The W3C Web Payments Working Group has published working drafts of Web Payments HTTP Specifications that include the Web Payments HTTP API 1.0 and Web Payments HTTP Messages 1.0. The two specifications are designed to work together to enable payment requests outside of a browser context.
The way the Square API delivers JSON output makes it possible for an attacker to engage in a cross-site scripting (XSS) under certain circumstances. The vulnerability was discovered by security researcher Ajay Chavda and reported to Square on August 7, 2015 through its bounty program on hackerone.
APIs continue to work their way into just about every part of the digital economy. The latest example is Subledger, which offers a suite of APIs that let developers integrate accounting functionality into their applications.