EMV^® Secure Remote Commerce

Q: What is remote commerce?

A: In a remote commerce transaction, the consumer does not interact with a physical terminal. Remote commerce, also called e-commerce, continues to grow worldwide with the popularity of online purchasing.

Remote commerce involves a checkout process whereby a merchant or commerce provider requests permission to use a consumer’s payment method to complete a transaction.

Q: What is EMV®* Secure Remote Commerce?

A: EMV^® Secure Remote Commerce (SRC) is a set of specifications developed by EMVCo that enable the creation of a ‘virtual payment terminal’. It provides a foundation that will enable industry solutions for the processing of e-commerce transactions in a consistent, streamlined fashion across a variety of remote-checkout environments and consumer devices, including smartphones, tablets, PCs and other connected devices.

The EMV^® SRC Specifications:

• Define interfaces to allow for secure exchanges of payment data across participants in the remote commerce environment.
• Accommodate options for using dynamic data, such as cryptograms or other transaction unique data, to enhance the security of payment transactions on a merchant’s SRC-enabled website, mobile app or other e-commerce platform.
• Enable compatibility with other technologies such as EMV^® Payment Tokenisation and EMV^® 3-D Secure.
• Provide an API Specification and SDK Specification to support common integration.
• Facilitate consumer recognition of a common user experience, indicated by a payment icon, which signals to a consumer that EMV^® SRC is being used as a foundation to process card-based payment transactions in remote-checkout environments.
• Provide UI Guidelines and Requirements.

The EMV^® SRC Specifications were developed with input from industry participants and are available to all parties on a royalty-free basis from the EMVCo website.

Q: What are the common challenges facing remote commerce?

A: EMV^® SRC offers the potential to address common challenges within the remote commerce environment, promoting an easy, smart (i.e. responsive and with recall abilities) checkout experience for consumers:

• Increasing card not present (CNP) fraud
  
  The key entry, transmission and subsequent storage of live primary account numbers (PAN) introduces potential risk.
  
  Remote commerce is often initiated through the manual entry and storage of the PAN into a website or application by the consumer. In parallel, data storage solutions that utilise usernames and passwords are widely implemented.
  
  As a result, the harvesting of manually entered data, account takeover of established usernames and passwords, or use of malware are a few examples of the vulnerabilities that can lead to the potential for massive data breaches. In addition, the actual method of delivering the payment card data to the merchant is inconsistent. This has led to the development of a variety of solutions, which has created possible further vulnerabilities within the remote commerce environment that can potentially be exploited.
  
  EMV^® SRC aims to mitigate such potential risks from occurring (see benefits section below to understand how).
• Checkout friction
  
  The current remote commerce ecosystem enables payments using a range of integration models and implementation practices. This can create inconsistency and complexity during the consumer’s purchase.
  
  EMVCo recognises the benefits of a more consistent user experience, indicated by a payment icon that conveys to consumers that they can expect an easy, smart checkout wherever it appears, regardless of which payment card or remote-checkout environment they use.
  
  Also, the reduced need for entering card and shipping information has the potential to lower shopping cart abandonment for merchants.
• Ecosystem complexity
  
  The remote environment has evolved using proprietary solutions, with multiple participants and use cases increasing the complexity associated with technology integration.
  
  EMVCo’s work in this area aims to offer a global and interoperable specification upon which SRC systems can be built to simplify merchant integration, enhance scalability and enable a consistent consumer experience.

Q: What are the benefits of EMV^® SRC?

A: The benefits of EMVCo’s EMV^® SRC initiative are to:

• Increase consistency across the remote environment by enabling solutions that can deliver interoperability and convenience.
• Reduce ecosystem complexity by enabling consistent and simplified integration processes and interfaces among stakeholders.
• Enhance the security of remote commerce websites and applications through the introduction of dynamic data as well as the secure transmission of payment and checkout information.
• Provide integration compatibility for other EMV^® Specifications, including EMV^® 3-D Secure and EMV^® Payment Tokenisation.
• Reduce repetitive manual PAN entry by enabling the consistent identification of the consumer, potentially lowering shopping cart abandonment.
• Facilitate consumer recognition, through a payment icon, which can be used on a royalty-free basis.
• Facilitate industry innovation by providing a baseline for remote commerce across new devices, remote-checkout environments and technologies.

