only PayPal has them. The merchant only receives a token from PayPal that can be used for drawing the agreed-upon amount of money from your account via PayPal's API and unless the token is a subscription-token, it can't be used by the merchant to draw more money from your account at a later date. It's a million times safer than just giving your card-details to this and that website and hoping they're trustworthy -- which they most likely aren't!

  3. HELL NO! by Templer421 · · Score: 2

    In NO way should ANY browser store Credit Cards!

    1. Re:HELL NO! by eneville · · Score: 4, Insightful

      In NO way should ANY browser store Credit Cards!

      Why not?

      I'd rather have someone steal my credit card info than my slashdot credentials.

      I can always cancel (and get a full refund for) any fraudulent CC charges. But a slashdot post under my name is permanent.

      Have you ever tried to cancel a payment? It can take many months. During this time you will no doubt have to get a new card/account details, update regular payments and quite likely be without any spending cash for several days. I think the inconvenience factor and being observant enough to catch fraud before you're rendered bankrupt far outweighs potential gain vs risk.

  4. PCI DSS Requirements by Anonymous Coward · · Score: 5, Interesting

    Does this mean that browsers are going to have to be PCI DSS certified?

    That would certainly be interesting, because PCI for example prohibits using anything less than TLS1.2 for secure comms, which might bleed-over into general communications. Could this be the end of non-HTTPS web traffic and SSL/TLS before v1.2? Will browser vendors have to choose between interoperability with (old, shitty) servers and providing storage and transmission of credit card info?

    It would be kind of awesome if one DID imply the other, because the internet would get a lot less shitty really quickly.

  5. And for payments outside the browser. by fahrbot-bot · · Score: 2
    From TFA:

    Payment providers like PayPal or Amazon might not be on board with this new API since it makes them obsolete, but almost everyone else is.

    Or because, in the case of something like Amazon Payments or "Pay with Amazon" they actually need to store your payment information to process transactions that occur outside the browser. If I'm using that, I don't need my browser to handle it too.

    In many ways, the Payment Request API is a much secure method of handling online transactions, but it's not perfect either.

    For starters, browser makers now have a full view of your finances and transactions, a situation that some people might not like, and will refuse to store any such information in their browser.

    Ya think? I imagine the above will be a non-starter for many. Like I want Mozilla, Microsoft or Google accessing my CC transactions.

    --
    It must have been something you assimilated. . . .
  6. Sniffing the browser for CC info. by fahrbot-bot · · Score: 2
    Saw this after posting above. Also from TFA:

    The researcher notes that sites that don't sell any products or advertisers could abuse the API to fingerprint and profile users (detect what payment options each user/browser has stored in its settings), or detect when the user is paying from a normal or incognito mode session.

    Just great. Then any website could query your browser for available payment information.

    --
    It must have been something you assimilated. . . .
    1. Re:Sniffing the browser for CC info. by thegarbz · · Score: 3, Informative

      Saw this after posting above. Also from TFA:

      The researcher notes that sites that don't sell any products or advertisers could abuse the API to fingerprint and profile users (detect what payment options each user/browser has stored in its settings), or detect when the user is paying from a normal or incognito mode session.

      Just great. Then any website could query your browser for available payment information.

      And? Note that they just say payment information. They don't say anything about credit card details, which don't get handed over without user interaction, and in the case of Chrome still needs a CVV code manually entered. Whether or not you have 1 VISA, or 1 Mastercard and 1 PayPal as a payment option really doesn't matter much. Tracking users is already done with near perfect success. It's kind of hard to get worked up about the leak of trackable information.

  7. Re:These days saving a CC number doesn't last for. by Waffle+Iron · · Score: 4, Funny

    very long since we have to change numbers pretty often because of fraud. With my Chase card, I think my number changed three times since I got it six years ago. With my Barclays card, I've already changed number three times just this year! Neither card has a chip, so I swipe them at a lot of places. Food trucks seem to be the worst since twice immediately after I bought something from a taco truck, I had charges from FAST STOP 1107 in Texas three different times.

    The government has a program in place that you can take advantage of to prevent credit card fraud at high-risk situations like taco trucks. It's a paper certificate called a "Federal Reserve Note", and it's now widely available.

  8. Yes.. by thesupraman · · Score: 4, Insightful

    Do you even need to ask that question?

    The funz will really start when they extend the APIs to allow for recurring charges, one of the common billing scams - it won't be long I am sure.

    'WE JUST NEED TO VERIFY YOUR CCARD WITH A $0.01 CHARGE TO VALIDATE YOU' (tinyprint hidden, we will also start charging you $39.95 per month for an email telling you our monthly lucky numbers, and it is basically impossible to cancel).

    So yes, the ONLY valid answer to this is 'NO F'in WAY'

  9. The API is news but not the functionality by execthis · · Score: 2

    This story is not news. I've stored my credit cards along with information for other important accounts in Lastpass for a long time using its "form fills" feature. And, better than storing it in a browser, it is available across all browsers I use on all devices as well as with the standalone app.

