The payments game is all about the battle between security and convenience. Adding measures like billing address verification and two-factor authentication help secure transactions against fraud, but they also increase friction and abandonment. Reducing the friction may boost sales but will invite fraud along with it.
Smart-chip maker EMVco has come up with a innovation that unifies security and convenience called Secure Remote Commerce. SRC enables universal payment profiles that can be used across the web, so consumers don’t have to create profiles and authenticate at every single point of sale.
WHAT IS SRC
SRC — also known as “Click to Pay” — is not a solution per se, but more a set of protocols that coordinates payments stakeholders to provide consumers with a single payment gateway across all participating merchants. This dramatically reduces checkout friction while preserving and even enhancing security.
Card schemes had previously tried their own proprietary solutions like MasterPass and Visa Checkout, but they were confusing and adoption was limited. SRC has created rules-of-the-road specifications for all card schemes to utilize for a consistent, scheme-neutral and secure payment experience.
Now this is payments, where just about everything is complicated. So you’re probably already confused; we get it. SRC is best understood through the consumer experience, so let’s cut right to its real-world application and pretend we’re making a purchase from an SRC-enabled merchant.
HOW SRC WORKS FOR CONSUMERS
In checkout, you’ll see a payment method option called “Click to Pay” that will look something like this:
That’s the “Click to Pay” icon on the left, typically displayed with the payment methods it supports. On your first use, clicking this method will prompt you to do the usual gateway data entry of card number, billing address etc. This authenticates your payment for this particular transaction, but it also creates your payment profile in the SRC system.
You must bind your profile to an identifier — either an email or purchasing device — and that will be all you need to authenticate on future SRC payments. At the bare minimum, you bind to a single card with your email. But you can add multiple cards and bind them to multiple devices.
With SRC, that first authentication authorizes all subsequent purchases using “Click to Pay” with just your identifier. So we can now move to a completely different merchant and make purchases without having to create new profiles or authenticate our credit card ever again. SRC routes a one-time password to your identifier, and that’s all you need.
If you’re thinking: “that sounds like Paypal,” you’re not wrong. Like Paypal, you can register multiple payment methods, to deploy with a single login. However, Paypal is a third party, which holds your sensitive data and charges fees on transactions. SRC is just a protocol; you’re not creating a new account, or giving out your sensitive data to a new party. You’re actually connecting to your exiting issuers through SRC.
HOW SRC WORKS FOR MERCHANTS
From the merchant perspective, the transaction is processed off-site and tokenized. So let’s look at what’s happening behind the scenes with SRC payments. As mentioned, SRC is a connection protocol between transaction stakeholders through the following components:
- The SRC System itself coordinates interactions between cardholder, merchant and issuer. While each component is present in every SRC transaction, who actually executes that component will vary in context. The SRC System sorts all that out.
- Digital Payment Application (DPA): Integrates SRC protocols into the merchant point of sale to connect the cardholder to the SRC system. This role can be fulfilled by the processor or the merchant themselves.
- SRC Initiator (SRCI): The “gateway” between the merchant’s DPA and the SRC system, where users enroll, authenticate and manage their SRC profile. Again, different role-players may provide this PSP, merchant, acquirer, or gateway.
- Digital Card Facilitator (DCF): Where the payment profiles are stored and authentications are executed.
- SRC Participating Issuer (SRCPI): This is the one static component, specifically the issuing bank of the payment network used.
SRC’s adoption has been driven by its flexibility and adaptability. Each of these components are fulfilled by different players, depending on the countries, financial institutions and regulations involved.
SECURITY CONCERNS
A major plus for security with SRC is that the merchant is nowhere near the authentication process. There is no need to keep and store customer accounts with sensitive information. Security requirements are placed at the source. For example, instead of the merchant providing PCI compliance, that role can be put on the card networks that actually set those PCI standards.
SRC doesn’t necessarily change how transactions are authenticated — all the security standards of conventional transactions are still being met, and can even be exceeded. Due it it’s modularity, SRC can accommodate enhanced security features such as 3DS2.0 and biometrics.
HOW TO ENABLE SRC
Currently, merchants can get SRC enabled on their point of sale through their payment processor. Generally speaking, SRC can be an excellent addition to your point of sale. SRC users can then purchase your items securely with no friction in their way. In particular, if you’re seeing a lot of cart abandonments, or checkouts using guest accounts, the SRC route is ideally suited to improve the user experience on your site.
On the dispute management side of things, SRC has some clear benefits. First, you aren’t going to see a lot of friendly fraud coming through this channel. The cardholder’s fingerprints are all over this method to where it would be hard from them to falsely claim fraud. True fraud is also significantly impeded by SRC, as the fraudster would have to hack, steal or spoof the cardholder’s identifier to have any success.
CONCLUSION
Secure Remote Commerce or “Click to Pay” promises to streamline payments for consumers by reducing checkout friction without compromising security. While it provides the rules of the road to coordinate all the stakeholders in the payments process, we’re still working with a lot of moving parts.
Whether your processor offers this functionality, and whether consumers get on board taps into the wider issue of adoption, which plagues all innovations in the payments space. Many a great idea has come forward to solve payments problems, only to be forgotten or postponed out of existence. Only time will tell. But in the meantime, if merchants can add this payment method to their point of sale, they should definitely consider doing so.