What is Secure Remote Commerce?
This entry was posted on Tuesday, May 8th, 2018.
Mastercard and Visa recently announced a standardized method for e-commerce checkout, based on a unified, streamlined checkout framework that was proposed by EMVCo in November 2017. Dubbed Secure Remote Commerce (SRC), the unified digital checkout specifications are an evolution of remote commerce that provides for secure and interoperable card acceptance established through a standard technical framework and specification. It enables a merchant to securely request and receive interoperable payment data used to process accepted cards in a remote commerce transaction. Since SRC is platform-agnostic, Jess Turner, EVP of Digital Payments and Labs of North America at Mastercard, said that the technology will allow consumers to choose any payment method they wish to use.
What Led up to SRC
Internet-based commerce, otherwise known as remote commerce, became readily available in the 1990s and has continued to grow in popularity as a purchasing environment for consumers. Remote commerce is typically serviced by a wide variety of stakeholders and is usually enabled by the customer entering their payment card's Primary Account Number (PAN) into a merchant’s shopping application or website. The current environment has many different integration models and practices, and the variety of implementations and lack of common specifications for this environment result in fragmentation, complexity, and inconsistency.
Security of payments does exist in physical Point of Sale (PoS) terminals thanks to EMV specifications, but previously there was no common industry specification for the myriad of potential remote commerce payment scenarios. As remote commerce becomes increasingly targeted and susceptible to compromise, it is important to establish common specifications that protect and serve consumers and merchants with a consistent consumer experience.
While many merchant shopping applications have enabled a card-on-file methodology, the basic method of delivering the payment card is mostly insecure and unauthenticated. While account data storage standards such as the Payment Card Industry Data Security Standard (PCI DSS) are commonplace, there is still no common specification to address the functional interactions and transmission of data between participants. There is a concern that the lack of uniformity in remote commerce might create an opportunity for attackers and hinder the progress made against payment-related fraud.
What SRC Hopes to Accomplish
According to the Secure Remote Commerce Framework, SRC hopes to provide simplified and efficient integration and interfaces between payment ecosystem stakeholders, facilitate interoperable and secure payments, and decrease the vulnerability of shopping websites and mobile shopping applications via the secure transmission of payment data and related checkout data.
This is in addition to other features, such as reducing shopping cart abandonment by decreasing repetitive manual PAN entries and providing integration options for EMV specifications such as Payment Tokenization and 3D Secure (2.0) authentication.
Tokenization has a major role in the united effort between Visa and Mastercard to simplify the checkout process. “Just like [the] EMV chip has brought security to the physical world, tokenization everywhere is critical to securing the digital world,” said a Mastercard representative. “Today, nearly 75% of all cards globally are ready to be tokenized. A token-only world is within reach and SRC will support this by building on the EMVCo tokenization standards. It renders the credentials useless to fraudsters and reduces the risk for merchants and, critically, it also provides consumers visibility into where their credentials are stored and how their data is used.” Potential use cases could include payments initiated using a device that accesses digital card credentials stored outside merchant environments, utilized during a guest experience at a merchant, or during a merchant card-on-file experience.
Expert Opinions on SRC
David Worthington, Vice President of Strategic Business Development at Rambus, had this to say about the new SRC provisions: “Whilst the SRC specifications are still being finalized within EMVCo, and subject to the input of EMVCo Technical Associates, as part of ongoing industry review, there has already been significant progress over the last year since SRC was proposed by EMVCo. As a holistic approach to the remote transaction, incorporating parallel EMVCo work on Tokenization and 3D Secure 2.0 authentication, the aim is to provide a better payment experience, something all consumers could benefit from.”
Mastercard and Visa, as well as American Express and Discover, have now agreed to adopt the same standard, which is a rare occurrence, as they have promoted their own solutions in the past, such as Mastercard’s Masterpass and Visa’s V.me. Such an unprecedented collaboration will have a major positive impact on the convenience with which consumers pay online. With the introduction of the SRC provisions by EMVCo, the hope is that the unification and streamlining of checkouts will make the environment of digital payments more secure and interoperable.