Browsers can use something called the Payment Request API to save users’ credit card data and shipping information in the same way they save passwords.
The API in essence designates browsers as intermediaries in an online transaction. When a “payer” makes a purchase at an online store operated by a “payee” using a supported web browser like Google Chrome or Microsoft Edge, the Payment Request API constructs a popup that asks the payer to fill in their payment card details and billing/shipping information. The browser then contacts the payer’s “payment handler,” or payment card provider like Visa or MasterCard, so that it can authorize the transaction.
Upon completion of that transaction, the browser sends proof of the transaction to the payee so that it can move forward with completing the purchase. It also stores the payer’s pieces of information in the Autofill settings for future use.
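To make the flow above concrete from the payee’s side, here is an added example (not code from the article or from any browser vendor) of a store page constructing a request, showing the browser’s payment sheet, and confirming or failing the transaction after its own server has authorized it. The item names, the `/api/checkout` endpoint and the `https://example.invalid/pay` method identifier are placeholders.

```javascript
// Added example: merchant-side checkout with the Payment Request API.
// Amounts are kept in integer minor units (cents) and formatted only when
// building the request, so totals are never computed in floating point.
const CURRENCY = "USD";

// Format integer minor units as the decimal string the API expects ("12.50").
function toAmountString(minorUnits) {
  if (!Number.isInteger(minorUnits) || minorUnits < 0) {
    throw new RangeError("amount must be a non-negative integer in minor units");
  }
  return `${Math.floor(minorUnits / 100)}.${String(minorUnits % 100).padStart(2, "0")}`;
}

// Build the PaymentDetailsInit dictionary from a cart of {label, minorUnits} items.
function buildPaymentDetails(cart) {
  const displayItems = cart.map((item) => ({
    label: item.label,
    amount: { currency: CURRENCY, value: toAmountString(item.minorUnits) },
  }));
  const totalMinor = cart.reduce((sum, item) => sum + item.minorUnits, 0);
  return {
    displayItems,
    total: { label: "Total", amount: { currency: CURRENCY, value: toAmountString(totalMinor) } },
  };
}

// Ask the browser only for what the order needs: shipping for physical goods, no extra PII.
function buildPaymentOptions(needsShipping) {
  return { requestPayerName: false, requestPayerEmail: false, requestShipping: needsShipping };
}

// Run the checkout where the API exists; callers fall back to a plain form when null is returned.
// The method identifier is a constructed placeholder, not a real payment handler.
async function checkout(cart, needsShipping) {
  if (typeof PaymentRequest === "undefined") return null; // feature detection
  const methodData = [{ supportedMethods: "https://example.invalid/pay" }];
  const request = new PaymentRequest(methodData, buildPaymentDetails(cart), buildPaymentOptions(needsShipping));
  const response = await request.show(); // browser shows its payment sheet to the payer
  try {
    // response.details is what the browser hands the payee; authorize it server-side
    // first, and only then tell the browser the transaction succeeded.
    await fetch("/api/checkout", { method: "POST", body: JSON.stringify(response.details) });
    await response.complete("success");
  } catch (err) {
    await response.complete("fail");
    throw err;
  }
  return response;
}
```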
You can check out demos of the API in action here.
Looks pretty nifty, right?
Catalin Cimpanu of Bleeping Computer notes that the Payment Request API is more than just a pretty face for completing online transactions. He also points out that the API comes with some potential security benefits for payees:
“The API is also a godsend for the security and e-commerce industry since it spares store owners from having to store payment card data on their servers. This means less regulation and no more fears that an online store might expose card data when getting hacked.
“By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user.”
Of course, that shift in responsibility comes with its own problems. Users might not like browsers’ ability to store more of their information. To win over those who are conscious of their security, browsers will need to strengthen their data security policies so that users’ passwords and the data collected by the Payment Request API are protected against infostealers and similar malware.
Even so, there’s still the challenge of attackers exploiting issues in the Payment Request API, such as the ability to profile users and detect incognito mode.
The Payment Request API also demands that users take greater responsibility for their data security. As such, users should keep an eye out for malicious emails, and they should be careful about what sites they visit, especially if they’re looking to make a purchase.
Firefox and Safari support for the API is expected to roll out in the coming months.