    In addition to bank accounts it's very convenient to store things like your AAA account info, insurance accounts, etc. This way it's always readily available to you on any device.

  10. Again, remember: it's not really about you by fahrbot-bot · · Score: 5, Informative
    From Simpler web payments: Introducing the Payment Request API (and I read similar on Mozilla, Google and W3.org pages):

    Conversion rates in the checkout flow are a key measure for ecommerce sites. 46% of e-commerce shoppers abandon the checkout process during the payment phase, signaling frustration with the complexity and redundancy of re-entering form data or tracking down payment information. Even a small increase in the success rate of checkout make a direct impact on your site’s bottom line, while improving the shopping experience for customers.

    From Payment Request API

    Many problems related to online purchase abandonment can be traced to checkout forms, which are user-intensive, difficult to use, slow to load and refresh, and require multiple steps to complete.

    Sure, this API may make things simpler for you -- the purchaser -- but it seems the focus is on benefiting the seller. Perhaps a narrow distinction, but one that may matter if/when push comes to shove and a side must be chosen by the developers.

    Another thing to consider: Since this is implemented in the browser, if you use multiple browsers to shop, then you'll have to store your information in each browser rather than once on the websites on which you shop -- unless the browser vendors can cooperate on a single, shared data storage method.

    --
    It must have been something you assimilated. . . .
  11. NO. by Anonymous Coward · · Score: 2, Informative

    The browser is the one component in my system I trust less. I mean: its job is to go around the Intratubes picking up every bit of dirt out there and *executing it*?

    I don't put my banking data into that now. Much less when there's a standard with a clear label on it "BANKING DATA HERE".

    "But, but" "Sandboxes". Yeah, right. Ponies. Rainbows. Farts.

    No. Fucking. Way.

  12. Watch the credit card companies mod this post down by Anonymous Coward · · Score: 2, Insightful

    There is an insidious and non-obvious way that it will likely be worse than the existing system. In the current system, when your credit card number is stolen and misused, you usually are not responsible to pay because the credit card company would have to prove that it was your computer that was compromised rather than the merchant. That would require an expensive forensic investigation. But with these new systems like ShopSafe, Verified by Visa, or this new browser API, the merchant never gets your card number, and so they can't be blamed for losing your card number. That means it was either your system or the card company's system that was compromised. Of course they're sure it wasn't their system that was compromised. So that just leaves yours.

    Of course in the bold print they claim there is zero dollar deductible fraud coverage on your card. However, in the fine print, the contract you agreed to, says it doesn't apply if you fail to protect your password. And if you dispute their demand that you pay, you have agreed to go before an arbitrator who the card company has probably kept track of his record for "business friendly" decisions. And when you lose the dispute, you get to pay thousands of dollars for the arbitrator's fee, and for the expensive forensic investigation of your computer as well.

    It would be a great security improvement to the system to eliminate the merchants as possible leak points for payment credentials. The existing system, where you give lots of random merchants and their untrustworthy employees, all they need to take money from your account, is crazy insecure. But operating systems like Windows, Linux, Android, IOS etc. are far too complicated to ever have much hope they can be made secure for consumers. The only way I can think of for a reasonably secure system, is something to connect to your computer, with an extremely simple operating system, like a smart card, but with a display to verify who the payment will go to, and a physical button or pin to authorize the transaction. Only an extremely simple operating system, or better, no real operating system at all, has a hope of being reasonably secure. Although even smart cards have been compromised in a number of instances, they do a tolerably secure job, and much better than general purpose computer operating systems. I would feel sorry for the credit card companies taking losses from compromise of consumer computers, except they have the power to secure the system by the only known way, but they won't give us secure payment devices with a display and buttons.

  13. They'll push this hard by hyades1 · · Score: 4, Insightful

    I read quite a few of the comments, and noticed that people here are well aware of the problems with having a browser store this kind of information. And yet, I have a bad, bad feeling that in a few years, it's going to be ubiquitous, perhaps even compulsory. I'm surprised they actually spelled it out so clearly:

    "By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user."

    That's it right there. The banks and credit card companies have been trying ever since plastic was invented to make consumers responsible for losses due to fraud and theft. This is their ticket to paradise.

    So watch for deep discounts. Watch for a flood of trolls masquerading as coolest-of-the-cool tech lords explaining how everybody who isn't a doddering old fool is using it. Watch for laws drafted to force you to use it. Like when you have to renew your driver's license, you get a choice of waiting in an endless line during business hours at a single tiny government office, or bringing your smart phone and an app to a no-wait kiosk in a mall, or doing it from home...ONLY if you use the browser function. Watch for more and more stores refusing to accept bills larger than $10 for cash transactions "because counterfeit" or "because security".

    I'm sure there's a dozen more ways, all based around that "well, nobody's forcing you" lie that's been used so often and so well.

    Let's hope that for once people get together and shut this down before it gets started. Right now liability for fraudulent financial transactions is right where it belongs. We need to keep it that way.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.