Secure Remote Commerce (SRC) speeds online and mobile checkout while assuring greater security. Here’s how.
EMVCo and the payment networks are positioning Secure Remote Commerce, or SRC, as a critical mechanism for reducing e-commerce fraud. If widely adopted by merchants, SRC will enable the elimination of some fraud types, such as malware that infects checkout screens, and can reduce others. The safety SRC offers, however, comes at a cost to merchants in time and effort. This blog provides a generalized technical description of how SRC operates. We will not attempt to compare and contrast specific implementation details, identify the threats these implementations should eliminate or reduce, or consider the impact of SRC on gateways, acquirers, and merchants. We will address these matters in future blogs on this website.
The scenario below assumes the cardholder has already
created a profile and loaded a card into SRC.
Figure: Simplified Diagram of SRC Cardholder Operation (After User Registration)
When a user clicks on the EMVCo symbol, the merchant will
the cards that merchant accepts and fingerprints the device during
the merchant accepts. Once loaded, the initialization process continues by testing
to determine if any of the network SRC entities recognize this specific user by
issuing an IsRecognized() call. When an SRC entity recognizes the user, it
delivers a federated ID token (JSON Web Token, or JWT), which is used to access
all SRC instances regardless of network. The SRCI user interface now makes a
call (getSrcProfile) to each SRC system to receive that cardholder’s card
details, which are then displayed in the user interface as shown in the diagram
above. Note that the card image is provided by the issuer to the SRC system for
All that is left to do is for the consumer to click on the
card they want to utilize for this purchase and then click the Checkout button.
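The initialization sequence described above, modelled with in-memory mock SRC systems. This is an added example, not code from this blog or from any SRC SDK: only the names isRecognized and getSrcProfile come from the text, while the device-ID lookup, the payload shapes and the shared token registry are assumptions.

```javascript
// Added example, not code from the post or any SRC SDK. isRecognized and
// getSrcProfile are named in the post; device IDs, payload shapes and the
// shared token registry are assumptions made for this mock.
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const issuedTokens = new Map(); // stands in for federation-wide token validation

function makeSrcSystem(network, knownDevices, cardsByUser) {
  return {
    network,
    // Recognize a returning user by device and issue the federated ID token.
    isRecognized(deviceId) {
      const user = knownDevices[deviceId];
      if (!user) return { recognized: false };
      // JWT-shaped mock: the third segment is a placeholder, not a signature.
      const idToken = [b64u({ typ: "JWT" }), b64u({ iss: network, sub: user }), "mock-sig"].join(".");
      issuedTokens.set(idToken, user);
      return { recognized: true, idToken };
    },
    // Return this network's cards for the token's user, whichever network issued it.
    getSrcProfile(idToken) {
      const user = issuedTokens.get(idToken);
      if (!user) throw new Error(`${network}: unknown ID token`);
      return cardsByUser[user] || [];
    },
  };
}

// SRCI side: ask each system whether it recognizes the device, then present
// the first token received to every system and merge the card lists.
function loadCardList(srcSystems, deviceId) {
  let idToken = null;
  for (const sys of srcSystems) {
    const res = sys.isRecognized(deviceId);
    if (res.recognized) { idToken = res.idToken; break; }
  }
  if (!idToken) return { recognized: false, cards: [] };
  const cards = srcSystems.flatMap((sys) =>
    sys.getSrcProfile(idToken).map((card) => ({ network: sys.network, ...card })));
  return { recognized: true, cards };
}

// Constructed sample data: two mock networks, one returning device.
const netA = makeSrcSystem("network-a", {}, { "user-1": [{ last4: "1111" }] });
const netB = makeSrcSystem("network-b", { "device-42": "user-1" }, { "user-1": [{ last4: "2222" }] });
console.log(loadCardList([netA, netB], "device-42"));
```

Only network-b recognizes the device here, yet the token it issues also retrieves the card held at network-a, which is the cross-network behaviour the text describes.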
Two important steps are not included in this blog. One is the
registration of the cardholder from the merchant user interface, be it a
browser or smartphone. The other is the actual processing of the payment. With
SRC, payment data is not posted via the browser but is passed to the SRCI back end.
These two scenarios will be described in detail in future blogs.