New secure payment feature in upcoming versions of Google Chrome

As part of the latest beta version of Chrome 95, Google announced the inclusion of a feature for secure payment, basing its operation on connecting to the web authentication API in order to implement an additional web-based layer of security.

The feature adds a new “payment” extension to such an API, allowing institutions such as banks to optionally offer a PublicKeyCredential. A seller or service provider can query this credential during payment transactions through the Payment Request API using the “Secure Payment Confirmation” payment method.

Secure payment confirmation enables FIDO-based authentication. Users enroll a payment instrument using biometric data on the device, in addition to creating a FIDO credential that can be delivered to a payment service provider, such as Stripe; this credential can be used in subsequent transactions for users authentication.

This new feature can also generate a signed challenge that includes the value of the transaction. According to Google, in the testing stage the secure payment confirmation “provided a higher conversion rate and faster authentication time” than the latest version of 3-D Secure authentication flows.

Google also claims that this approach is considered to be a more efficient and secure method than WebAuthn and other alternatives for browser-based authentication. This technology comes at a very opportune time, considering that entities such as the European Union are establishing stricter measures for the support of online payments.

The beta version of Chrome 95 was released a week ago, while the most recent general version of Chrome will arrive to browser users on October 19; this release will remove the U2F API for interaction with security keys.

The beta version has also got rid from support for FTP URLs, a little-used legacy technology that has been replaced by more efficient FTP clients.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.