[HN Gopher] W3C announces new Web standard for online payments
___________________________________________________________________
W3C announces new Web standard for online payments
Author : serhack_
Score : 151 points
Date : 2023-06-15 15:17 UTC (7 hours ago)
(HTM) web link (www.applemust.com)
(TXT) w3m dump (www.applemust.com)
| bsimpson wrote:
| There's still a W3C?!
|
| I'm kidding on the square, but I thought they'd been effectively
| displaced by WHATWG (and TC39).
| colesantiago wrote:
| [flagged]
| graypegg wrote:
| What's so comical about this is that common-standard digital-
| first micropayments is THE use case pitch for cryptocurrencies.
| They had a... decade-and-a-half head start (?) and didn't make
| that work beyond a random array of digital tokens too expensive
| to purchase anything with, managed via many easily-forged
| browser extensions.
| nwienert wrote:
| ML existed since the middle of the last century but has only
| really found its legs as of late, but I didn't see a lot of
| people make fun of it for not being perfect within a decade.
| nologic01 wrote:
| The comparison of incubation periods, adoption curves etc
| between crypto and ML cannot take us very far.
|
| The reason is that "ML" (as a proxy for algorithmic
| processing of a variety of data) is not particularly
| adversarial to pre-existing technologies. While this is not
| entirely true (there is always a hidden or explicit tension
| between automation and expert assessments) by-and-large
| this tension can be managed. The new tech gets bolted on
| the old.
|
| In contrast crypto sought to _overthrow_ all pre-existing
| monetary and financial system technology with proposals
| that are naive, half-baked and ignore (or reinvent in
| unacknowledged manner) vital aspects.
|
| The practical implication is that crypto cannot carve a
| legitimate niche and keep iterating.
|
| The main outcome of a lot of wasted energy (in all senses)
| is to point out that indeed, digitization opens up the way
| to evolve the financial system.
|
| So much we knew, but now it has been drilled into the heads
| of large swaths of politicos, regulators, bankers etc that
| are completely tech illiterate.
| graypegg wrote:
| Fair point, but machine learning has also been creating
| value thru all of that time. There were products that used
| machine learning in the late 90s for many things. DeepBlue!
|
| I think you're thinking of LLMs which only became possible
| with the sheer amount of conversational data we have today.
| They obviously share a lineage with ML, but it's a form of
| training that was impossible several years prior. You can't
| say that IBM DeepBlue was an early LLM and measure the
| timelines like that.
|
| If you know of any watershed moment for crypto that needs
| to happen, I would love to hear it! I just don't see
| anything happening on the horizon.
| nwienert wrote:
| I've been getting and continue to get value from crypto
| for a multitude of uses. There's tons of people using it
| actively, so I just wonder why you choose to ignore that.
|
| A lot more than the very marginal value ML did for its
| first decades of existence. DeepBlue came many decades
| after the field came into being.
|
| And I'm very aware of LLM and the different types of ML.
| It still stands that it was very marginal for decades.
| But it would be easy to write some dismissive comment in
| the 80s that the only thing it's done is play chess for
| millions of dollars - exactly like crypto haters do today
| despite it being a completely nascent field.
| graypegg wrote:
| Fair! I know there's lots of wallet activity on any of
| the big chains right now. I'm a little suspicious of that
| representing real economic activity (filling the role of
| a currency, used as units of exchange) and maybe a bit
| more convinced it's a casino poker chip ledger. It seems
| like the simple majority of people trade and transact out
| of their exchange, to my knowledge.
|
| If that simile of ML is like crypto is true, you stand to
| be quite rich! So best of luck! Best comments have net 0
| right, so hopefully you'll think of me and this thread
| when you're a trillionaire eh? ;)
| giantrobot wrote:
| ML was not marginal for decades. It's been in regular use
| in a number of fields for decades. The current hype is an
| artifact of someone putting a fun interface in front of an
| ML system. Hype around generative imagery and LLMs is
| new, not the technologies themselves.
|
| Crypto has been around for nearly a decade and a half and
| has been really useful for malware and scammers and not
| much else. It's fundamentally broken as a _currency_
| because most coins are designed to be deflationary so
| they behave like securities. It's fundamentally broken
| for micro transactions because transactions are
| ridiculously expensive and slow by design.
| mattdesl wrote:
| AI and machine learning has had several decades to mature
| --and it had multiple "winters" where interest and
| funding waned.
|
| It's possible in 60 years we might see similar leaps from
| distributed ledgers, zero knowledge proofs, verifiable
| computation, fully homomorphic encryption, and other tech
| being spearheaded by the crypto sector.
| graypegg wrote:
| It's always possible! I'm no fortune teller. Many people
| have been wrong and maybe one day I'll be laughing at my
| naivety. But for my own projects for the foreseeable
| future as measured right now, I'll avoid. I just don't
| see it becoming more than poker chips at your exchange of
| choice.
| giantrobot wrote:
| None of those things were invented or really developed by
| the "crypto sector" merely utilized by it. That's not a
| bad thing but it's disingenuous to say the crypto sector is
| really advancing any state of the art. It's implementing
| existing technologies mostly to facilitate scams and tax
| evasion.
| mattdesl wrote:
| All of these are primarily being funded and advanced by
| crypto. "Distributed ledger technology" hardly existed
| before blockchains/Bitcoin. Similar story with ZKP, which
| has gone from academic theory to real-world application
| (see: ZKSNARK) in the last decade primarily from
| blockchain research and funding streams.
| dbmikus wrote:
| There is a max comment depth for me for some reason so I
| cannot reply to graypegg directly...
|
| ZK-proofs are more advanced than just cryptographic
| signatures. The important point is being able to prove
| something without revealing the proof itself. Classic
| example is proving that you have a solution to a sudoku
| board without revealing the solution.
|
| Most ZK proofs actually rely on proving something with
| some probability. That means I don't prove to you with
| 100% certainty that I know the sudoku solution, but
| rather the chance of me lying about knowing a solution is
| < 0.00000001%. Traditionally, zk proofs required many
| iterations to justify the probability of the proof.
| Blockchain use cases advanced research in "succinct"
| proofs. If you search for ZKSNARK, ZKPLONK, and ZKSTARK
| you will find some examples.
|
| To compare to a cryptographic signature, I can use
| classic cryptography to prove that I know a value by
| sharing a signed hash of that value. However, you can
| only verify my proof when I reveal the pre-image. Doing
| the proof entirely on encrypted data is homomorphic
| encryption, and modern zk proofs make use of homomorphic
| encryption to prove things about arbitrary computation.
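
The repeated-round point in the comment above, as an added example that is not part of the thread: a toy interactive proof of knowledge of a discrete logarithm with one-bit challenges, where a prover who lacks the secret passes each round with probability 1/2, so n rounds leave 2^-n. The group parameters, class names and helper functions are constructed for illustration.

```python
"""Toy interactive proof of knowledge of a discrete log, repeated over many rounds."""
import math
import random

# Constructed toy group, far too small for real use: P = 2*Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4


def keygen(rng):
    """Return (secret x, public y = G^x mod P)."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


class HonestProver:
    """Knows x, so it can answer either challenge bit."""

    def __init__(self, x, rng):
        self.x, self.rng = x, rng

    def commit(self):
        self.r = self.rng.randrange(Q)
        return pow(G, self.r, P)

    def respond(self, c):
        return (self.r + c * self.x) % Q


class GuessingProver:
    """Knows only y. Prepares for one guessed challenge bit per round."""

    def __init__(self, y, rng):
        self.y, self.rng = y, rng

    def commit(self):
        self.s = self.rng.randrange(Q)
        t = pow(G, self.s, P)
        if self.rng.randrange(2) == 1:          # guess that c will be 1
            t = t * pow(self.y, -1, P) % P      # then G^s == t * y holds
        return t

    def respond(self, c):
        return self.s                           # correct only if the guess matched c


def run_proof(prover, y, rounds, rng):
    """Verifier: accept only if every round satisfies G^s == t * y^c (mod P)."""
    for _ in range(rounds):
        t = prover.commit()
        c = rng.randrange(2)                    # fresh random challenge bit
        s = prover.respond(c)
        if pow(G, s, P) != t * pow(y, c, P) % P:
            return False
    return True


def rounds_for(max_cheat_probability):
    """Each round halves a guesser's odds, so n rounds give 2^-n."""
    return math.ceil(math.log2(1 / max_cheat_probability))


def cheat_rate(rounds, trials, seed):
    """Fraction of trials in which a prover without x is accepted."""
    rng = random.Random(seed)
    _, y = keygen(rng)
    wins = sum(run_proof(GuessingProver(y, rng), y, rounds, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    rng = random.Random(2023)
    x, y = keygen(rng)
    print("honest prover, 34 rounds:", run_proof(HonestProver(x, rng), y, 34, rng))
    print("guesser accepted, 3 rounds:", cheat_rate(3, 4000, seed=7))
    print("rounds for < 1e-10:", rounds_for(1e-10))
```
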
| graypegg wrote:
| Aren't zero knowledge proofs cryptographic signatures? I
| might be missing something, but that's very much been in
| active use as part of any flavour RSA cryptography going
| back decades.
|
| Distributed ledger technology, though yes that is clearly
| a blockchain technology that wouldn't exist otherwise.
| Fair point.
| bearjaws wrote:
| Well when 90% of your budget goes to marketing and covering
| up your ponzi scheme, doesn't leave a whole lot to
| engineering.
| dylan604 wrote:
| which kind of proves the point that crypto wasn't about the
| everyday person making daily transactions. it was a pipe
| dream of a way to handle large amounts of money while
| minimizing the fees/taxes associated with fiat monies.
|
| if crypto was about the everyday person, it would have been
| made useful
| DaiPlusPlus wrote:
| > What's so comical about this is that common-standard
| digital-first micropayments is THE use case pitch for
| cryptocurrencies
|
| I had been following BTC since ~2009 (when a CS PhD friend of
| mine at uni introduced me to it, as his research project was
| on distributed ledgers) - but from the very start it was made
| clear to me that projects like Bitcoin would never be
| suitable for microtransactions due to the reasons that became
| clear to everyone since then: at the values of
| microtransactions (i.e. under $3 USD) the cost of committing
| that transaction within reasonable time-frame for a
| microtransaction (say, less than a minute for a mobile-game
| IAP purchase) is simply prohibitive and makes the legacy
| incumbent card networks (Visa, Mastercard, etc) seem like
| nimble, customer-pleasing startups.
| spraveenitpro wrote:
| [dead]
| toomim wrote:
| You can use payment channels for microtransactions.
| graypegg wrote:
| Well said. It's a fine line right? I'm not cheering on Visa
| and Mastercard. But they really do have the most customer
| pleasing product. If I'm betting with my own money and
| projects on the future of something, hard to drift towards
| the "universal crypto adoption".
| dbmikus wrote:
| Crypto gets actual real (non-trading/non-gambling) usage in
| parts of LatAm.
|
| This blog post[1] from Vitalik explains a little:
|
| > Unlike wealthy countries like the United States, where
| financial transactions are easy to make and 8% inflation is
| considered extreme, in Argentina and many other countries
| around the world, links to global financial systems are more
| limited and extreme inflation is a reality every day.
| Cryptocurrency often steps in as a lifeline
|
| Some of the users are on battle tested decentralized
| solutions like Ethereum and its rollups. Others transact
| through centralized exchanges because fees are cheaper. And
| others use more centralized blockchain networks such as Tron
| to avoid high fees. On one hand, using central exchanges
| doesn't match up to the decentralized promise of the
| blockchain. On the other hand, it's cool to see people using
| crypto without caring that it's crypto. They just want to
| have access to more stable currencies for payments and
| transactions!
|
| I've seen this myself, from talking to LatAm businesses and
| from a friend in Argentina.
|
| [1]: https://vitalik.ca/general/2022/12/05/excited.html
| olalonde wrote:
| What's comical is when people assume that upending
| established financial systems, such as centuries-old fiat
| currencies and banks, should be a walk in the park. Such
| transformation doesn't merely involve introducing a
| disruptive technology, but necessitates overcoming many legal
| and societal challenges.
|
| If you'd have told anyone in 2009 that an open source
| decentralized currency would eventually become a trillion
| dollar market, or that it would be recognized as legal tender
| in some countries, no one would have believed you. Yet here
| we are with people complaining about how it hasn't yet
| obsoleted the US dollar.
| graypegg wrote:
| Totally fair, it's obviously a bit of a "no true scotsman"
| argument for me to move the goalposts to "crypto is only
| a success if it replaces X".
|
| However if I'm making bets for my own projects, with my own
| money, I'm not seeing the incentives for the sort of
| massive change to actually happen. Love it or hate it, you
| can't just burn down the world and start over, so something
| has to be aligned with the gate keepers to make this work.
| I don't think it is. Without adoption it ceases to be
| valuable to those outside the magic circle, which means
| it's not worth adopting.
| pppppkkkkkkkk wrote:
| [flagged]
| F2hP18Foam wrote:
| On the one hand seems convenient, but on the other, I'm not a fan
| of tech that lowers the friction between my money and my pocket.
| wahnfrieden wrote:
| Let's go back to mailing personal checks to shareware companies
| [deleted]
| thecosas wrote:
| Don't forget to mail them the floppies to load up and send
| back :-)
| tantalor wrote:
| What are you going to use the money for, if not spend it on
| something?
|
| Are you going to make a pile of gold and sit on it like a
| dragon?
| theandrewbailey wrote:
| > Are you going to make a pile of gold and sit on it like a
| dragon?
|
| If you want to buy a house, yes. A pile of gold is also handy
| to start a business.
| bern4444 wrote:
| Some people like to save and invest instead of spending every
| single cent they have.
|
| We'd be a much more stable society if the majority of the
| population wasn't one paycheck away from being financially
| ruined.
|
| 37% of Americans don't have enough savings to cover a $400
| emergency[0]. That percentage goes up as the amount goes up
| and a $400 emergency is easy to hit - medical bill, moving
| expense, car repair, etc. It becomes 68% at $1,000[1].
|
| [0]https://fortune.com/2023/05/23/inflation-economy-consumer-
| fi... [1]https://fortune.com/recommends/banking/57-percent-
| of-america...
| uoaei wrote:
| Saving and investing are not realistic options for you if
| you're living paycheck to paycheck. That's why it's called
| that, because you have no money left over after paying for
| your necessities. Sometimes you don't even get to cover all
| your bills and you start racking up debt or are forced to
| be clever with frugality (read: giving up recurring
| payments like healthcare).
| dantheman wrote:
| Those studies are horribly misinterpreted. Look at the
| original data, it includes using a credit card as not
| having the money...
| Tade0 wrote:
| That still counts in my book. If you have to borrow money
| then you don't actually have it.
| EGreg wrote:
| Saving money is basically buying into the banking industry's
| narrative of a fat bank account, or of borrowing money in
| order to pay it off for 30 years.
|
| Now _investing_ is another story! Buy durable things with
| your cash that hold value over time!
| koprulusector wrote:
| That's what I ask all the 401k nerds. You could literally die
| next week. Sure seems like a great way to live; when you're
| young and in your prime, live below your means to max out
| your 401k, which there's a fair risk you won't live to see or
| enjoy, or... just stop hoarding money and live your life (I'm
| not saying be financially ignorant or irresponsible).
|
| 17.27% of men don't live to age 60, and another ~6%, or
| 23.57% of men overall, don't make it to age 65.[1] For
| reference, one must typically be age 59.5 before they can
| withdraw from their 401k without penalty.
|
| So, if you save for 40 years, live below your means so you
| can maybe have a chance at enjoying all that money you've
| socked away. Pretty crazy to think that nearly a quarter of
| us won't live to see or use the money beyond 5 or 6 years
| after retirement.
|
| * [1] - https://www.ssa.gov/oact/STATS/table4c6.html
| Mordisquitos wrote:
| > 17.27% of men don't live to age 60, and another ~6%, or
| 23.57% of men overall, don't make it to age 65.[1] For
| reference, one must typically be age 59.5 before they can
| withdraw from their 401k without penalty.
|
| You are making the almost certainly mistaken assumption
| that the population of men who _"live below [their] means
| to max out [their] 401k"_ are representative of the overall
| population of American men with regards to life expectancy.
| ndriscoll wrote:
| There are a few ways you can withdraw from your 401k early
| without penalty. The best is probably Roth conversion
| laddering, which requires that you plan your withdrawals 5
| years ahead of time. If you have a spouse and children,
| then it also makes sense to consider what will help you
| best set them up for a good life; you might not get to
| benefit much from that savings, but maybe your children
| will be able to avoid starting their adulthood as debt/rent
| slaves.
| shadowgovt wrote:
| As someone who spends quite a bit of his time counting the
| sand in the hourglass that is one of his relatives'
| retirement funds...
|
| There's no definite win-strategy here. It is possible to
| die young. It is possible to outlive your savings and live
| a miserable final years. We can't guarantee a happy
| solution.
|
| (Well, TBF, we could _decrease_ the misery of the one
| option by deeply funding social security, not to sustain it
| but to raise to a higher standard of living than previous
| generations ever knew because we currently live in a world
| with a higher productive capacity than previous generations
| ever knew. So I'm speaking of transient political reality
| and not concrete laws of the universe.)
| theandrewbailey wrote:
| > www.ssa.gov
|
| Interesting you cite Social Security, the mandatory pyramid
| scheme that every American pays into and many/most retirees
| rely on for income. If you die before you retire, you get
| nothing from Social Security. If you have a 401k and die
| before using all the money in it, your beneficiaries (the
| people who inherit your stuff when you die) keep it;
| nothing like that happens to your Social Security benefits.
| dragonwriter wrote:
| > If you die before you retire, you get nothing from
| Social Security. If you have a 401k and die before using
| all the money in it, your beneficiaries (the people who
| inherit your stuff when you die) keep it; nothing like
| that happens to your Social Security benefits.
|
| Social security has both death and survivors benefits,
| actually.
| uoaei wrote:
| I think maybe the focus of GP was on impulse purchases, but
| more likely it was just a cheeky comment.
| ricardobayes wrote:
| That friction could use some lubrication, at least in Europe. I
| loathe outdated/misconfigured card payment terminals outright
| declining payments that go over the 100EUR cumulative total on
| contactless. The better configured ones just ask for a PIN and
| that's it. But there are many which just decline the
| transaction, leaving both me and the shopkeeper frustrated
| requiring me to "try again".
| doublerabbit wrote:
| Contactless in the UK lets you use the card five times before
| you have to Chip&Pin to reset.
|
| Pointless and all that is displayed is "Declined". Embarrassing if
| you're paying in the party.
| lozenge wrote:
| That's not my experience, it lasts many more times for me
| and it says "INSERT CARD". Which is also what it says when
| you haven't got money to cover the payment.
| resfirestar wrote:
| I think this would add friction on the whole, adding an
| authentication step to transactions where you currently just
| type in your card number and hit submit. It reduces friction
| compared to an alternative where you confirm transactions with
| SMS codes, but I don't think that is very common.
| sofixa wrote:
| It's mandatory in the EU since PSD2 to have an extra
| validation step like authorising in the bank's app or via
| SMS.
| mcv wrote:
| It's not clear to me from the article how this is supposed to
| work.
|
| My favourite payment system is still the Dutch iDeal: merchant
| creates a payment request, redirects the user to their own bank,
| the user uses the bank's authorization system to authorize the
| payment, informs the merchant that payment is successful, and
| then redirects the user back to the merchant who now knows the
| transaction is successful, without having to know anything about
| how the user paid.
| naillo wrote:
| Seems like something stripe should be pretty worried over
| ceejayoz wrote:
| This doesn't threaten Stripe at all. They already process Apple
| Pay payments.
| jaywalk wrote:
| Nope, not at all.
| graypegg wrote:
| > Stripe conducted a pilot with an early implementation of SPC
| and, in March 2020 reported that, compared to one-time
| passcodes (OTP), SPC authentication led to an 8% increase in
| conversions at the same time checkout was 3 times faster.
|
| They seem pretty excited about it.
| edwinwee wrote:
| Yep, Stripe partnered with W3C on this. Built into Stripe
| Checkout (and now Link).
| scrollaway wrote:
| Unlike many companies out there such as Intuit, stripe doesn't
| rely on the world continuing to suck in order to exist.
| data-ottawa wrote:
| Stripe is where the money goes to and handles getting it to
| your bank, this is better and faster authentication of
| purchase.
|
| It should reduce fraud and apparently improve conversion rates,
| so that's a big win for Stripe.
| kevinsundar wrote:
| https://www.w3.org/blog/wpwg/2021/03/26/secure-payment-confi...
|
| This describes Stripe's early involvement in the spec.
| gigatexal wrote:
| lol that url applemust is a bit much. Really cool that there
| might be some standards incoming though
| amielucha wrote:
| W3C should standardize cookie policy banners, and popups. This
| monstrosity of a feature should have always been a browser
| feature, not a burden for web developers.
| laszlokorte wrote:
| I never understood why websites are required to inform about
| cookies if it's actually the browsers who store the cookies on
| the device and send them back to the server.
|
| How about a domain.tld/.well-known/cookies.txt file that
| contains a description about each cookie-key and then let the
| browser provide the UI for displaying that information and
| being configurable on which individual cookies to store for how
| long? (and for example discard all cookies that are not
| described in the cookies.txt file)
| danShumway wrote:
| Interesting that this is built on top of FIDO/webauthn.
|
| I'm still somewhat worried about webauthn but recent news around
| it has (imo) been moving in a more positive direction and I'm
| less worried about it than I used to be. So I would really love
| to be cautiously optimistic about this.
|
| Assuming webauthn turns out well, this seems to be a pretty
| natural and pretty useful extension.
| dlisboa wrote:
| Edit: looks like I made a fool of myself. I didn't know about
| Apple's other implementation of a similar feature.
|
| It seems nice but I think Apple will never implement this for
| Safari, even if standardized. It'd bypass their AppStore and make
| the web even more "app-like", which they already aren't crazy
| about.
| madeofpalk wrote:
| SPC does not handle payments, it handles authentication. SPC is
| designed to work in scenarios like Plaid and 3D Secure, not for
| what Apple Pay (or the app store) does.
|
| I believe SPC comes out of the Authn working group.
|
| > _This specification defines an API that enables the use of
| strong authentication methods in payment flows on the web. It
| aims to provide the same authentication benefits and user
| privacy focus as [webauthn-3] with enhancements to meet the
| needs of payment processing._
|
| https://www.w3.org/TR/secure-payment-confirmation/
| scarface_74 wrote:
| Apple has supported the Payments Request API for five years
|
| https://developer.mozilla.org/en-US/docs/Web/API/Payment_Req...
|
| https://webkit.org/blog/8182/introducing-the-payment-request...
| refulgentis wrote:
| Correct. The article is about a new standard.
| scarface_74 wrote:
| The conjecture was that Apple wouldn't support the new
| standard because it would give an "app like experience".
|
| The closest similarity we have is that Apple supported the
| existing payment standard relatively early on.
| joombaga wrote:
| Does the existing standard make the web more app-like?
| scarface_74 wrote:
| The existing one, you click on a button on the web and it
| takes you through the same Apple Pay process flow that
| you go through when you pay in app with Apple Pay for
| something like Uber.
|
| In app purchases - Apple takes 30% for electronic goods
| in the App Store
|
| Apple Pay - Apple charges standard credit card fees on
| the web or via the App Store.
|
| As mentioned above, you can use Apple Pay in app if you
| sell physical goods.
| cormacrelf wrote:
| I think you might be forgetting that Apple Pay exists and has
| worked on the web for years. This looks like a standardised
| version of Apple Pay.
| refulgentis wrote:
| Incorrect. The standardized version of Apple Pay is the
| Payments Request API, which has been in place for years.
| DrBenCarson wrote:
| And has been supported by Apple for 5 years.
| refulgentis wrote:
| You're absolutely correct, and there's privacy concerns for
| Apple in the spec, e.g. the user's info is now sent with
| transactions.
|
| c.f. example of how merchants M1 and M2 could collude to
| identify payment method P1 and P2 are connected to the same
| user
|
| EDIT: Throttled on new comments
|
| I agree: I'd take up more detailed Qs with the article writer &
| spec/proposal, they seem sure it's different.
|
| I also agree if the new proposal is the same as the old
| proposal, it does seem likely Apple would implement it.
|
| I don't understand why the W3C would make a new proposal that
| was the same as the old one, but...forget it Jake, it's
| Chinatown web specs.
| scarface_74 wrote:
| The user's info is sent with the existing Payments Request
| API. If you use Apple Pay on the web, it will send your name
| and address if requested for shipping physical goods.
| coffeedoughnuts wrote:
| ApplePay in-the-web has existed since the inception of the
| feature. I'm not sure how the App Store is relevant here?
| refulgentis wrote:
| This is a new web standard, it's not Apple Pay.
| scarface_74 wrote:
| No one is disputing that this is a new standard. The
| dispute is that Apple wouldn't support it because it would
| take away from some hypothetical App Store revenue. Apple
| already supports the existing standard showing the argument
| doesn't hold.
| refulgentis wrote:
| Article & spec mention privacy issues re: connecting
| users to payments, that seemingly would allow someone to
| pay for an app subscription without going through the
| store, since the payment receiver gets user details
| madeofpalk wrote:
| This is possible already with Apple-supported Payment
| Request API (and even without those APIs, like just
| logging into a website). This is how Netflix on iOS
| works, which is explicitly supported (though with stupid
| caveats) by Apple.
| w_for_wumbo wrote:
| Let's hope you can't just pass through "NoNe" as the algorithm
| and break the entire thing like _some_ JWTs
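
The failure mode the comment above alludes to, as an added example that is not part of the thread and not any particular library's code: a verifier that blocklists the exact string "none" but resolves algorithms case-insensitively, beside one that pins the algorithm on the verifier side. The key, claims and function names are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(key, signing_input):
    return b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def make_token(header, claims, key=None):
    """Build a compact JWS; with no key the signature part is left empty."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + (hs256(key, signing_input) if key else "")


def _split(token):
    h, c, sig = token.split(".")          # wrong part count raises ValueError
    return json.loads(unb64url(h)), json.loads(unb64url(c)), h + "." + c, sig


def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())


# Flawed pattern: the token chooses the algorithm, and the lookup is
# case-insensitive while the blocklist check is not.
_SIGNERS = {"hs256": hs256, "none": lambda key, signing_input: ""}


def verify_flawed(token, key):
    header, claims, signing_input, sig = _split(token)
    alg = header.get("alg", "")
    if alg == "none":                      # only the exact spelling is refused
        raise ValueError("unsigned tokens not accepted")
    signer = _SIGNERS.get(alg.lower())     # "NoNe" resolves to the no-op signer
    if signer is None or not _same(signer(key, signing_input), sig):
        raise ValueError("bad signature")
    return claims


def verify_strict(token, key, allowed=("HS256",)):
    """Hardened: the verifier fixes the algorithm; the header is only checked against it."""
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") not in allowed:   # exact match against an allowlist
        raise ValueError("algorithm not allowed")
    if not sig or not _same(hs256(key, signing_input), sig):
        raise ValueError("bad signature")
    return claims


def accepts(verify, token, key):
    try:
        verify(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"
    signed = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, key)
    unsigned = make_token({"alg": "NoNe", "typ": "JWT"}, {"sub": "admin"})
    for name, verify in (("flawed", verify_flawed), ("strict", verify_strict)):
        print(name, "signed:", accepts(verify, signed, key),
              "unsigned NoNe:", accepts(verify, unsigned, key))
```
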
| skilled wrote:
| The W3 press release and a relevant Chrome link,
|
| https://www.w3.org/2023/06/pressrelease-spc-cr.html.en
|
| https://developer.chrome.com/articles/secure-payment-confirm...
| SoftTalker wrote:
| Since I'm getting 500 errors,
| https://www.w3.org/TR/secure-payment-confirmation/
| Brendinooo wrote:
| How is it different than the Payment Request API?
| koprulusector wrote:
| This is explicitly to authenticate payment, cryptographically
| sign/verify user consent. It's about authentication and less
| about the paying.
| EGreg wrote:
| Whew. I saw the word crypto... and figured that the W3C is
| running a ponzi scam. No one is above ridicule the moment I
| see crypto involved! It has no good use cases and that's
| final
| nightpool wrote:
| Adds integration with WebAuthn to skip 3DSecure/SCA popups in
| cases where the user has a biometric authenticator that's been
| registered with the bank
| dbbk wrote:
| Sounds like it's Payment Request API + the biometric
| verification, so no more "open your bank app to approve this
| transaction"
___________________________________________________________________
(page generated 2023-06-15 23:01 UTC)