Communicating 3DS data in HTTP/JSON terms

[ianbjacobs]

Hi all,

Based on discussion at the Singapore face-to-face meeting, @marcoscaceres articulated some wishes to get a better picture of how to connect 3DS with payment request. With his permission, I copy his notes here for discussion.

======
From @marcoscaceres:

Following up from the w3c face to face meeting, basically what we need is either test HTTP endpoints or JSON responses for (apologies, I don't know the precise terminology for these - or if I'm missing
steps):

1. A URL that the merchant provides to the Payment Request API for the 3DS verification (I can fake this, if I have fake data - below).
2. The shape (e.g., JSON) of the payload that the browser sends to the verification URL (this is the finger print bit - but the browser will generate something representing the user fingerprint).
3. A "verified" response; a "rejected" response; or any other kind of response as .json.
4. The response for "step up" verification - so we can generate the UI within the browser (please, NOT the HTML! pretend it's a native application - so JSON).
5. When step up is done, the rejected response and/ the authenticated response.
6. The data that the browser would then return to the merchant.

[ianbjacobs]

Today we received some valuable input from our Amex colleagues for this thread:
https://lists.w3.org/Archives/Public/public-payments-wg/2018Apr/0036.html