EMVCo and the payment networks are positioning Secure Remote Commerce, or SRC, as a critical mechanism for reducing e-commerce fraud. If widely adopted by merchants, SRC will enable the elimination of some fraud types, such as malware that infects checkout screens, and can reduce others, but the safety SRC offers comes at a cost to merchants in time and effort. This blog provides a generalized technical description of how SRC operates. We will not attempt to compare and contrast specific implementation details, identify the threats these implementations should eliminate or reduce, or consider the impact of SRC on gateways, acquirers, and merchants. We will address these matters in future blogs on this website.

The scenario below assumes the cardholder has already created a profile and loaded a card into SRC.

Simplified Diagram of SRC Cardholder Operation (After User Registration)

When a user clicks on the EMVCo symbol, the merchant will load a version of the SRCI JavaScript Library into the browser that recognizes the cards that merchant accepts and fingerprints the device during initialization. The JavaScript calls all the SRC libraries for all of the cards the merchant accepts. Once loaded, the initialization process continues by testing to determine if any of the network SRC entities recognize this specific user by issuing an IsRecognized() call. When an SRC entity recognizes the user, it delivers a federated ID token (JSON web token, or JWT), which is used to access all SRC instances regardless of network. The SRCI user interface now makes a call (getSrcProfile) to each SRC system to receive that cardholder’s card details, which are then displayed in the user interface as shown in the diagram above. Note that the card image is provided by the issuer to the SRC system for this purpose.

All that is left to do is for the consumer to click on the card they want to utilize for this purchase and then click the Checkout button.

Two important steps are not included in this blog. One is the registration of the cardholder from the merchant user interface, be it a browser or smartphone. The other is the actual processing of the payment. With SRC, payment data is not posted via the browser but is passed to the SRCI back end. These two scenarios will be described in detail in future blogs