Secure Remote Commerce and the SRCI

Secure Remote Commerce and the SRCI
Steve Cole Sr. Product Manager, EMV and Security Products Worldpay from FIS
Mar 5, 2020

Secure Remote Commerce – what is it?

You may have noticed that every website you visit supports a variety of different checkout experiences.
Some use PayPal, Visa Checkout, or Masterpass, but others use their own custom experiences. Often, this means you must re-enter the same details on many different websites. 

One of the most frustrating issues for consumers when shopping online is the number of fields they must fill out to complete a purchase. In some cases, this can be as many as 58 unique fields! This includes entry of personal information, payment card details, and billing and shipping addresses. It’s one of the biggest contributors to cart abandonment. The two top reasons for cart abandonment are 1) the site wanted the customer to create an account, and 2) a checkout process that was too long or complicated. These two reasons alone contribute over 40% of overall cart abandonment.

To address this, EMVCo has published the Secure Remote Commerce (SRC) specifications aimed at improving the checkout experience, which has been adopted by the payment networks. The aim is to introduce a consistent user experience for consumers while removing the need to re-enter all their information across any SRC supported site, speeding up checkout time and reducing abandonment. This is especially beneficial in the guest checkout experience where a customer doesn’t want to create an account.

The SRC specifications enable the creation of what’s called ‘virtual payment terminal’. The idea is to create a similar experience to a physical terminal, but in the online commerce world. It provides “a foundation that will enable industry solutions for the processing of eCommerce transactions in a consistent, streamlined fashion across a variety of remote-checkout environments and consumer devices including smartphones, tablets, PCs, and other connected devices 1.”

How does SRC work?

SRC is an open system where participants in the payments ecosystem facilitate a streamlined checkout process that reduces the need to enter personal and card information in multiple eCommerce sites and works across multiple devices and channels. To accomplish this, roles have been defined in the SRC process as shown in the figure below.

Each of these roles performs specific functions:

  • DPA (Digital Payment App): Integrates SRC code on websites to enable the SRC payment experience
  • SRCI (SRC Initiator): Distributes code to DPA and manages API integration to SRC Systems
  • SRC System: Orchestrates technical activities between parties and binds consumer profiles
  • DCF (Digital Card Facilitator): Enrolls consumers and stores the digital card after being presented by the SRCI
  • SRC PI (Participating Issuer): Onboards customers into the SRC System

While these roles can technically be filled by any ecosystem participants, certain stakeholders make more sense in certain roles. For instance, an acquirer is better suited to playing the role of an SRCI, managing the consumer experience and relationship with merchants. The DPA owner decides which SRC Initiators to use.

The role of the SRCI

As mentioned above, two of the primary functions of the SRCI are to distribute code to the DPAs and manage integration to the SRC Systems’ APIs. These functions support the initiation of the SRC checkout process, so customers can enroll for SRC, pay using SRC, add cards to SRC, and access cards stored in SRC. This requires the SRCI to implement and distribute code to:

  • Collecting card details so the card can be enrolled into the appropriate SRC System
  • Capturing the customer authentication data for card access via the SRC Systems
  • Retrieving saved card data from relevant SRC Systems
  • Displaying the card list (aka candidate list) to the customer
  • Connecting the customer to the DCF of the selected card
  • Retrieving the payload from the appropriate SRC System
  • Notifying the SRC System of payment authorization

Additionally, the SRCI is responsible for registering DPAs with the SRC Systems. The SRCI may also send the card data to the acquirer for authorization.  

To better understand the role of the SRCI, we will walk through an example of a first-time user of SRC (note that implementations may vary so this is not the only possible experience or flow). The SRC experience begins when the customer reaches the checkout page of the online merchant. They will be presented with their payment options including SRC. The SRC button (there can also be “buttonless” implementations) will display the SRC mark and the card brands accepted by the merchant. When the customer clicks on the button, the SRCI will query each SRC System to determine if any of the SRC Systems recognize the customer’s device. If the device is recognized (bound to the customer’s SRC profile), the SRC Systems will return the card data for the customer.  However, since our customer is a new SRC user, they will not be recognized.

At this point, the customer will be presented a page hosted by the SRC Initiator to enter their card details. In addition to entering card details, this page would also have an option for a returning, but unrecognized, user to log in with the SRC credentials. Since our customer is a new SRC user, they will enter their card details into the page. Based on the card data, the SRCI identifies the appropriate SRC System to which the card data will be sent and then securely sends the data for enrollment.

The SRC Initiator will then direct the customer to the DCF user interface to complete the enrollment and checkout. The customer will enter their billing, shipping, and contact information. In addition, they will create their SRC user ID. Once the customer’s profile is created, they will have the option to bind their device to their profile as well. The customer will then be prompted to confirm their information and proceed with the checkout. As this happens, the SRC System provides the SRCI with the checkout response, and the SRCI requests the payment data for the transaction while the cardholder is returned to the merchant’s site to confirm their order.  

On confirmation of the order, the SRCI will initiate the authorization request to the acquirer. After the acquirer responds with the transaction result, the SRCI provides the result to the merchant for display to the customer. The process completes with the SRCI notifying the SRC System of the result of the transaction. For returning users, both recognized and unrecognized, the SRCI will perform similar functions, but with less user interaction.

Becoming a SRCI

Each SRC System will establish their own requirements and prerequisites for becoming an SRC Initiator. Entities wishing to become SRCIs will need to on-board with each SRC System they want to support. The SRC Systems will distribute the required SDKs, API specifications, and keys to the SRCI. The SDKs allow the SRCI to initiate the checkout experience and make the required calls to the SRC Systems from the merchant website. The source code used by the SRC Common Software is the software the SRCI distributes to the DPAs. The SRCI uses the APIs to interact with the SRC Systems. The keys are used for signing and encrypting data. The SRCI will need to implement all of these elements and abide by the rules of each SRC System.

Secure Remote Commerce brings the promise of a streamlined, online checkout experience across devices and browsers, but requires coordination among a number of parties to be successful. The SRC Initiator plays a pivotal role in connecting the pieces of the SRC puzzle.  

1 EMVCo,

The Merchant Advisory Group

Driving positive change and innovation in the payments industry that serves the merchants interest through collaboration, education, and advocacy.