Safeguarding Payments with the Secure Remote Commerce Initiative
While the chargeback process may pit merchants, consumers, banks, and card networks against each other at times, at the end of the day, everybody with a stake in payment cards wants the same things: a system that’s easy for consumers, profitable for merchants, and free from fraud and theft. As the de facto rulers of the payment card universe, the card networks understand this as well as anyone, and we’re always pleased to see them take steps to improve security while keeping things user-friendly and frictionless for consumers.
Through EMVCo, the consortium that governs payment card standards, Visa, Mastercard, and American Express have introduced the Secure Remote Commerce Initiative, a forward-looking method of storing payment credentials and processing online payments that has been designed around thwarting fraud while keeping things simple and streamlined for ecommerce customers.
Many in the industry see SRC as an example of where the future of payment security is headed. It provides some tangible benefits to consumers and merchants alike, and puts fewer roadblocks into the checkout process than protocols like 3-D Secure. If you’re worried about fraud and chargebacks (and what merchant isn’t?) and haven’t implemented SRC yet, it’s time to get familiar with it.
How SRC Works
As things currently stand, internet shopping means providing your credit card number and other personal information to every online merchant you patronize, which means that your sensitive card data is stored in merchant databases all over the world, everywhere you shop. Some of those merchants may use cybersecurity best practices, and some of them may not. If any one of those merchants gets hacked, the fraudsters have your payment credentials.
The SRC Initiative was launched to prevent merchant data breaches from exposing private customer information without creating additional checkout friction for consumers. While it hasn’t seen widespread merchant adoption yet, it is active right now, and all three of the card networks backing it are using it.
Using SRC is similar to checking out with PayPal—you get bounced from the checkout page to a separate login screen, and once you’ve logged in and selected your payment card, it communicates with the merchant page to confirm that you’ve made a valid payment and returns you to the next step in the checkout process to complete your order.
Here’s how it works when you check out, step by step:
- When you’re ready to finalize a purchase at an online store and have navigated to the checkout page, you’ll see the SRC icon.
- Click on the SRC icon and you’ll be prompted to enter a single piece of information, the email address that serves as your SRC user ID.
- If you’re on a trusted device, you can select a stored credit card to pay with. If you’re on a new device, you’ll be sent a confirmation code before you can proceed with payment.
- With your payment accepted, you return to the merchant’s site. Your payment credentials are safely stored with the card network, not the merchant.
Essentially, it’s a digital wallet that’s stored and kept secure by the card networks themselves. You manage your stored cards with SRC and can use them at any merchant that is set up to accept payments via SRC. The only speed bump in the process is the initial registration.
Cinemark, Movember, and Rakuten are the first merchants to adopt Click to Pay on their websites, with Bass Pro, JoAnn Fabric and Crafts, Papa John’s, Saks Fifth Avenue, SHOP.com, and Tickets.com following by the end of 2019.
Benefits of SRC
The most obvious benefit of SRC is that cardholders aren’t at the mercy of the security practices of the merchants they shop with. If a data breach occurs, you won’t have to worry that your card number is floating around the dark web somewhere. It also represents an improvement over earlier anti-fraud tools that required consumers to go through lengthier validation processes. With SRC, all they have to do on a trusted device is enter their email address.
For merchants, an additional benefit is that SRC prevents chargebacks. Cardholders cannot plausibly claim that payments validated through SRC were the work of a fraudster, so by implementing it you should see a reduction in fraud-related chargebacks, both the true fraud and the “friendly” kind. The goal of SRC is to reduce consumer friction, and the new Click to Pay button will replace the current guest checkout process.
While SRC does not shift dispute liability—it’s still on you, merchants—it can serve as an important element in your overall chargeback defense plan.
Enrolling Your Credit Cards in SRC & Creating the Digital Vault
As a consumer, you can enroll your credit cards in the SRC program through the Visa and Mastercard networks, using each network’s own website.
American Express cardmembers are enrolled in the SRC program by default.
The card networks work collaboratively, so a cardholder can also add multiple cards to the vault at the time of purchase. For added security, the vault is associated with your email address and mobile number.
Introducing SRC to Your Checkout
Payment processors and payment platforms such as Adyen, Authorize.Net, CyberSource, FIS, Global Payments, Mastercard Payment Gateway Services, and Stripe are now offering “Click to Pay” to merchants.
It is also expected that a unified API will be released, either by EMVCo, the card networks, or payment processors, for merchants to use the SRC checkout feature. We highly recommend that you consult with your payment processor about using Click to Pay, and don’t be surprised if they already have an API.
A Word of Caution
Overall, SRC is a big step forward in terms of data security and consumer-friendly functionality. It’s hard to argue that a card stored on servers managed by the card networks themselves is less secure than one stored in the database of a small merchant. However, using SRC does create an Achilles’ heel of sorts: a single point of vulnerability that’s harder for fraudsters to target, but comparatively more valuable than a single stored card.
Sophisticated fraudsters can copy browser cookies and imitate trusted devices, creating a full, virtual profile of a targeted victim. By doing so, they can appear indistinguishable from the victim, fooling SRC and allowing them to use the victim’s stored cards at any site that has implemented SRC.
This is a much more difficult cyberattack than simply breaking into a single merchant database, but it is possible, and there are fraudsters who specialize in high-difficulty, high-value attacks like these. It’s not a reason to avoid SRC, but it is something to be aware of, and we hope that EMVCo and the card networks will take steps to properly address it soon.
What we like most about SRC is that it doesn’t sacrifice the customer experience for improved security, or vice versa. It’s understandably hard for merchants to introduce security protocols that are going to cause some shoppers to get annoyed and abandon their shopping carts, but we think that even the most impatient consumers won’t mind dealing with SRC once they’ve gotten familiar with it.
Merchants and consumers should be aware of the theoretical risks of creating a hard-to-crack but high-value target for fraudsters, but the fact that SRC protects cardholder data, reduces chargebacks, and allows for frictionless payments—all within a single protocol—makes it well worth investigating. We expect to see many more merchants using SRC in the not-too-distant future.