Q: Are the EMV^® SRC Specifications flexible?

A: Yes. Although EMV^® SRC delivers a level of consistency to facilitate consumer recognition and familiarity, the specifications are flexible to enable a range of experiences.

Q: Why is EMVCo working in this area?

A: EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It accomplishes this by managing and evolving the EMV^® Specifications.

The EMV^® Chip Specifications have proven successful in limiting fraud at the physical point-of-sale, and EMV^® SRC aims to help deliver comparable levels of security, interoperability and convenience to enhance the remote payments environment.

EMVCo has the strategic breadth, industry knowledge, and technical depth to develop and maintain frameworks and specifications that can help support secure digital card payments. The EMV^® Specifications are flexible to accommodate global needs and can be adapted for regional payment requirements.

In addition to EMVCo’s expertise, the global technical body has an organisational structure that enables collaboration within the payments community, and a well-established track record of technical specification delivery. EMVCo is dedicated to developing globally interoperable specifications as the payment industry continues to evolve.

Fundamentally, EMVCo has the appropriate experience to ensure that frameworks and specifications can be developed in such a way that their respective compatibility with the existing payment infrastructure will be maintained.

Q: What is the payment icon?

A: The SRC payment icon is comprised of a pentagon design oriented on its side with a stylized depiction of a fast forward symbol on the right, formed by a continuous line. The icon shall always appear exactly as shown in the image below and shall never be broken apart or visually altered in any way.

Q: Why has EMVCo developed the payment icon associated with EMV^® SRC?

A: The payment icon facilitates easy consumer recognition of websites, apps and other remote-checkout environments that use the EMV^® SRC Specifications as a foundation to process card-based payment transactions. When a consumer clicks on the prompt associated with the icon, they can be confident that they are entering a consistent payment space regardless of the payment method or merchant and can expect an easy, smart checkout.

The intention is for the icon to become a trusted visual symbol in remote payment environments, which brings the same level of familiarity and confidence that consumers currently experience when using an EMV^® point-of-sale payment terminal at any merchant outlet globally with Contactless or QR icons.

Q: Where can consumers expect to see the payment icon?

A: The icon is available for licensed reproduction across remote-checkout environments that offer payments enabled by the EMV^® SRC Specification, including websites and apps.

Q: How can I obtain the payment icon, and what are the requirements for its placement and usage?

A: EMVCo has published a Trademark License Agreement and the Reproduction Requirements to detail the use of the icon and call-to-action across remote-commerce environments. The payment icon, Trademark License Agreement and Reproduction Requirements are available from the EMVCo website for royalty-free usage.

Q: What are the SRC System Operating Images that can appear next to the payment icon?

A: SRC System Operating Images are the unique images referring to an SRC System that will be displayed in association to the SRC Trigger and payment icon.

Q: Will the usage of the payment icon be mandatory across remote-checkout environments that offer EMV^® SRC-enabled payments?

A: EMVCo does not mandate the use of the EMV^® SRC Specifications nor the associated payment icon. EMVCo also does not mandate which payment methods are presented to consumers within the EMV^® SRC experience.

Q: Are there other solutions like EMV^® SRC in the marketplace today?

A: Solutions exist today that provide security and convenience. However, each requires a unique integration that adds complexity for merchants and an inconsistent experience for consumers.

EMV^® SRC’s objective is to facilitate the secure transmission of data as well as enable a more consistent merchant integration for card payments, much like what occurs at the physical point of sale.

Existing solution providers will have the option to use the EMV^® SRC Specifications for their implementations.

Q: Are any other industry bodies working in this area?

