FIDO Web Pay
Table of Contents
1 Introduction
2 Scope
3 Terminology
4 Credential Database
5 Enrollment
6 Detailed Operation
    1: Initiate PaymentRequest
    2: Show Payment Authorization UI
    3: Perform User Authorization
    4: Create FWP Assertion
        4.1 Extract PaymentRequest Core Data (PRCD)
        4.2 Create Authorization Data (AD)
        4.3 Create Signed Authorization Data (SAD)
        4.4 Create Encrypted Signed Authorization Data (ESAD)
        4.5 Assemble FWP Assertion
    5: Return FWP Assertion
    6: Process FWP Assertion and Create PSPRequest Object
    7: Send PSPRequest Object
    8: Process PSPRequest and Create IssuerRequest Object
    9: Send IssuerRequest Object
    10: Process IssuerRequest
        10.1 Core Validation
        10.2 Extract Signed Authorization Data (SAD)
        10.3 Validate Request Data
        10.4 Validate Authorization Signature
        10.5 Replay Handling
        10.6 Other Validation Steps
8 Delegated Authorization
    D1: Process PSPRequest and Create AuthorizeRequest Object
    D2: Send AuthorizeRequest Object
    D3: Process AuthorizeRequest
    D4: Return Authorized Data
    D5: Create Payment Instruction
    D6: Invoke "Payment Rails"
    D7: Process Payment Instruction
Security and Privacy Considerations
Integration
Extensions
Implementation Options
Usage of CBOR
Acknowledgements
Document History
Authors
Trademarks
1. Introduction
EMV® represents the current "Gold Standard" for secure and convenient payments in the physical world.
This document describes FIDO® Web Pay (FWP), which is a Web-adapted version of EMV, combining the technology underpinning FIDO2 with the W3C PaymentRequest API and a browser-resident (built-in) payment application.
Apart from obvious data format differences (CBOR/JSON/JavaScript versus ISO7816), this specification introduces two major enhancements to EMV:
  1. By separating account numbers from issuer (bank branch) identifiers, FWP can be used with virtually any account-based payment system, including the eurozone's SEPA Instant.
  2. Through encryption of user-authorizations, FWP enables additional security and privacy features:
    • Obviating the need for external tokenization services.
    • Limiting the amount of personally identifiable information (PII) shared with third parties like merchants to the name of the user's bank and payment network, making FWP intrinsically compliant with PCI requirements as well as with GDPR.
Since changes in payment systems typically require updating multiple "backend" components and services, FWP was designed from the ground up to keep the complexity of matching backends at a comparatively modest level.
2. Scope
Note that FWP is not a payment system; it is a universal payment authorization method, exclusively dealing with the user's part of the payment process. That is, the backend infrastructure and associated APIs are out of scope for this specification. See also Integration.
However, to guide implementers, this document outlines a sample infrastructure at a "conceptual" level. Note though that, regardless of backend design, FWP assertions must (due to the EMV end-to-end security model) always be routed back to the designated issuer "verbatim" (together with other required data) in order to initiate a payment transaction.
3. Terminology
Throughout the rest of this document, actor names are written as Name. The Browser actor is in this specification considered to be equivalent to "User Agent". In this specification, a PSP (Payment System Provider) denotes any service or network acting as a trusted intermediary between a Merchant and an Issuer. In FWP objects, Merchant is referred to as "payee".
In this document CBOR primitives are expressed in CDDL [RFC8610] notation.
4. Credential Database
The steps outlined in Detailed Operation depend on the User already having received one or more FWP credentials ("Virtual Cards") in an Enrollment process. FWP credentials are stored in a local database in the client device, where each entry is supposed to contain the following CBOR attributes:
Name | Label | Type | Description
version | 1 | tstr | Since credential data may evolve over time, versioning is necessary. This specification covers version "https://fido-web-pay.github.io/ns/w1", which is compatible with FWP assertions of the type described here ("https://fido-web-pay.github.io/ns/p1").
credentialId | 2 | bstr | FIDO key identifier for creating FWP signatures.
rpId | 3 | tstr | FIDO relying party (domain) identifier for maintaining Issuer isolation.
publicKey | 4 | map | COSE compliant FIDO public key matching the private key associated with credentialId and rpId.
signatureAlgorithm | 5 | int | FIDO key/signature algorithm for FWP signatures.
encryptionKey | 6 | map | COSE compliant Issuer specific (shared) public encryption key. See FWP encryption.
encryptionKeyId | 7 | "Any" | Optional. See FWP encryption.
contentEncryptionAlgorithm | 8 | int | COSE compliant content encryption algorithm. See FWP encryption.
keyEncryptionAlgorithm | 9 | int | COSE compliant key encryption algorithm. See FWP encryption.
accountId | 10 | tstr | Account identifier associated with the credential.
paymentNetworkId | 11 | tstr | URL or predefined short string identifying the associated payment network.
issuerId | 12 | tstr | Bank Identification Number (BIN) or URL associated with the Issuer. The exact definition is specific for each paymentNetworkId. See also Service Discovery.
serialNumber | 13 | tstr | Text string that (with respect to the Issuer) uniquely identifies the payment credential.
cardImage | 14 | bstr | UTF-8 encoded SVG image identifying the payment credential for the User. The content of such images is entirely Issuer specific, but images MUST adhere to certain (TBD) dimensions in order to render properly in the wallet.
Through the use of a dedicated credential database, associated FIDO keys can be freely used by the FWP implementation, while remaining invisible and protected from access by all parties but their respective Issuer.
5. Enrollment
The exact enrollment process is yet to be defined; the assumption is that it could be accomplished by extending the existing W3C Web Authentication enrollment system. The extension would enable the Browser to securely distinguish between "ordinary" FIDO keys and those targeted for payments, which is required for maintaining a database in the Browser holding FWP credentials.
It would be great if the enrollment system could handle multiple credentials in a single operation, because an Issuer may want to support international card networks as well as national or regional payment networks 😎
It MAY be technically feasible to use a FIDO key associated with an FWP credential for Web Authentication as well, but this would be a deployment decision by the Issuer.
FWP effectively forms a browser "Wallet", holding an arbitrary number of payment credentials, each representing a specific Issuer, User account, and paymentNetworkId.
For details on a preliminary enrollment system you may take a peek at this document.
6. Detailed Operation
This section describes the different steps needed to authorize a payment operation using FWP. To improve readability, JSON data is "pretty-printed", while CBOR data is provided in "diagnostic notation".
The foundation for the description is the following sequence diagram sample where each step is linked to a clickable number in a box:
[Figure: FIDO Web Pay - Sample Sequence Diagram. Actors: User, Browser, Merchant, PSP, Issuer (bank). Steps: 1 PaymentRequest, 2 Payment UI, 3 Authorization, 4 Processing, 5 FWP Assertion, 6 Processing, 7 PSPRequest, 8 Processing, 9 IssuerRequest, 10 Processing.]
Note that the normative part of this specification only covers the steps within the dotted rectangle, that is, how FWP implements the PaymentRequest interface.
For brevity return (status) messages are not shown in the diagram.
1: Initiate PaymentRequest
At this point the User is assumed to have clicked on an FWP compliant icon (the "fwp pay" button), causing a Merchant Web page to invoke a custom doPaymentRequest() method, like in the following sample:
// FWP sample code

const methodData = [{
  supportedMethods: "fido-web-pay/v1",
  data: {
    payeeName: "Space Shop",  // Shown in the UI
    networks: [{
      id: "https://mastercard.com/fwp"
    },{
      id: "https://visa.com/fwp"
    },{
      id: "https://banknet2.org",
      networkOptions: "additional stuff..."
    }]
  }
}];

const request = new PaymentRequest(methodData, {
  id: "7040566321",   // Mandatory for FWP
  total: {label: null, amount: {currency: "EUR", value: "435.00"}}
});

async function doPaymentRequest() {
  const response = await request.show();
  await response.complete("success");
  return response.details;
}
When the PaymentRequest constructor is invoked, the Browser (FWP implementation) MUST perform the following checks:
Any deviations MUST throw an exception.
Note that the id properties in the networks array denote the actual payment networks, corresponding to the paymentNetworkId attribute in FWP credentials.
Note that the PaymentRequest.canMakePayment() method MUST return true if the User has one or more FWP credentials, regardless of whether they match the associated PaymentRequest list or not; else it MUST return false.
2: Show Payment Authorization UI
After successful invocation of the PaymentRequest.show() method, the Browser responds with a payment authorization UI like the following:
[Figure: Payment UI. Non-normative UI in "dark mode".]
If the User has no matching payment credentials, the Browser MUST indicate that and give the User an option to return to the Merchant "Checkout" page.
If the User has multiple matching payment credentials, the Browser MUST provide a way to select a specific credential. In the sample UI shown above, the User can swipe credentials to the left and right, while arrow symbols are used to show if there are more credentials available. That is, if there is no left arrow, the credential selector is at the left end point.
If a selected credential is associated with an external token which is currently not available, the User should be asked to insert it.
3: Perform User Authorization
At this point the User authorizes the request with a fingerprint, PIN, or similar. A successful user authorization causes the next step to be performed.
4: Create FWP Assertion
At this point the Browser creates an FWP assertion which requires the following substeps to be performed:
4.1 Extract PaymentRequest Core Data (PRCD)
Create a CBOR representation of the core payment request data supplied by the Merchant. For the sample code this should result in the following object:
{
  1: "Space Shop",
  2: "7040566321",
  3: "435.00",
  4: "EUR"
}
Definition:
Name | Label | Type | Description
payeeName | 1 | tstr | Merchant common name.
requestId | 2 | tstr | Merchant request Id. Copy of details.id.
amount | 3 | tstr | Amount of money requested by the Merchant.
currency | 4 | tstr | The type of currency requested by the Merchant.
This object is subsequently referred to as PaymentRequest Core Data (PRCD).
Note that throughout this specification, attributes are referred to by their symbolic name rather than by their CBOR label.
4.2 Create Authorization Data (AD)
Create a CBOR object representing the data to authorize. For the sample code this should result in the following object:
{
  1: {
    1: "Space Shop",
    2: "7040566321",
    3: "435.00",
    4: "EUR"
  },
  2: "spaceshop.com",
  3: "FR7630002111110020050014382",
  4: "https://banknet2.org",
  5: "0057162932",
  6: "additional stuff...",
  7: {
    1: {
      3: "Android",
      4: "12.0"
    },
    2: {
      3: "Chrome",
      4: "108"
    }
  },
  8: [40.74844, -73.984559],
  9: "2023-02-16T10:14:07+01:00",
  -1: {
    1: -7,
    2: {
      1: 2,
      -1: 1,
      -2: h'e812b1a6dcbc708f9ec43cc2921fa0a14e9d5eadcc6dc63471dd4b680c6236b5',
      -3: h'9826dcbd4ce6e388f72edd9be413f2425a10f75b5fd83d95fa0cde53159a51d8'
    }
  }
}
Definition:
Name | Label | Type | Description
paymentRequest | 1 | map | Copy of PaymentRequest Core Data (PRCD).
payeeHost | 2 | tstr | Host name as interpreted by the Browser. Included for optional validation by the Issuer, aided by the PSP.
accountId | 3 | tstr | User account number associated with the selected FWP credential.
paymentNetworkId | 4 | tstr | Payment network associated with the selected FWP credential. Included for "completeness".
serialNumber | 5 | tstr | Unique identifier associated with the selected FWP credential.
networkOptions | 6 | "Any" | Optional. This attribute MUST be included if specified in the PaymentRequest constructor for the particular paymentNetworkId, otherwise it MUST NOT be defined. Note that networkOptions is specified by the calling Merchant as JavaScript, but MUST subsequently be converted to CBOR when included in this object. Due to a mandated restriction on the JavaScript Number type, this conversion is straightforward: Number is converted to int, String to tstr, Object to map, Array to array, and null, true, and false to their respective CBOR counterparts.
platformData | 7 | map | Up-to-date information about the core software components. Included for security and logging purposes. The outer CBOR map holds two sub maps with int label 1 for the operating system and int label 2 for the "user-agent" (browser). Each sub map holds two tstr arguments, name with int label 3 and version with int label 4 respectively. Note that hardware (device) data is assumed to be established during credential enrollment.
location | 8 | array | Optional. If the platform supports GPS and the user has granted access to location data, this attribute MUST contain a CBOR array holding two CBOR IEEE-754 (2, 4, or 8 byte) floating point data items representing latitude (index 0) and longitude (index 1) respectively.
timeStamp | 9 | tstr | ISO (RFC3399) time stamp generated by the FWP implementation. If the local time zone is known, it SHOULD be included, else the UTC notation ("Z") MUST be used.
signature | -1 | map | User authorization signature. See FIDO Web Pay - Crypto for details.
This object is subsequently referred to as Authorization Data (AD).
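The encoding work of steps 4.1 and 4.2 (building PRCD from the constructor arguments and applying the JavaScript-to-CBOR conversion rules given for networkOptions), as an added JavaScript example that is not part of the FWP specification or its reference code. It assumes RFC 8949 deterministic map-key ordering, integer arguments that fit in 32 bits, and 64-bit encoding of non-integral numbers; the sample values are the ones from the Merchant code above.

```javascript
// Added example (not the FWP specification's own code): an encoder for the CBOR subset FWP
// uses, applying the JavaScript-to-CBOR rules of the networkOptions row and building PRCD.
// Assumptions: map keys are ordered as in RFC 8949 (shorter encoded key first, then
// byte-wise), integer arguments fit in 32 bits, non-integral numbers become 64-bit floats.

function encodeHead(major, arg, out) {
  // Major type in the high 3 bits; the argument inline (< 24) or in 1, 2 or 4 extra bytes.
  if (arg < 24) out.push((major << 5) | arg);
  else if (arg < 0x100) out.push((major << 5) | 24, arg);
  else if (arg < 0x10000) out.push((major << 5) | 25, arg >>> 8, arg & 0xff);
  else out.push((major << 5) | 26, arg >>> 24, (arg >>> 16) & 0xff, (arg >>> 8) & 0xff, arg & 0xff);
}

function compareKeys(a, b) {
  // Deterministic map ordering: shorter encoded key first, then lexicographic by byte value.
  if (a.length !== b.length) return a.length - b.length;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function encodeItem(value, out) {
  if (value === null) { out.push(0xf6); return; }                             // null
  if (typeof value === "boolean") { out.push(value ? 0xf5 : 0xf4); return; } // true / false
  if (typeof value === "number") {
    if (Number.isInteger(value)) {
      // Number -> int: major type 0 for n >= 0, major type 1 (argument -1 - n) for n < 0.
      if (value >= 0) encodeHead(0, value, out);
      else encodeHead(1, -1 - value, out);
    } else {
      // Non-integral values such as the location coordinates -> IEEE-754 double.
      const view = new DataView(new ArrayBuffer(8));
      view.setFloat64(0, value); // big-endian, as CBOR requires
      out.push(0xfb, ...new Uint8Array(view.buffer));
    }
    return;
  }
  if (typeof value === "string") {
    // String -> tstr (major type 3, UTF-8 bytes).
    const bytes = new TextEncoder().encode(value);
    encodeHead(3, bytes.length, out);
    out.push(...bytes);
    return;
  }
  if (value instanceof Uint8Array) {
    // bstr (major type 2): signatures, authenticator data, key coordinates.
    encodeHead(2, value.length, out);
    out.push(...value);
    return;
  }
  if (Array.isArray(value)) {
    // Array -> array (major type 4).
    encodeHead(4, value.length, out);
    for (const item of value) encodeItem(item, out);
    return;
  }
  if (typeof value === "object") {
    // Object -> map with tstr keys; a Map keeps its key types, which is how the FWP
    // objects with int labels (1, 2, ..., -1) are built here.
    const entries = value instanceof Map ? [...value.entries()] : Object.entries(value);
    const pairs = entries.map(([k, v]) => {
      const kb = [], vb = [];
      encodeItem(k, kb);
      encodeItem(v, vb);
      return [kb, vb];
    });
    pairs.sort((p, q) => compareKeys(p[0], q[0]));
    encodeHead(5, pairs.length, out);
    for (const [kb, vb] of pairs) out.push(...kb, ...vb);
    return;
  }
  throw new TypeError("no CBOR mapping for JavaScript type " + typeof value);
}

function encodeHex(value) {
  const out = [];
  encodeItem(value, out);
  return out.map((b) => b.toString(16).padStart(2, "0")).join("");
}

function networkOptionsToCbor(options) {
  // The conversion table relies on Number being restricted to integers; enforce that
  // before encoding (assumption: a fractional Number in networkOptions is an error).
  const check = (v) => {
    if (typeof v === "number" && !Number.isInteger(v)) throw new TypeError("networkOptions Number must be an integer");
    if (Array.isArray(v)) v.forEach(check);
    else if (v !== null && typeof v === "object") Object.values(v).forEach(check);
  };
  check(options);
  return encodeHex(options);
}

function prcd(payeeName, details) {
  // Step 4.1: PaymentRequest Core Data with FWP labels 1-4, taken from the constructor arguments.
  return new Map([
    [1, payeeName],
    [2, details.id],
    [3, details.total.amount.value],
    [4, details.total.amount.currency],
  ]);
}

// Sample input constructed from the Merchant code above so the block runs stand-alone.
const sampleDetails = { id: "7040566321", total: { label: null, amount: { currency: "EUR", value: "435.00" } } };
const samplePrcdHex = encodeHex(prcd("Space Shop", sampleDetails));
```

Decoding samplePrcdHex with any CBOR diagnostic tool gives exactly the PRCD map shown in 4.1.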
4.3 Create Signed Authorization Data (SAD)
Now apply the FIDO signature key (identified by credentialId and rpId) associated with the selected FWP credential to sign AD, using the scheme described in FIDO Web Pay - Crypto. For the sample code this should result in the following object:
{
  1: {
    1: "Space Shop",
    2: "7040566321",
    3: "435.00",
    4: "EUR"
  },
  2: "spaceshop.com",
  3: "FR7630002111110020050014382",
  4: "https://banknet2.org",
  5: "0057162932",
  6: "additional stuff...",
  7: {
    1: {
      3: "Android",
      4: "12.0"
    },
    2: {
      3: "Chrome",
      4: "108"
    }
  },
  8: [40.74844, -73.984559],
  9: "2023-02-16T10:14:07+01:00",
  -1: {
    1: -7,
    2: {
      1: 2,
      -1: 1,
      -2: h'e812b1a6dcbc708f9ec43cc2921fa0a14e9d5eadcc6dc63471dd4b680c6236b5',
      -3: h'9826dcbd4ce6e388f72edd9be413f2425a10f75b5fd83d95fa0cde53159a51d8'
    },
    3: h'412e175a0f0bdc06dabf0b1db79b97541c08dbacee7e31c97a553588ee922ea70500000017',
    4: h'304402204fbd186e8eac7d7dbb915a7a443b0939af77de5e35cf87831663ae3a8bfc1d940220201d0c51ff9b683648a626cbe0bbb69fed29ce854aea65763e0e33edf2af9e09'
  }
}
This operation updates the signature (-1) attribute of AD.
The resulting object is subsequently referred to as Signed Authorization Data (SAD).
There is no FIDO authentication server involved in this step since FWP builds on the same "Card Present" authorization concept as EMV.
4.4 Create Encrypted Signed Authorization Data (ESAD)
For privacy and security reasons, Signed Authorization Data (SAD) objects MUST be encrypted by a public key provided by the Issuer through the encryptionKey attribute of the selected FWP credential.
This specification mandates the encryption scheme described in FIDO Web Pay - Crypto.
Note the COTX tag, which is used to identify the FWP assertion object in its entirety.
Note that the public key MUST be shared with other clients of the Issuer, otherwise it will work as a static identifier to the specific User!
Encryption sample object:
1010(["https://fido-web-pay.github.io/ns/p1", {
  1: 3,
  2: {
    1: -31,
    3: "x25519:2022:1",
    7: {
      1: 1,
      -1: 4,
      -2: h'034e9273d9d55c3df0fb366fc33425648d8150de504c1b3499e0a7dac91a2c17'
    },
    10: h'2fd62268299b5e2fe57bafd5762a8eff3a8b9991facbec2d36093cdacb23ed5dff5750ca3bd5d7fc'
  },
  8: h'c20ab16145f1e5349c1d85fab4caf0a3',
  9: h'57e7341b3b1379d8765ae613',
  10: h'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'
}])
This object is subsequently referred to as Encrypted Signed Authorization Data (ESAD).
Due to the end-to-end encryption scheme, the domain constraints associated with Web Authentication assertions do not apply.
4.5 Assemble FWP Assertion
Create a JSON-serializable JavaScript object representing an FWP Assertion. For the sample code this should result in the following object:
{
  "paymentNetworkId": "https://banknet2.org",
  "issuerId": "https://mybank.fr/payment",
  "userAuthorization": "2QPygngkaHR0cHM6Ly9maWRvLXdlYi1wYXkuZ2l0aHViLmlvL25zL3AxpQEDAqQBOB4DbXgyNTUxOToyMDIyOjEHowEBIAQhWCADTpJz2dVcPfD7Nm_DNCVkjYFQ3lBMGzSZ4KfayRosFwpYKC_WImgpm14v5Xuv1XYqjv86i5mR-svsLTYJPNrLI-1d_1dQyjvV1_wIUMIKsWFF8eU0nB2F-rTK8KMJTFfnNBs7E3nYdlrmEwpZAZ8gTl9bStY9ATrIddFg_8T3YrdRU_uLMKnZ7O-vI6MImM1orBBO39-FTgYNkG8SKfc5s35S3_7YdKB98_1mHAYdbXtNVhr-n8MfFP-7FaXWLevh9ctUqFH9xLVKg9b45kpaWwxEWWCZKvlkEmwXqlWR10e550pAxeotbCpfOHQBxjaFuxzCp6MxubRFBWIuJ6fCkxTe2qzI0_QltIAQ2XEV92ctwa2JprAbPW8EJzM9Gr8GZ_61TEI4POtKiIOiS5O0t5IWSdBUNfti1NSq_LTOkyONNTj8iCG_anG8kGFzFS-TOzWcz5pUathAUQuuvey27hX93ENIuO-NgMs2-EEKlHhOIlQiCL-_bKsZifI9NL51zMOKKVAr8OlSF0q4I99nKMOTFcKs8751-4oHKgSMCOHv7DXuUVjPgo8ri4qeMEgk_13HyROa82ZxZevF3KDPwguqni5F-mWq1UrgJue0Y-yPl02-N-kCF_ar4iPFmMM06aqphkfuSF62Xycac4bbccE4Q7dXDuIRpbBV7oPpq5BoU2rgtpiCG60aed41"
}
Definition:
Name | Type | Description
paymentNetworkId | String | Payment network associated with the selected FWP credential.
issuerId | String | Issuer identifier associated with the selected FWP credential.
userAuthorization | String | Encrypted Signed Authorization Data (ESAD) supplied in a Base64Url string (in subsequent examples shown as a placeholder only). Note that whatever changes FWP may undergo, the userAuthorization field MUST remain since the actual FWP version is only available through the COTX tag.
The FWP Assertion is made available to the PaymentRequest invocation code via the PaymentResponse.details attribute.
An alternative to using issuerId attributes for service end-points is populating issuerId attributes with Service Discovery URLs, which in turn provide the actual service end-points (as well as other information that may be required before service invocation).
5: Return FWP Assertion
At this point the checkout Web code would normally return the completed FWP Assertion to the Merchant server through a FORM POST or fetch() operation.
6: Process FWP Assertion and Create PSPRequest Object
After receiving the FWP Assertion, the Merchant would usually call a PSP with a specifically crafted object. The exact definition is likely to be specific for each PSP network and is therefore out of scope for this specification. The following sample outlines such an object:
{
  "paymentRequest": {
    "payeeName": "Space Shop",
    "requestId": "7040566321",
    "amount": "435.00",
    "currency": "EUR"
  },
  "fwpAssertion": {
    "paymentNetworkId": "https://banknet2.org",
    "issuerId": "https://mybank.fr/payment",
    "userAuthorization": "2QPy•••ed41"
  },
  "receiveAccount": "DE89370400440532013000",
  "clientIpAddress": "220.13.198.144",
  "timeStamp": "2023-02-16T09:14:22Z"
}
Definition:
Name | Type | Description
paymentRequest | Object | Copy of PRCD, recreated by the Merchant, but now in JSON notation using the names from the table showing the CBOR version.
fwpAssertion | Object | Copy of the FWP Assertion.
receiveAccount | String | Merchant account to be credited.
clientIpAddress | String | Request IP address (in V4 or V6 format) of the User device. Included for security and logging purposes.
timeStamp | String | ISO time stamp generated by the Merchant.
7: Send PSPRequest Object
At this point the Merchant sends the completed PSPRequest object to the appropriate PSP.
Note that authentication of the Merchant is out of scope for this specification.
Since FWP supports multiple and independent payment systems, a Merchant may use different PSPs depending on received paymentNetworkId.
8: Process PSPRequest and Create IssuerRequest Object
After successfully having authenticated the Merchant request, the PSP MUST perform a number of checks on the received object including:
Any deviations MUST cause the request to be rejected. Fault handling is out of scope for this specification.
The next step is creating a suitable IssuerRequest object. The exact definition is likely to be specific for each payment network and is therefore out of scope for this specification. The following sample outlines such an object:
{
  "pspRequest": {
    "paymentRequest": {
      "payeeName": "Space Shop",
      "requestId": "7040566321",
      "amount": "435.00",
      "currency": "EUR"
    },
    "fwpAssertion": {
      "paymentNetworkId": "https://banknet2.org",
      "issuerId": "https://mybank.fr/payment",
      "userAuthorization": "2QPy•••ed41"
    },
    "receiveAccount": "DE89370400440532013000",
    "clientIpAddress": "220.13.198.144",
    "timeStamp": "2023-02-16T09:14:23Z"
  },
  "payeeHost": "spaceshop.com",
  "timeStamp": "2023-02-16T09:14:23Z"
}
Definition:
Name | Type | Description
pspRequest | Object | Copy of the PSPRequest object received from the Merchant.
payeeHost | String | The Merchant host name registered by the PSP.
timeStamp | String | ISO time stamp generated by the PSP.
9: Send IssuerRequest Object
At this point the PSP sends the completed IssuerRequest object to the designated Issuer. Note that the method used for locating the proper Issuer depends on the paymentNetworkId and issuerId attributes. In the sample the IssuerRequest object would presumably be sent to https://mybank.fr/payment.
10: Process IssuerRequest
Before initiating a payment transaction, the Issuer MUST decode the received IssuerRequest object and perform a number of steps to verify its correctness. Any deviation MUST terminate the operation in progress and return an error message to the PSP in a manner not specified here.
Note that pspRequest is a sample. However, regardless of the actual implementation, the data referred to here MUST still be available.
10.1 Core Validation
10.2 Extract Signed Authorization Data (SAD)
10.3 Validate Request Data
10.4 Validate Authorization Signature
10.5 Replay Handling
To cope with possible replays, verify that the received User authorization has not already been used. This can be accomplished by maintaining a lookup cache holding received SAD objects. Due to the unique, account specific data featured in SAD objects, authorizations associated with different accounts may share a common cache. Since authorization signatures encompass variant data like the timeStamp and paymentRequest attributes, as well as the signature counter in FIDO authenticatorData objects, false cache collisions on individual SAD objects should be "impossible", also in the cryptographic sense. Cached SAD objects can safely be removed when expired, preferably using a background process.
See Replay Cache for a sample in Java.
Note that using this scheme, SAD objects MUST be fully validated before being added to the cache!
Ideally, Issuers SHOULD support idempotent operation to facilitate transaction retries that may happen due to network glitches or similar.
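The Issuer-side checks of 10.3 (request data) and 10.5 (replay handling), together with the clock-skew rule from Security and Privacy Considerations, as an added JavaScript example that is not part of the FWP specification or any reference backend. It assumes the ESAD has already been decrypted and the SAD decoded into a plain object using the symbolic attribute names of the AD table, that the cache is keyed on the raw SAD bytes (here a constructed hex string), and that the skew window and cache lifetime are local policy values.

```javascript
// Added example (not the FWP specification's own code): Issuer-side validation of an
// IssuerRequest against the decrypted SAD. Assumptions: decryption, CBOR decoding and
// signature verification (10.2, 10.4) happen elsewhere before these functions are called;
// maxSkewMs and the cache lifetime are Issuer policy values.

class ReplayCache {
  constructor(lifetimeMs) {
    this.lifetimeMs = lifetimeMs;
    this.entries = new Map(); // SAD bytes (hex) -> expiry time in ms since epoch
  }
  // Returns false if the SAD was seen before, otherwise records it. Call this only after
  // the SAD has been fully validated, as the note in 10.5 requires.
  addIfNew(sadHex, nowMs) {
    if (this.entries.has(sadHex)) return false;
    this.entries.set(sadHex, nowMs + this.lifetimeMs);
    return true;
  }
  // Background expiry: an entry older than the lifetime is unreplayable anyway because
  // the timeStamp window below rejects it. Returns the remaining entry count.
  purge(nowMs) {
    for (const [key, expiry] of this.entries) if (expiry <= nowMs) this.entries.delete(key);
    return this.entries.size;
  }
}

function validateRequestData(issuerRequest, sad) {
  // 10.3: the PRCD the Merchant recreated in JSON must equal the PRCD the User signed,
  // and the payeeHost registered by the PSP must match the host the Browser saw.
  const claimed = issuerRequest.pspRequest.paymentRequest;
  const signed = sad.paymentRequest;
  for (const field of ["payeeName", "requestId", "amount", "currency"]) {
    if (claimed[field] !== signed[field]) return `paymentRequest.${field} mismatch`;
  }
  if (issuerRequest.payeeHost !== sad.payeeHost) return "payeeHost mismatch";
  return null;
}

function validateTimeStamp(sad, nowMs, maxSkewMs) {
  // A SAD whose timeStamp is far from the Issuer's clock is rejected, so manipulating the
  // client clock does not help an attacker (Security and Privacy Considerations).
  const t = Date.parse(sad.timeStamp);
  if (Number.isNaN(t)) return "timeStamp unparsable";
  if (Math.abs(nowMs - t) > maxSkewMs) return "timeStamp outside accepted window";
  return null;
}

function processIssuerRequest(issuerRequest, sad, sadHex, cache, nowMs, maxSkewMs) {
  // Order matters: data and time checks first, replay registration last.
  const reason = validateRequestData(issuerRequest, sad) || validateTimeStamp(sad, nowMs, maxSkewMs);
  if (reason) return { ok: false, reason };
  if (!cache.addIfNew(sadHex, nowMs)) return { ok: false, reason: "replayed authorization" };
  return { ok: true, accountId: sad.accountId };
}

// Constructed sample input mirroring the IssuerRequest of step 8 and the SAD of step 4.3.
const sampleIssuerRequest = {
  pspRequest: {
    paymentRequest: { payeeName: "Space Shop", requestId: "7040566321", amount: "435.00", currency: "EUR" },
    fwpAssertion: { paymentNetworkId: "https://banknet2.org", issuerId: "https://mybank.fr/payment", userAuthorization: "2QPy•••ed41" },
    receiveAccount: "DE89370400440532013000",
    clientIpAddress: "220.13.198.144",
    timeStamp: "2023-02-16T09:14:23Z",
  },
  payeeHost: "spaceshop.com",
  timeStamp: "2023-02-16T09:14:23Z",
};
const sampleSad = {
  paymentRequest: { payeeName: "Space Shop", requestId: "7040566321", amount: "435.00", currency: "EUR" },
  payeeHost: "spaceshop.com",
  accountId: "FR7630002111110020050014382",
  paymentNetworkId: "https://banknet2.org",
  serialNumber: "0057162932",
  timeStamp: "2023-02-16T10:14:07+01:00",
};
const sampleSadHex = "constructed-sad-bytes-placeholder"; // stands in for the hex of the real SAD bytes
```

A tampered amount in pspRequest.paymentRequest, a stale timeStamp, or a second submission of the same SAD each yield a distinct rejection reason, which is what the PSP-facing error channel of step 10 would carry.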
10.6 Other Validation Steps
Obviously there are other things to verify but these are not directly related to FWP, like checking that the User has funds available matching the current request.
8. Delegated Authorization
Using delegated authorization, the validation of User authorizations is separated from payment initiations. The purposes of such arrangements include:
Note that FWP makes the use of delegated authorization transparent for both the User and the Merchant.
Delegated authorization differs from 3D Secure by keeping the authorization process and associated User account information inside of the core payment network. This enables validation of potentially untrusted Merchant data as well as eliminating dependencies on certified Merchant 3D Secure SDKs.
Delegated authorization builds on the assumption that the PSP is trusted for carrying out payment initiations on behalf of a User (based on a preceding User authorization step), which is an established concept in most payment networks. (In the FWP standard mode the PSP only acts as a proxy for the Merchant).
The delegated authorization mode is illustrated by the following sequence diagram:
[Figure: FIDO Web Pay - Sample Delegated Sequence Diagram. Actors: Merchant, PSP, Authorizer, Issuer (bank). Steps: 7 PSPRequest, D1 Processing, D2 AuthorizeRequest, D3 Processing, D4 Authorization, D5 Processing, D6 "Payment Rails", D7 Processing.]
Note that steps 1-7 are identical to the FWP "standard" mode. "Payment Rails" refers to existing payment systems.
In an Open Banking context the PSP would be equivalent to a PISP while the Authorizer would be a specialized AS.
D1: Process PSPRequest and Create AuthorizeRequest Object
This step should involve the same verifications as in step 8 in the standard mode. A suitable AuthorizeRequest object would typically follow the IssuerRequest sample in step 8.
Using delegated authorization may be decided by each Issuer individually. The actual configuration is preferably resolved by making the issuerId attribute play the role of a Service Discovery URL.
D2: Send AuthorizeRequest Object
At this point the PSP sends the completed AuthorizeRequest object to the designated Authorizer. Note that the method used for locating the proper Authorizer depends on the paymentNetworkId and issuerId attributes.
D3: Process AuthorizeRequest
This step should involve the same verifications as in step 10 in the standard mode.
D4: Return Authorized Data
If the preceding step is successful, AuthorizeRequest would typically return the (now decrypted) User account number.
A more sophisticated approach would be to return signed data for maintaining the end-to-end security model. For card payments this would preferably be in the form of EMV compliant objects that can be passed on to existing payment systems "as is".
 
In an Open Banking implementation based on OAuth2 concepts, the return data would contain access tokens and consent information.
D5: Create Payment Instruction
After receiving the User account number a payment instruction object is created. The format and contents of such objects are payment network specific and are therefore not described here.
D6: Invoke "Payment Rails"
Perform a payment instruction request in a payment network specific way.
D7: Process Payment Instruction
Process the payment instruction request in a payment network specific way.
Security and Privacy Considerations
Security in FWP depends to a large extent on the W3C PaymentRequest API, which acts as a "mediator" between the untrusted Web and payment applications. That does not, however, stop arbitrary Web sites from invoking FWP when the user clicks a link on the site. However, if the site does not represent a genuine merchant, even a completed user authorization will not lead to a security breach, because properly designed backend systems should block the rest of the process since the requester would not be recognized. If on the other hand the site is legitimate, the assumption is that in order to become a merchant entitled to request payments, you usually need to follow specific rules regarding how and when payment requests may be performed.
Due to the end-to-end security model, card numbers and similar personally identifiable information (PII) are protected from illicit access, as long as payment providers manage FWP decryption keys in a secure manner.
It is technically possible to create Web applications that look like FWP ("spoofing"), but such applications are unable to produce valid assertions, since that requires unconstrained access to FIDO keys, which is reserved for FWP (which runs with higher privileges than ordinary Web code).
If the internal clock of an FWP client is severely out of sync, associated authorizations should be rejected. This makes clock manipulations useless as attack vectors.
FWP depends on the underlying software operating correctly. Bugs or successful attacks on the platform may force the FWP system to perform payments in the background or violate the user's privacy.
Although FWP was designed with privacy in mind, it does add some data which (to a rather limited extent), can be used by merchants for "binning" users:
Integration
It goes without saying that the integration of systems like FWP in payment networks is crucial for acceptance by the market.
For card based payments, FWP implementations can build on the existing EMV foundation since essentially only the formats differ. Although the lack of a PAN (card number) in FWP may appear to be an obstacle, the issuerId would in this case hold a "neutered" PAN where the BIN (Bank Identification Number) is set, while the remaining digits are set to zeroes followed by a Luhn check digit, e.g. VISA: 4972039000000004. However, using Issuer URLs is also a viable alternative for card payments, because payment processors associated with "regular" EMV and FWP payments would probably not share end points.
For account-to-account payments there are currently no generally agreed upon standards for consumer payments, but remapping existing card based systems and infrastructures nonetheless seems like a possible path.
Delegated Authorization represents yet another way of addressing payment system integration.
Extensions
The FWP client is loosely derived from a proof-of-concept system called Saturn. By continuing along this path, features like the following could potentially be added:
Note that some of the features above could impact the PaymentRequest API.
Implementation Options
An alternative to building FWP support into browsers, is moving the FWP implementation (including the credential database), down into the client platform layer. This would open FWP to other scenarios like:
Such an arrangement would also introduce additional features including:
Usage of CBOR
That the internals of FWP assertions are based on CBOR rather than JSON may seem odd since CBOR currently is not particularly common on the Web. However, there is a pretty strong rationale for using CBOR for this application including:
To maintain simple and deterministic representation of data, this specification only uses a subset of CBOR. Extensions to this specification SHOULD NOT introduce additional CBOR primitives beyond floating point and big number.
Acknowledgements
The FWP core was heavily influenced by an earlier Microsoft research project called Windows CardSpace.
The User icon was derived from https://commons.wikimedia.org/wiki/File:Crystal_Clear_kdm_user_female.svg
Document History
Date | Version | Comment
2021-03-12 | 0.1 | Initial publishing.
2021-03-15 | 0.11 | Added external token comment.
2021-03-29 | 0.12 | Improved replay handling + Changed "Acquirer" to "PSP".
2021-04-02 | 0.13 | Added section Delegated Authorization.
2021-04-11 | 0.14 | Added credentialId + more text in Credential Database.
2021-04-14 | 0.15 | Added section Implementation Options.
2021-04-16 | 0.16 | Added sequence diagram "scope" rectangle.
2021-05-09 | 0.17 | Simplification: Removed hashing of PRCD.
2021-05-19 | 0.18 | Aligned wallet database with FIDO names.
2021-06-03 | 0.19 | Added IPR declaration.
2021-06-21 | 0.20 | Converted the FWP core to CBOR (was JSON).
2021-07-02 | 0.21 | Removed redundant FINGERPRINT item.
2021-08-02 | 0.22 | Added document "FIDO Web Pay - Crypto" and ToC.
2021-08-27 | 0.23 | Added section Security Considerations.
2021-09-30 | 0.24 | Added CBOR types in Credential Database.
2022-02-02 | 0.25 | CBOR date time replaced by text string.
2022-06-15 | 0.26 | CBOR primitives expressed in CDDL notation.
2022-08-18 | 0.27 | CTAP2 signature scheme.
2022-10-03 | 0.28 | Added rpId to Credential Database.
2022-11-16 | 0.29 | Changed paymentMethod to paymentNetworkId.
2022-12-19 | 0.30 | Changed signature key to -1.
2023-01-07 | 0.31 | Added COTX tag to the ESAD object.
2023-02-16 | 0.32 | Added location to the AD object.
Authors
The FWP specification is currently authored by Anders Rundgren (anders.rundgren.net@gmail.com) on GitHub (https://github.com/fido-web-pay/specification).
Trademarks
FIDO is a registered trademark of the FIDO alliance.
EMV is a registered trademark of EMVCo.
 
This specification represents an independent effort, not associated with the FIDO alliance or EMVCo.