Use Case: 3DS 1.0 flows and invoking PR API from inside an iFrame

[adrianhopebailie]

This is issue is here to track progress on a use case that was highlighted during the Web Payments Security Interest group meetings at TPAC.

The use case is as follows:

• When a merchant initiates a card transaction using 3DS they will get back a URL which they will render in an iframe. This content is hosted by the user's card issuer (or their behalf) in a system called the ACS.
• The user provides some interaction with the ACS-hosted content through which they authenticate themselves (and authorise the transaction).
• The user interaction may involve providing an OTP that was sent to the user via another channel (e.g. SMS) or providing a biometric credential etc.

Current notes/challenges with this case are:

1. The ability to invoke Payment Request from within the iframe
2. The ability to invoke webAuthN from within the iframe
3. The need for the PR API to be invoked by the ACS (as opposed to the merchant which is the original intent

cc @rsolomakhin @ianbjacobs @jeremywagemans @btidor-stripe

[TG1999]

I will like to work on this issue, please can someone guide me to resolve this issue :)

[k2snowman69]

Would this issue be part of https://github.com/w3c/3ds instead? Or is that only handling 3ds 2.0 scenarios?

[ianbjacobs]

Hi @k2snowman69,

We are not currently working on a 3DS-specific payment method. Instead we've taken up SRC as an umbrella; see:
https://github.com/w3c/src/wiki

I think this issue is mostly for us to track Web Authentication version 2 capabilities with respect to some use cases where PR API or authentication are called from iframes.

[ianbjacobs]

Closing this in light of work on SPC. We can reopen if needed.