A: EMV^® SRC is focused on enhancing consistency and security for card-based payments within remote payment environments.

EMVCo aims to work closely with industry participants to capitalise on opportunities for alignment where appropriate.

For example, The FIDO Alliance, EMVCo, and the World Wide Web Consortium (W3C) have created an Interest Group for organisations to collaborate on a vision for web payment security and interoperability.

The Web Payment Security Interest Group complements existing specification-level discussions around EMV^® SRC, EMV^® 3DS, FIDO Alliance’s FIDO2 specifications, and W3C's Web Authentication and Payment Request APIs. The group also provides the foundation for collaboration around future technical specifications.

Q: Have other industry stakeholders provided input to the EMV^® SRC Specifications?

A: The publication of EMV^® SRC v1.0 follows a public consultation period on the draft specification in Q4 2018, which allowed as many payment industry participants as possible, including merchants, card issuers and payment networks, the opportunity to review and contribute.

EMVCo has an established Associates Programme that is open to industry stakeholders. Any interested party can become an EMVCo Subscriber. Both EMVCo Associates and Subscribers have engaged in the development of the EMV^® SRC Specifications, ensuring that industry feedback has been incorporated.

EMVCo encourages new participants to join the EMVCo Associates Programme or become an EMVCo Subscriber.

Q: Will the EMV^® SRC Specifications be available to all parties without charge?

A: Yes. The EMV^® SRC Specifications are available to all industry participants from EMVCo on a royalty-free basis. The associated payment icon, along with the corresponding Trademark License Agreement and the Reproduction Requirement documentation, is also available from the EMVCo website for royalty-free usage within remote-commerce channels. EMVCo has an established process for delivering payment specifications through open and transparent processes in consultation with industry stakeholders.

Q: How will the EMV^® SRC Specifications be adopted by payment systems and other payments stakeholders?

A: As an organisation striving to facilitate enhanced security and interoperability across the payments ecosystem, EMVCo plays an important role in bringing together stakeholder interests among payments industry participants.

While EMVCo has published the EMV^® SRC Specifications for any industry participant to adopt on a royalty-free basis for its own remote commerce solutions, EMVCo does not establish obligations, requirements, or otherwise for the adoption and implementation of its specifications. EMVCo does not mandate or enforce EMV^® compliance or the implementation policies for issuers, merchants and acquirers, which are handled by payment systems independently outside of EMVCo.

To learn more about the role EMVCo plays within the payments ecosystem, read its Operating Principles, which can be found in the “About EMVCo” section of the website.

Q: Will EMVCo be offering an EMV^® SRC testing and certification programme?

A: Due to the evolving nature of the remote payments environment and dynamic advancement of technology within this area, the nature and applicability of such an EMV^® SRC testing programme is under consideration.

Q: Are the EMV^® SRC Specifications compatible with EMV^® 3DS and EMV^® Payment Tokenisation?

A: Yes, the EMV^® SRC Specifications are compatible with the EMV^® 3-D Secure – Protocol and Core Functions Specification (EMV^® 3DS) and EMV^® Payment Tokenisation Specification – Technical Framework.

EMV^® SRC seeks to improve security, simplify merchant integration, enhance scalability and enable a consistent consumer experience for remote payments. It is not intended to be a replacement for EMV^® 3DS and EMV^® Payment Tokenisation.

EMV^® 3DS may optionally be used within EMV^® SRC to enable consumers to authenticate themselves with their card issuer during a transaction. EMV^® Payment Tokenisation may be used, for example, to restrict usage of a digital card to the remote commerce acceptance channel at a specific merchant.

Q: Will EMVCo be updating the EMV^® SRC Technical Framework in line with the updated EMV^® SRC Specifications?

A: No. With the publication of the EMV^® SRC Specifications, relevant aspects of the EMV^® SRC Technical Framework have been incorporated into the specification so revisions to the technical framework will not be necessary.

View all related FAQs (PDF)