EMV® Secure Remote Commerce (SRC) offers an approach to promote security and interoperability within the card payment experience in a remote payment environment.
22 Mar 2019
|EMVCo statement: Advances in EMV® Secure Remote Commerce with Publication of Draft Specification v0.95|
28 Feb 2019
|2018: A Year in Review|
19 Oct 2018
|EMV® Secure Remote Commerce Presentation|
10 Oct 2018
|EMV® SRC Draft Specification Release Plan|
15 May 2018
|EMVCo Statement – EMV® Secure Remote Commerce|
Q: What is EMV®* Secure Remote Commerce?
A: EMV® Secure Remote Commerce (SRC) offers an approach to promote security and interoperability within the card payment experience in a remote payment environment.
EMV® SRC will facilitate checkout through information stored and managed by an SRC System (e.g. payment network) and SRC System Participants (e.g. issuers and merchants).
EMVCo is defining the specification that enables a merchant to obtain a consistent, secure payload of customer payment information that establishes card validity and can therefore be used to facilitate authorisation through existing channels.
When finalised, it is expected that v1.0 of the EMV® SRC Specification will:
This work is being developed with input from industry participants and will be available to all parties on a royalty-free basis from the EMVCo website once published.
Q: How can EMV® SRC add value to the remote payments environment and what challenges does it address?
A: EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It accomplishes this by managing and evolving the EMV Specifications.
EMV® SRC offers the potential to address challenges within the remote payments environment to promote an enhanced payment experience for consumers.
Remote commerce, also called e-commerce, continues to grow worldwide with the popularity of online purchasing. Remote commerce involves a checkout process whereby a merchant or commerce provider requests a consumer’s permission to use their payment method to complete a transaction. The current remote commerce ecosystem enables payments using a range of integration models and implementation practices. This can create inconsistency and complexity during the consumer’s purchase. Additionally, the key entry, transmission and subsequent storage of live primary account numbers (PAN) introduces potential risk.
Challenges that EMV® SRC can address include the fact that remote commerce is often initiated through the manual entry and storage of the PAN into a website or application by the consumer. In parallel, data storage solutions that utilise usernames and passwords are widely implemented. As a result, the harvesting of manually entered data, or account takeover of established usernames and passwords, are a few examples of the vulnerabilities that can lead to the potential for massive data breaches. Also, the use of malware that exploits system vulnerabilities is increasingly common. EMV® SRC aims to mitigate the impact of such potential risks from occurring.
In addition, the actual method of delivering the payment card data to the merchant is inconsistent. This has led to the development of a variety of solutions, which has created possible further vulnerabilities within the remote commerce environment that can potentially be exploited.
Also, the remote environment has evolved using proprietary solutions, with multiple participants and use cases increasing the complexity associated with technology integration, as independent merchant integration is required to facilitate the exchange of payment data.
EMVCo also recognises the benefits from a more consistent user experience, indicated by an SRC Mark that conveys a secure payments environment to consumers at participating merchants.
EMVCo’s work in this area therefore aims to improve remote transaction security by offering a global and interoperable specification upon which SRC systems can be built to simplify merchant integration, enhance scalability and enable a consistent consumer experience when conducting remote payments.
Q: Why is EMVCo working in this area?
A: The EMV® Chip Specifications have proven successful in limiting fraud at the physical point-of-sale, and EMV® SRC aims to deliver comparable levels of security, interoperability and convenience to enhance the remote payments environment.
EMVCo has the strategic breadth, industry knowledge, and technical depth to develop and maintain frameworks and specifications that can help support secure digital card payments. The EMV® Specifications are flexible to accommodate global needs and can be adapted for regional payment requirements.
In addition to EMVCo’s expertise, the global technical body has an organisational structure that enables collaboration within the payments community, and a wellestablished track record of technical specification delivery. EMVCo is dedicated to developing globally interoperable specifications as the payment industry continues to evolve.
Fundamentally, EMVCo has the appropriate experience to ensure frameworks and specifications are developed that maintain compatibility with the existing payment infrastructure.
Q: What are the benefits of EMV® SRC to the payments industry?
A: The benefits of EMVCo’s EMV® SRC initiative are to:
Q: Are there other solutions like EMV® SRC in the marketplace today?
A: Solutions exist today that provide security and convenience. However, each requires a unique integration that adds complexity for merchants and an inconsistent experience for consumers.
EMV® SRC’s objective is to create the secure transmission of data as well as enable a more consistent merchant integration for card payments, much like what occurs at the physical point of sale.
Existing solution providers will have the option to use the EMV® SRC Specification for their implementations.
Q: Are any other industry bodies working in this area?
A: EMV® SRC is focused on providing consistency and security for card-based payments within remote payment environments.
EMVCo aims to work closely with industry participants such as W3C to capitalise on opportunities for alignment where appropriate.
Q: Are other industry stakeholders providing input to the new SRC specification?
