EMV SRC Explained
Back in June, EMVCo published the specifications for Secure Remote Commerce, a digital toolset it developed to allow for the creation of secure, globally interoperable virtual payment terminals. While the general idea behind SRC is easy enough to grasp, many merchants still have lots of questions about where SRC should be implemented, how it works, and what actual benefits it will confer. Before throwing another branded payment platform up for your customers to figure out, it’s fair to ask: is this going to be worth it?
From our perspective here at Chargeback Gurus, the first thing we want to know is whether implementing a particular tool or platform is likely to have an effect on the number of disputes and chargebacks a merchant receives. The basic framework of SRC relieves merchants from having to store and protect customer payment credentials, and makes it more difficult for fraudsters to use stolen cards at SRC-enabled payment terminals. The downside of this is that an SRC “vault” of stored card data is a very high-reward target for hackers, but the relationship between any given high-profile data breach and an individual merchant’s chargeback rate is tenuous at best.
Merchants who want to expand their reach and accessibility, making themselves an attractive choice for shoppers from a wide range of regions (and with a wide range of security concerns and priorities), should always keep an open mind toward platforms that have the potential to improve security while minimizing checkout friction. We don’t want to see merchants who could benefit from SRC avoiding it due to confusion or misinformation, so let’s take a closer look at the advantages of SRC and what its implementation actually involves.
How is SRC Structured?
SRC is a set of specifications and technological tools, not a unitary app or program. An SRC implementation will involve multiple components working together to store card credentials and process payments:
- The SRC System, which coordinates the activities of the lower-level components.
- The Digital Payment Application (DPA), the software through which the consumer interfaces with the SRC system.
- The Digital Card Facilitator (DCF), which stores and provides access to the consumer’s actual payment credential data.
- The SRC Initiator, which collects and transmits the data between the DCF and the merchant so that the payment can be processed.
- The SRC Participating Issuer, which enrolls cardholders in SRC.
These roles are designed to be handled in a flexible and adaptable manner by various participants in the payments ecosystem, enabling different countries, regions, and banking systems to implement SRC in the most logical and effective way.
Who Benefits from SRC?
EMVCo designed SRC in consultation with various stakeholders in the card payments industry. This is a global initiative intended to be used in all regions and markets, and the specifications are made available for use royalty-free. While recognizable branding is very much part of the SRC concept, it is quite different from superficially similar, proprietary third-party checkout platforms like PayPal. In other words, the primary beneficiaries are supposed to be the merchants and customers who make use of SRC, not its creators and backers.
For consumers, the main benefit is that they get a secure, consistent payment experience that spares them from having to reenter their payment credentials at every different site they shop at. Rather like a digital wallet, the SRC vault stores their credit card numbers and other payment credentials and mediates the checkout process. All the consumer has to do is validate their identity through SRC and the stored card of their choice will be charged for the transaction. The only point of friction would be the initial signup and card storage process.
This consumer convenience works for the merchant’s benefit, too. Merchants can look forward to fewer abandoned shopping carts since customers who use SRC won’t ever get stuck fumbling for a misplaced or inaccessible payment card when it’s time to check out. Merchants can also anticipate fewer chargebacks. Since payment authorization will go through SRC, it will be much harder for cardholders to claim that their card was used without their knowledge or consent. With a successful SRC implementation, actual cases of true fraud should decrease, and friendly fraud will be a much tougher sell to issuing banks.
How Can SRC Be Implemented?
While an official SRC API may be in the works, for now the implementation process runs through two providers:
- The card networks, who enroll you in SRC (automatically for American Express, opt-in for Visa and Mastercard).
- Your payment processor, who handles the actual integration of SRC-enabled checkout technology.
“Click to Pay” is the terminology we’ve already seen used in conjunction with SRC. EMVCo has designed a standardized payment icon to be used as a universal identifier for SRC-facilitated payment acceptance.
EMV created the chip technology that is used in credit cards and point-of-sale terminals everywhere now, and in many ways SRC is designed as a virtual analogue to the EMV chip. Wherever it appears, it offers a more secure way to authorize a card payment transaction for those who are set up to use it.
When a customer encounters the SRC icon, they are meant to understand that they can click on it to initiate an SRC-enabled checkout process. By doing so, they will connect with the DPA, which will attempt to recognize them as a returning user. If it cannot do so, the customer may need to log in again, or complete a signup process with the SRC Initiator if they haven’t used SRC before.
Once the customer is recognized, they will interact with the DCF to select which stored card they want to use (if there are multiple). The DCF will then interface with the DPA to process the transaction. At no point is the customer’s payment data transmitted directly to the merchant.
The key thing to remember about SRC is that it isn’t a plug-and-play widget that slots into your checkout page and starts seamlessly providing added payment security. SRC is designed to be adaptable to a broad range of different payment environments, devices, and platforms, and many aspects of an SRC implementation will be out of the scope of EMV’s specifications, determined instead by the card networks, banks, and payment processors.
The upshot of this is that without centralized control of the SRC system and its components, players in the payments industry can work to shape it in ways that will optimally suit their needs and those of their customers. We’re hoping that wider adoption of SRC will mean fewer fraudulent charges and plummeting chargeback rates for enrolled merchants.