A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online.

Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords.

Websites will be able to use the standard to create one-click buttons that allow the user to buy a product without entering his payment details on each and every site on the Internet.

New Payment Request API makes buying stuff a lot easier

A popup will appear showing payment and shipping details. The user can then select the payment and shipping method of his liking, along with a delivery address, both previously saved in the browser.

Payment Request API

Payment Request API

Payment Request API

You can test Payment Request API demos here.

Chrome and Edge already support it

Browsers that support the Payment Request API include Google Chrome, who first added support for it in Chrome for Android 53 in August 2016, and added desktop support last month, with the release of Chrome 61.

Microsoft Edge also supports the Payment Request API since September 2016, but the feature requires that users register a Microsoft Wallet account before using it.

Firefox and Safari are still working on supporting the API, and so are browser implementations from Facebook and Samsung, both eager to provide a simpler payment mechanism than the one in use today.

Under the hood, the Payment Request API works by providing a vendor-agnostic system for handling financial transactions.

When a user places an order, the website makes an API call to the user's browser, forwarding details about the order. The browser then takes over, prompting the user with a popup, asking for card details (if none exist) and a delivery/shipping address that is also stored in the browser's autofill section.

With these details selected, the browser — and not the website — contacts the user's payment handler, which can be Visa, Mastercard, or any of the other major credit card providers.

Once the payment has gone through, the browser sends back a response to the website, which records the transaction and moves forward with shipping the product, knowing that money is already in its bank account.

Payment Request API modus operandi

Online stores don't need to store card data anymore

Payment providers like PayPal or Amazon might not be on board with this new API since it makes them obsolete, but almost everyone else is. The Payment Request API is one of the few World Wide Web Consortium standards where most of the major technology firms have chipped in suggestions.

The API is also a godsend for the security and e-commerce industry since it spares store owners from having to store payment card data on their servers. This means less regulation and no more fears that an online store might expose card data when getting hacked.

By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user.

Of course, this also opens the door for malware, such as password dumpers and infostealers, which would be able to extract the card information and pilfer it, along with the user's passwords.

Privacy fears exist

In many ways, the Payment Request API is a much secure method of handling online transactions, but it's not perfect either.

For starters, browser makers now have a full view of your finances and transactions, a situation that some people might not like, and will refuse to store any such information in their browser.

This leads to situations where the Payment Request API will not be able to replace classic payment methods in full and will be just another stick in a pile of payment options and W3C standards.

In addition, since the API is still under development, bugs that are not addressed now will make it through in the final implementation.

Two such issues were recently discovered by Dr. Lukasz Olejnik, independent cybersecurity and privacy researcher, affiliatee of Princeton’s Center for Information Technology Policy.

The researcher notes that sites that don't sell any products or advertisers could abuse the API to fingerprint and profile users (detect what payment options each user/browser has stored in its settings), or detect when the user is paying from a normal or incognito mode session.

"I believe both issues might have their origin in the specification," said Olejnik, who reported both issues to the appropriate W3C group.

Work on the Payment Request API is expected to conclude by the end of the year, which gives participants enough time to iron out problematic issues.