Payment Method Identifiers

Abstract

This specification defines payment method identifiers and how they are validated, and, where applicable, minted and formally registered with the W3C. Other specifications (e.g., the Payment Request API) make use of these identifiers to facilitate monetary transactions on the web platform.

Status of This Document

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

The working group demonstrates implementation experience by producing an implementation report. The report shows two or more independent implementations passing each mandatory test in the test suite (i.e., each test corresponds to a MUST requirement of the specification).

There has been no change in dependencies on other working groups during the development of this specification.

This document was published by the Web Payments Working Group as a Recommendation using the Recommendation track.

W3C recommends the wide deployment of this specification as a standard for the Web.

A W3C Recommendation is a specification that, after extensive consensus-building, is endorsed by W3C and its Members, and has commitments from Working Group members to royalty-free licensing for implementations. Future updates to this Recommendation may incorporate new features.

This document was produced by a group operating under the 1 August 2017 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 2 November 2021 W3C Process Document.

Table of Contents

  Abstract
  Status of This Document
  1. Payment method identifiers (PMIs)
    1.1 Validity
  2. URL-based payment method identifiers
    2.1 Validation
    2.2 Comparison
    2.3 Fetching (dereferencing)
  3. Standardized payment method identifiers
    3.1 Validity
    3.2 Comparison
  4. Registry of standardized payment methods
  5. URL-based PMI and third-party payment handlers
  6. Security considerations
  7. Privacy considerations
  8. Conformance
  A. Index
    A.1 Terms defined by this specification
    A.2 Terms defined by reference
  B. References
    B.1 Normative references
    B.2 Informative references

A payment method identifier (PMI) is either a:

Specifications that rely on payment method identifiers MUST specify their own rules for handling invalid payment method identifiers.

The steps to validate a payment method identifier with a string pmi are given by the following algorithm. It returns true if the pmi is valid.

  1. Let url be the result of running the basic URL parser with pmi.
  2. If url is failure, validate a standardized payment method identifier with pmi and return the result.
  3. Otherwise, validate a URL-based payment method identifier passing url and return the result.

A URL-based payment method identifier is a URL that is valid as per the steps to validate a URL-based payment method identifier.

Note

Developers wanting to use a URL-based payment method identifier for a third party payment handler are encouraged to read the Payment Method Best Practice document.

The steps to validate a URL-based payment method identifier are given by the following algorithm. The algorithm takes a URL url as input and returns true if the URL is valid:

  1. If url's scheme is not "https", return false.
  2. If url's username or password is not the empty string, return false.
  3. Otherwise, return true.

Example 1: valid and invalid URL-based PMIs

const valid = [
  {
    supportedMethods: "https://example.com/pay",
  },
  {
    supportedMethods: "https://example.com/pay?version=1",
  },
  {
    supportedMethods: "https://example.com/pay/version/1",
  },
];

const invalid = [
  {
    // ❌ Uses http://, a username, and a password.
    supportedMethods: "http://username:password@example.com/pay",
  },
  {
    // ❌ Uses unknown URI scheme.
    supportedMethods: "unknown://example.com/pay",
  },
];

User agents MUST perform comparisons of URL-based payment method identifiers using [URL]'s equal.

It is OPTIONAL for user agents to fetch a URL-based payment method identifier.

A standardized payment method identifier is a string that represents a standardized payment method.

The syntax of a standardized payment method identifier is given by the following [ABNF]:

stdpmi = part *( "-" part )
part = 1loweralpha *( DIGIT / loweralpha )
loweralpha =  %x61-7A

User agents MAY support zero or more standardized payment method identifiers listed in section 4. Registry of standardized payment methods.

The steps to validate a standardized payment method identifier are given by the following algorithm. The algorithm takes a string as input and returns true if the identifier is valid:

  1. Return true if string conforms to the syntax of a standardized payment method identifier. Otherwise, return false.

For standardized payment method identifiers, user agents MUST perform string comparisons using is.
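
The validation and comparison steps for both URL-based and standardized identifiers, as an added JavaScript example (not part of the specification). It assumes the runtime's `URL` constructor implements the basic URL parser; the function names and the sample identifiers are constructed for illustration.

```javascript
// Added example, not part of the specification; function names are illustrative.
const STD_PMI = /^[a-z][a-z0-9]*(?:-[a-z][a-z0-9]*)*$/; // the stdpmi ABNF as a regex

// Basic URL parser run without a base URL; null stands for "failure".
function parseUrl(pmi) {
  try { return new URL(pmi); } catch { return null; }
}

function validateUrlBasedPmi(url) {
  if (url.protocol !== "https:") return false;                  // step 1: scheme must be https
  if (url.username !== "" || url.password !== "") return false; // step 2: no embedded credentials
  return true;                                                  // step 3
}

function validateStandardizedPmi(str) {
  return STD_PMI.test(str);
}

function validatePmi(pmi) {
  const url = parseUrl(pmi);
  // Parse failure routes to the standardized check, success to the URL-based check.
  return url === null ? validateStandardizedPmi(pmi) : validateUrlBasedPmi(url);
}

// URL-based PMIs compare by URL equality (serializations match, fragment included);
// standardized PMIs compare by exact string identity.
function pmiEquals(a, b) {
  if (!validatePmi(a) || !validatePmi(b)) return false;
  const ua = parseUrl(a);
  const ub = parseUrl(b);
  if (ua && ub) return ua.href === ub.href;
  if (ua || ub) return false; // one URL-based, one standardized
  return a === b;
}

// Constructed sample inputs.
const samples = [
  "https://example.com/pay",
  "HTTPS://EXAMPLE.com/pay",      // parser normalizes scheme and host before the checks
  "https://user@example.com/pay", // username present
  "unknown://example.com/pay",    // parses, but scheme is not https
  "example-pay2",                 // matches stdpmi syntax
  "Example-Pay",                  // uppercase is outside loweralpha
  "example--pay",                 // empty part between hyphens
];
for (const s of samples) console.log(JSON.stringify(s), validatePmi(s));
```

Because the checks run on the parsed URL rather than the raw string, a case-variant scheme or host validates and compares equal to its normalized form, while a path difference such as a trailing slash does not.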

This section is non-normative.

A standardized payment method is a payment method that has undergone standardization at the W3C, and is listed in this registry.

At this time there are no standardized payment method identifiers.

This section is non-normative.

Developers wanting to use a URL-based payment method identifier for a third party payment handler are encouraged to read the Payment Method Manifest specification and the Payment Method Best Practice wiki page. Together, these documents describe how to manage the ecosystem of authorized payment handlers for a payment method, including just-in-time payment handler installation by the browser.

This specification does not introduce any new security considerations.

There are no known privacy or security concerns to be taken into consideration at this time.

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY, MUST, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

[ABNF]

Augmented BNF for Syntax Specifications: ABNF. D. Crocker, Ed.; P. Overell. IETF. January 2008. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc5234

[fetch]

Fetch Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://fetch.spec.whatwg.org/

[infra]

Infra Standard. Anne van Kesteren; Domenic Denicola. WHATWG. Living Standard. URL: https://infra.spec.whatwg.org/

[RFC2119]

Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119

[RFC8174]

Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174

[URL]

URL Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://url.spec.whatwg.org/

[payment-method-manifest]

Payment Method Manifest. Dapeng(Max) Liu; Domenic Denicola; Zach Koch. W3C. 12 December 2017. W3C Working Draft. URL: https://www.w3.org/TR/payment-method-manifest/

[payment-request]

Payment Request API. Marcos Caceres; Rouslan Solomakhin; Ian Jacobs. W3C. 30 September 2021. W3C Proposed Recommendation. URL: https://www.w3.org/TR/payment-request/