A: EMVCo has an established Associates Programme that is open to industry stakeholders. Any interested party can become an EMVCo Subscriber. Both EMVCo Associates and Subscribers have engaged in the development of the draft EMV® SRC Specification, ensuring that industry feedback has been incorporated.
Following the release of EMV® SRC v0.9 for public comment (which closed on Monday 3 December), EMVCo received further feedback from EMVCo Associates and Subscribers as well as the public through the query system on the EMVCo website. EMVCo has reviewed the comments and published its responses to public comments received. A plan will be established to incorporate applicable recommendations that will help facilitate global interoperability as the EMV® SRC Specification evolves.
Q: Will the specification be available to all parties without charge?
A: Yes. Both the technical framework and EMV® SRC Specification will be available to all industry participants from EMVCo, on a royalty-free basis. EMVCo has an established process for delivering payment specifications through open and transparent processes in consultation with industry stakeholders.
Q: How will the specification be adopted by payment systems and other payments stakeholders?
A: As an organisation striving to facilitate enhanced security and interoperability across the payments ecosystem, EMVCo plays an important role in bringing together stakeholder interests among payments industry participants.
While EMVCo has created the EMV® SRC technical framework and has published a draft EMV® SRC Specification for any industry participant to adopt on a royalty-free basis for its own remote commerce solutions, EMVCo does not establish obligations, requirements, or otherwise for the adoption and implementation of its specifications. EMVCo does not mandate or enforce EMV® compliance or the implementation policies for issuers, merchants and acquirers, which are handled by payment systems independently outside of EMVCo.
To learn more about the role EMVCo plays within the payments ecosystem, read its Operating Principles, which can be found in the “About EMVCo” section of the website.
Q: Will EMVCo be offering a supportive testing and certification programme?
A: Due to the evolving nature of the remote payments environment and dynamic advancement of technology within this area, the nature and applicability of such an SRC testing programme is under consideration.
Q: Will the EMV® SRC Specification utilise other EMV® Specifications?
A: Yes, the EMV® SRC Specification will provide integration options for the EMV® 3-D Secure – Protocol and Core Functions Specification (EMV® 3DS) and EMV® Payment Tokenisation Specification – Technical Framework.
EMV® SRC seeks to improve security, simplify merchant integration, enhance scalability and enable a consistent consumer experience for remote payments. It is not intended to be a replacement for EMV® 3DS and EMV® Payment Tokenisation.
EMV® 3DS may optionally be used within EMV® SRC to enable consumers to authenticate themselves with their card issuer during a transaction. EMV® Payment Tokenisation may be used, for example, to restrict usage of a digital card to the remote commerce acceptance channel at a specific merchant.
Future versions of each specification may detail respective integration options.
Q: How should merchants and other parties interpret the specifications in EMV® SRC v0.9?
A: The EMV® SRC Specification draft v0.9 has the critical components necessary for the industry to evaluate and begin implementation efforts. Content includes defined data elements, messages, UI and API guidance.
Q: What will be the difference between EMV® SRC v0.9 and v1.0?
A: EMV® SRC Specification v1.0 is expected to include updates to provide additional clarity to the core specification outlined in draft v0.9. Additional details that were included in the annex of draft v0.9 are expected to be more fully defined API and UI SRC Specifications. A subsequent SRC Tokenisation Specification is also expected to follow as part of the SRC v1.0 suite of documentation.
Q: When do you expect EMV® SRC v1.0 to be published?
A: Feedback on EMV® SRC draft specification v0.9 could be made privately or publicly via an option on the EMVCo website. EMVCo has reviewed comments and published its responses to public comments received. A plan will be established to incorporate applicable recommendations that will help facilitate global interoperability as the EMV® SRC Specification evolves. The draft of v1.0 will be shared with EMVCo Associates and/or Subscribers, with an aspiration to publish v1.0 in 2019.
Q: Will EMVCo be updating the EMV® SRC Technical Framework in line with the updated EMV® SRC Specification?
A: Yes, EMVCo will update the EMV® SRC Technical Framework in the subsequent releases based on feedback received from EMVCo Associates, Subscribers and from the public review of EMV® SRC Specification v0.9.
Q: Why did EMVCo release a draft EMV® SRC Specification for public comment?
A: EMVCo recognises the need to expediently deliver its EMV® SRC Specification to help address rising fraud levels in global e-commerce while reducing consumer friction during online checkout.
Given the high levels of industry interest in the EMV® SRC initiative, EMVCo published a draft specification - EMV® SRC Specification v0.9 – for wider comment before releasing the official 1.0 version. This allowed EMVCo to expand on the feedback received to date from EMVCo Associates and Subscribers on the specification development and gave as many payment industry participants as possible the opportunity to review and contribute to v1.0 which will be published in 2019.View all related FAQs (PDF)
Draft Specifications and Bulletins are shared with EMVCo Associates and Subscribers, who provide feedback and submit Queries. They are also eligible to attend relevant meetings to discuss the Specifications.