Browsers can use something called the Payment Request API to save users’ credit card data and shipping information as they would passwords.
The API in essence designates browsers as intermediaries in an online transaction. When a “payer” makes a purchase at an online store operated by a “payee” using a supported web browser like Google Chrome or Microsoft Edge, the Payment Request API constructs a popup that asks the payer to fill in their payment card details and billing/shipping information. The browser then contacts the payer’s “payment handler,” or payment card provider like Visa or MasterCard, so that it can authorize the transaction.
Upon completion of that transaction, the browser sends proof of the transaction to the payee so that it can move forward with completing the purchase. It also stores the payer’s pieces of information in the Autofill settings for future use.
You can check out demos of the API in action here.
Looks pretty nifty, right?
Catalin Cimpanu of Bleeping Computer notes that the Payment Request API is more than just a pretty face for completing online transactions. He also points out that the API comes with some potential security benefits for payees:
“The API is also a godsend for the security and e-commerce industry since it spares store owners from having to store payment card data on their servers. This means less regulation and no more fears that an online store might expose card data when getting hacked.
“By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user.”
Of course, that shift in responsibility comes with its own problems. Users might not like browsers’ ability to store more information on them. To help convince those who are conscientious of their security, browsers will need to ramp up their data security policies to protect users’ passwords and data collected by the Payment Request API against infostealers and similar malware.
Even so, there’s still the challenge of attackers exploiting issues in Payment Request API, such as the ability to profile users and detect incognito mode.
The Payment Request API also demands that users take greater responsibility for their data security. As such, users should keep an eye out for malicious emails, and they should be careful about what sites they visit, especially if they’re looking to make a purchase.
Support for Firefox and Safari of the API is expected to roll out in the coming months.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
3 comments on “Do you trust your browser to save your credit card data and shipping info?”
Security minded individuals are going to flood the 800 numbers of businesses. They will soon find out they have to hire more people because users will not trust their browsers.
Which users are likely to "…take greater responsibility for their data security"? All the users who encrypt their email? All the users who subscribe to security newsletters? All the users who apply all patches conscientiously, and back up regularly, and never click on links in emails from untrusted sources? All the users who even THINK about security?
I doubt that such users are representative of the broad masses, which partly explains why there was over $3 billion in email-related theft last year, and that's only a fraction of the total losses from cybercrime…a number that isn't even fully known, but apparently increases daily.
There are three relevant points here:
1. People won't (can't) take action on things they don't understand, or aren't even aware of in the first place. In my experience, security illiteracy is almost as epidemic as science and math illiteracy.
2. Taking greater responsibility is exactly what people don't want to do. The vendors might be happy that the pressure's off them, but putting the responsibility on users is just transferring the problem to a repository of even greater ignorance and incompetence (see Point 1). And eventually, when that comes home to roost…
3. The predictable result of more widespread theft due to users' inability to secure their systems will raise a public outcry that The Government Should Do Something™. At that point, the politicians get involved. They usually are at least as ignorant and incompetent as the people who elect them, but are only too happy to pass new laws that fail to solve the problem but succeed brilliantly in restricting everyone's freedom of choice.
So, while I think it would be great if users took more responsibility (and some will), most won't. The solution is going to have to come from the browser developers. They're already the most qualified to tackle the problem.
Of course, no application is bulletproof. And browsers can’t make up for irresponsible behavior. The solution to that is education, but education takes time, and mass education is difficult at best.
Thanks for a very informative article. I only wish that those who read it were the norm, not the exception.
Agree entirely with Pete. Why has it took 3 years for me to read it?