EMV Secure Remote Commerce: A Comprehensive Guide to Interoperable and Secure Online Payments

As e-commerce has grown in popularity in recent years, it has also become a larger target for compromise. Although PCI DSS has been used to improve security in this environment, there is still no common specification that addresses data transmission between participants.

EMV Secure Remote Commerce (SRC) is a new framework that aims to facilitate secure and interoperable online payments across different devices and channels. Developed by EMVCo, which manages the EMV Specifications used in over 9 billion payment cards and 41 million point-of-sale terminals worldwide, SRC is designed to provide a level of security and interoperability for remote payments similar to that of physical payments. This article provides an overview of SRC, including its key features, benefits, and use cases.

What is EMV Secure Remote Commerce?

EMV Secure Remote Commerce is a standard that defines a set of technical specifications and business requirements for facilitating secure and interoperable remote payments. It is designed to enable simple and efficient integration and interfaces between various entities, such as merchants, issuers, acquirers, and payment gateways, while ensuring the protection and use of payment data.

SRC is based on the following principles:

  1. Dynamic data: SRC introduces dynamic data, which enables the secure and consistent transmission of payment data and related checkout data, while reducing the vulnerability of shopping websites and mobile shopping applications. This dynamic data can be used to authenticate the transaction, and the consumer, without revealing sensitive payment information.
  2. Consumer identity: SRC enables the use of consumer identity to access payment data, reducing the need for repetitive manual PAN entries, and increasing the approval rates for remote commerce transactions.
  3. Interoperability: SRC aims to facilitate interoperable remote transactions by introducing dynamic data in remote transactions and enabling the use and integration of other EMV technologies, such as payment tokenization and 3-D Secure authentication.

What are the components of the SRC specification?

The SRC specification is designed to work within the payment ecosystem, including the roles of various entities, transaction flows, and payment use cases, while maintaining compliance with laws and regulations and ensuring that existing payment processes are not negatively impacted.

The specification does not prescribe any single implementation approach but describes the interactions between roles, functions, protocols, and the SRC System and SRC Participants.

SRC Program: A business entity creates an SRC program to oversee authorized SRC Systems and their participants. The program sets criteria for authorized participation and provides guidance for SRC Systems and participants. It establishes policies, requirements, and processes for onboarding, registration, and configuration of SRC System Participants, cardholder enrollment, visual guidance, and supported assurance methods.

SRC System: An SRC system is a technical infrastructure that allows SRC Participants, including Card Issuers, Acquirers, Payment Facilitators, and Merchants, to exchange payment data securely and interoperably. This is done using dynamic data and reference information instead of primary account numbers (PANs) to reduce fraud risk.

The SRC System is responsible for onboarding the SRCPI, DCF, and SRCI (each described below).

SRC Participating Issuer (SRCPI): An SRC Participating Issuer is set up in each SRC System to enable its Cardholders and PANs to enroll and establish eligibility. The issuer can:

  • Identify eligible BIN/BIN ranges for SRC participation
  • Provide Card Art (visual version of the Payment Card) and other data for the Digital Card
  • Determine default Digital Card Facilitator(s)
  • Set Assurance method preferences for Enrolment or checkout
  • Provide Enrolment data to the SRC System for Cardholder participation

The SRCPI also manages other Enrolment-related business processes defined by the SRC Program.

Digital Card Facilitator (DCF): Digital Card Facilitators allow customers to access their digital card information and other SRC services while making purchases. They integrate with one or more SRC systems to achieve this. Digital Card Facilitators provide access to a customer’s digital card information, including payment token or PAN reference, a representation of the payment card, and consumer identity, to support an SRC experience.

SRC Initiator (SRCI): An SRC Initiator has two main functions:

  • Registering Digital Payment Applications: This means managing the registration of participating applications, which can be done by multiple initiators.
  • Integrating with SRC Systems: This includes providing support for specific technologies (e.g. web, mobile, IoT) and implementing recognition subdomain functionality for browser-based use cases.

SRC Initiators provide payment and non-payment functions:

  • Payment functions include receiving payment data from an SRC System and providing payment confirmation to the SRC System. Entities that provide payment services on behalf of merchants can also be SRC Initiators, indicating which merchant they are servicing by providing the appropriate Digital Payment Application configuration data to SRC Systems.
  • Non-payment functions include initiating checkout, presenting the SRC Candidate List, completing checkout, providing checkout confirmation to the SRC System, and transmitting and receiving checkout data on behalf of a Digital Payment Application to SRC Systems indicating transaction details and service elections.

Digital Payment Application (DPA): A Digital Payment Application lets customers interact with merchants through payment-enabled apps like websites, mobile apps, or IoT devices. To participate, the app must:

  • Integrate with one or more SRC Initiators, who can register it for each SRC System.
  • Be selected by the merchant or commerce provider to participate in one or more SRC Systems via one or more SRC Initiators.
  • Support a specific SRC Trigger, which is defined by the SRC Program and specifies the types of checkout supported.

Merchants can integrate with multiple front-end SRC Initiators, but must consider the implications for their Digital Payment Application and SRC experience.

A Digital Payment Application provides the following functionality:

  • Presents an SRC Trigger and indicates the SRC Systems it supports to the consumer.
  • Invokes one or more SRC Initiators.
  • Conveys transaction details and service elections (such as Payment Tokenisation and EMV 3-D Secure payment authentication) to the SRC Initiators.
  • Provides checkout confirmation information to the SRC Initiator.

How does EMV Secure Remote Commerce work?

EMV Secure Remote Commerce works by facilitating the exchange of data between the card issuer and the merchant, while ensuring the protection and use of payment data.

SRC supports two major processes:

1 — Enrollment

An SRC Participating Issuer initiates Enrolment by providing Cardholder PAN(s) and Consumer Identities to the SRC System. Other entities such as Digital Card Facilitators and SRC Initiators may also initiate Enrolment. The Cardholder must confirm its participation by electing Enrolment of its PAN(s). If an SRC Profile exists for the Cardholder, the newly Enrolled PAN will be associated with the existing SRC Profile. Otherwise, a new SRC Profile will be created.
Enrollment of eligible Digital Cards or PANs can occur as a standalone event (initiated by the SRCI or SRCPI) or within a checkout.

What is an SRC Profile? Each SRC System creates and manages SRC Profiles. Each SRC Profile has a primary consumer identity, which the consumer uses to access the profile. Optional data elements can include:

  • Payment cards
  • Digital cards
  • Consumer information
  • Device identities

Although an SRC profile is created during enrollment, it can be added to and/or managed during subsequent SRC interactions.

2 — Checkout

Checkout allows a merchant to request permission to use a payment method for a Consumer’s purchase.

The SRC Specifications do not provide any requirements for payment authentication. However, they offer the DPA the choice to conduct payment authentication during, or after, checkout.

There can be two types of checkout, depending on the SRC participants, available functionalities and configurations:

  1. SRC Checkout:

SRC checkout is the facilitation of checkout orchestrated by an SRC Initiator integrating the SDKs of one or more SRC Systems in order to simplify and streamline purchase experiences across multiple Digital Payment Applications.

It enables Consumers with at least one SRC Profile to access their Digital Cards across participating Digital Payment Applications for single and repeat uses.

The main steps are as follows:

  1. Checkout initiation: The consumer initiates a checkout process on the merchant's website or mobile application using an SRC Trigger.
    Depending on whether the consumer is recognized or not, additional recognition and identity validation steps may be required during checkout initiation.
  2. SRC Candidate List: The SRC Initiator presents the consumer with a list of any Digital Card(s) returned by an SRC System based on the consumer's registered SRC Profiles.
    The consumer then selects a Digital Card from the candidate list and proceeds to checkout.
  3. Checkout confirmation: Following selection of a Digital Card for payment, the Digital Card Facilitator presents a checkout recap for review and confirmation of the purchase details.
  4. Payment authorization: The SRC Initiator uses the payload returned by the SRC System to initiate a payment authorization as defined between the merchant and its payment processor.
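The Enrolment process and the four SRC Checkout steps above, as an added toy model in Python (not EMVCo's specification or any SRC System's code). The in-memory SRC System, its token vault, the consumer identity and the test PANs are constructed assumptions; the model shows a second enrolled PAN joining an existing SRC Profile, the candidate list returned for a recognised consumer, and a checkout payload that carries a token reference instead of the PAN.

```python
from dataclasses import dataclass


@dataclass
class DigitalCard:
    last4: str       # shown to the consumer in the SRC Candidate List
    card_art: str    # issuer-provided representation of the Payment Card
    token_ref: str   # reference to the payment token; the PAN is not stored here


class SrcSystem:
    """Toy SRC System: each SRC Profile is a list of Digital Cards keyed by the
    primary consumer identity; PANs live only in a separate token vault (assumed)."""

    def __init__(self):
        self.profiles = {}   # consumer identity -> list[DigitalCard]  (the SRC Profile)
        self.vault = {}      # token_ref -> PAN; stands in for a token service provider

    def enrol(self, consumer_identity, pan, card_art):
        """Enrolment: add the PAN to an existing SRC Profile, or create a new one."""
        token_ref = f"tok_{len(self.vault):06d}"
        self.vault[token_ref] = pan
        profile = self.profiles.setdefault(consumer_identity, [])
        profile.append(DigitalCard(pan[-4:], card_art, token_ref))
        return token_ref

    def candidate_list(self, consumer_identity):
        """Checkout step 2: Digital Cards for a recognised consumer (empty if unrecognised)."""
        return list(self.profiles.get(consumer_identity, []))

    def checkout(self, consumer_identity, token_ref, amount):
        """Checkout steps 3-4: the DCF recap shown to the consumer and the SRCI payload."""
        cards = {c.token_ref: c for c in self.candidate_list(consumer_identity)}
        if token_ref not in cards:
            raise ValueError("selected Digital Card is not in this consumer's SRC Profile")
        recap = {"card": f"**** {cards[token_ref].last4}", "amount": amount}
        payload = {"token_ref": token_ref, "amount": amount}   # no PAN reaches the merchant
        return recap, payload


def run_flow():
    """Enrol two constructed test PANs under one identity, then check out with the first."""
    system = SrcSystem()
    system.enrol("alice@example.com", "4111111111111111", "art:blue")   # creates the profile
    system.enrol("alice@example.com", "5555555555554444", "art:red")    # joins the same profile
    candidates = system.candidate_list("alice@example.com")
    recap, payload = system.checkout("alice@example.com", candidates[0].token_ref, "12.50")
    return len(system.profiles), [c.last4 for c in candidates], recap, payload
```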

  2. Merchant Checkout:

Merchant Checkout is a merchant-driven checkout experience that integrates with one or more SRC Systems to provide simplified repeat purchase experiences across the merchant’s Digital Payment Applications.

There are three variants of Merchant Checkout:

  1. Merchant Digital Card-On-File Checkout: A type of merchant checkout that integrates with one or more SRC Systems to allow the Consumer to designate a Digital Card as a merchant Digital Card-on-file for purchases.
  2. Merchant Orchestrated Checkout: Provides a purchase experience that is fully integrated within the merchant's current checkout experience. The SRC Trigger is integrated with the merchant's checkout call-to-action and is not a separate Click to Pay call-to-action. This is particularly convenient for in-app payments.
  3. Merchant Presented QR Code Checkout: Orchestrated by a split SRC Initiator model where Payment SRC Initiator related merchant data is populated in a dynamic QR code and consumed by an application on a Consumer Device (a Non-Payment SRC Initiator) to trigger an SRC checkout experience. It enables Consumers with at least one existing SRC Profile to access Digital Cards within a provided application for single use, based on the consumed merchant data.

SRC also supports implementations that provide Cardholder-Initiated Transactions (CIT) and Merchant-Initiated Transactions (MIT).

Click To Pay

Consumer-facing solutions and programs based on the EMV SRC Specifications can be referred to as “Click to Pay”. This universal description makes it easy for consumers to recognize and signals that they can confidently make transactions through an easy e-checkout, regardless of the payment card, digital channel, or device they use.

The corresponding “Click to Pay” icon indicates availability at participating merchants. Alternatively, “Click to Pay” can be used in text as descriptive language if an e-merchant is unable to visually display the icon.

Click to Pay programs are created by various industry participants, including global and domestic payment schemes, banks, fintechs, and merchants. Consumers enroll in a Click to Pay program via participating payment card issuers. Once enrolled, a consumer can confidently pay online wherever they see the Click to Pay icon, using their preferred card and expecting comparable security and convenience as when making in-store purchases.

The EMV SRC Specifications provide a common baseline for the development of Click to Pay e-commerce payment solutions.

EMVCo licenses the Click to Pay icon to participating merchants and other participants.

What are the benefits of EMV Secure Remote Commerce?

EMV Secure Remote Commerce offers a range of benefits for consumers, merchants, issuers, and acquirers. These include:

  1. Convenience: SRC simplifies the checkout process by reducing the need for repetitive manual PAN entries and enabling the use of consumer identity to access payment data.
  2. Security: SRC provides a level of security comparable to that of EMV-based physical payments by introducing dynamic data in remote transactions and enabling the use and integration of other EMV technologies, such as payment tokenization and 3-D Secure authentication.
  3. Interoperability: SRC facilitates interoperable remote transactions by introducing dynamic data in remote transactions and enabling the use and integration of other EMV technologies, such as Tokenisation and 3DS authentication, by a variety of SRC Participants.

Challenges and Limitations of SRC

While SRC offers a range of benefits, there are also several challenges and limitations that need to be addressed to ensure its widespread adoption and success. Some of these challenges are:

  1. Integration with Existing Payment Systems: SRC needs to be integrated with existing payment systems, which can be a complex and time-consuming process. This integration requires coordination between different stakeholders in the payment ecosystem, including issuers, acquirers, payment service providers, and merchants.
  2. Consumer Education: SRC requires consumer education to ensure that consumers understand how to use the new payment method and the benefits it offers. This education needs to be provided by different stakeholders, including issuers, acquirers, payment service providers, and merchants.
  3. Compliance with Regulations: SRC needs to comply with regulations and standards, such as PSD2 and GDPR. Compliance with these regulations requires coordination between different stakeholders in the payment ecosystem, including issuers, acquirers, payment service providers, and merchants.
  4. Security and Fraud Management: SRC needs to be secure and effective in managing fraud. This requires robust security measures, such as encryption, tokenization, and dynamic data, as well as effective fraud management processes.
  5. Limited Availability: SRC is currently only available in select markets, which limits its adoption and impact. To achieve widespread adoption, SRC needs to be available in more markets and supported by more payment systems and networks.

Conclusion

SRC is a new payment method that offers a range of benefits to various stakeholders in the payment ecosystem, including consumers, merchants, issuers, and acquirers. SRC introduces dynamic data, which enhances security and reduces the risk of data breaches. It also simplifies the payment process for consumers, reduces abandonment rates, and increases approval rates for transactions. SRC enables interoperability between different payment systems and networks, which reduces the cost and complexity of payment processing for merchants and payment service providers. While SRC offers significant benefits, it also faces several challenges and limitations, including integration with existing payment systems, consumer education, and compliance with regulations.

EMVCo's SRC is already implemented by Visa, Mastercard, AMEX, Diners Club, Adyen, Stripe, etc. It is primarily being deployed in the US, but will soon be expanded to the EU.