EMV® Secure Remote Commerce Presentation

EMV® Secure Remote Commerce What is Remote Commerce?

Remote Commerce E-commerce Online Payments Digital Web-based Payments Commerce

• During the checkout process a merchant asks a consumer to provide or select a payment method for a purchase • Checkout may also include: Remote commerce – Verification of the cardholder and present happens at the bill of sale checkout process – Delivery of information to enable the receipt of the purchased goods or services

Remote commerce continues to grow worldwide with the popularity of online purchasing. However, it has become increasingly targeted and susceptible to compromise.

• Current environment • Variety of • Primary Account has many different implementations Numbers (PAN) entry, integration models result in transmission and which can be fragmentation, subsequent storage of expensive and time complexity, and live PAN introduces intensive for inconsistency significant risk merchants

Copyright ©2017©2018 EMVCo – Confidential 4 Concerns with Remote Commerce Each stakeholder needs to balance different concerns associated with payment card acceptance during a remote commerce checkout experience

Merchants Consumers

• User friction increases cart • Concerned that account will be abandonment compromised • Online transactions carry increased risk • Don’t have the same level of • Supporting multiple, unique payment convenience (e.g. multi data entry) solutions is expensive and time intensive across multiple merchants

Secure Remote Commerce (SRC) establishes the foundation to deliver a consistent consumer checkout experience while increasing simplicity and security

EMV® Secure Remote • Creates a consistent, streamlined checkout Commerce environment for digital transactions • Provides secure payment acceptance between a merchant site and the consumer device • Supports a variety of consumer devices (phones, tablets, PCs, and IoT devices)

Specification Features EMVCo will develop and maintain the EMV Secure Remote • Provides interfaces to support secure exchanges of data between Commerce merchants and issuers to enable payment Specifications to support remote • Defines UIs and APIs to enable predictable payment experiences transactions in a globally interoperable • Defines secure delivery methods of a payment payload to a manner merchant

• Define a payment payload with valid payment credentials

• Supports the protection of transactions with dynamic data

• Does not impact the existing processes for authorisation

Copyright ©2017©2018 EMVCo – Confidential 7 SRC Key Benefits SRC benefits merchants, consumers, and all industry stakeholders by streamlining integration and facilitating innovation across new devices, channels and technologies

Merchants Consumers

• Potentially lowers shopping cart • Provides a choice of online checkout abandonment methods • Simplifies integrations • Delivers a consistent and secure • Supports the integration of new consumer purchase experience across technologies multiple merchants • Provides a choice of online checkout methods

Physical Payments Consumer Payment Interaction Information

Physical Terminal Payment Card BAU Authorisation Remote Commerce

Merchant Website Payment Card Merchant and Acquiring Payment Issuing Intermediaries Bank Network Bank Cardholder

10100

Merchant Payment Digital Card SRC System Information Secure Remote Commerce Selection

As the development of the EMV® Secure Remote Commerce (SRC) Specification has progressed, it is critical to understand the intention/focus behind the specification and included annexes

SRC Specification Focus Outside of SRC Specification Scope

✓ Preparation and assertion of the data to be • Changes to transaction processing passed along through existing transaction processing rails • Implementation mandates

✓ Consistency in payload to provide structure • Restrictions on who can play which roles and ubiquity to help ease global integration • What the merchant experience looks like ✓ Guidance / Clarity for how to connect with an SRC System • Compliance or policy requirements

✓ Visual elements for incorporation to allow for customer recognition

• Establish interoperable interfaces for all stakeholders to enable a consistent payment card specification for message content, transmission and security

• Deliver a consistent representation of the consumer account data to merchant

• Introduce Dynamic Data to protect the Payment Data through a scalable solution

• Providing transparency between the participants to facilitate Cardholder Authentication and Consumer Device identification

• Enable the integration of other EMV® specifications such as Payment Tokenisation and 3-D Secure authentication

• Minimise consumers entry of their Payment Data by enabling consistent identification of the Consumer and the Consumer Device to minimise friction and potentially reduce abandonment during the payment experience

• Supporting common Consumer Verification to enable access to established Payment Data

Functions Description Typical Participant Examples • Any Payment System Responsible for the policies and processes associated with the oversight of SRC • Global/ Regional/ Domestic SRC Programme participants within an SRC System • Proprietary (Merchant, Issuer, other)

Orchestration of all technical activities between participants, manages the • Payment Networks supporting SRC System technical aspects of the SRC Programme Payment Systems

• Merchants Digital Shopping A payment enabled application that facilitates the SRC consumer experience • Marketplace Application (DSA) • Hosted Order Page Provider

• Wallets Digital • Browser Card Facilitator Provides consumers access to information for use during a commerce exchange • Issuer

SRC Roles SRC (DCF) • Merchant

Facilitates the collection and transmission of digital card and checkout SRC Initiator (SRC I) • Merchant Service Providers information on behalf of a DSA to enable the initialisation of a payment

SRC Participating Enrols the cardholder, PAN and authorisation related data • Issuers Issuer (SRC PI)

Current Checkout Solutions EMV Secure Remote Commerce Single Provider Solutions Multi-Provider Solutions Service Issuer Merchant PSP Payment Device Issuer Merchant Provider Wallet domain Wallets Network domain Checkout Secure Checkout Cloud COF Single Source Excluded Limited Single Multiple VS All All Any Agnostic All Providers Service Wallets / Issuer Merchant Provider Device Selection domain

Checkout SRC Roles

Device Digital Assurance SRC Limited Single Tied to Single Participating Shopping SRC SRC enables Digital Card Participating Provider Source Application Initiator System access Facilitator Issuer

One-off Fragmented - Potential-Risk - Lack of Scale - Current Gaps Solutions

Varied Experiences PAN Exposure Single Provider Merchant by Merchant

Common + Secure + Scalable + 360o Solution

Dynamic Data; Consistent EMV SRC Common Experience Ubiquitous Assurance Implementation Achieves Higher Cart Conversion Higher Authorisation Lower Cost of & Rates & Integration & Higher Higher Adoption More Engagement Low Fraud Losses Acceptance Rates

• Scale is fundamental to the effectiveness of solutions • Innovation in payment technologies mostly affects merchant-facing functions in the value chain • Integration of each new data source is resource and time consuming • Convenience over security is not an acceptable tradeoff for consumers and all want access to all their existing cards

Individual SRC Programmes in conjunction with SRC Systems’ participation may offer a spectrum of solutions for consumers from anonymity to full convenience.

Consumer Experience Spectrum Consumers may want different experiences Guest Device Agnostic Device Specific Frictionless based on their confidence in the solution providers

Frequency One Time Repeat User Repeat User Repeat User

Enrol with Issuer but Enrol but do not Enrol and remember me Enrol and remember me Recognition do not store my remember/track me (no on this device on this device information device recognition)

I can prove it is my card Check to make sure it is Check to make sure it is Do not ask me for Assurance me, I can prove it’s me me on this device information if you know it’s me

Secure Remote Commerce is a catalyst that enables innovators to create compelling products and integrate simple and secure payments with interoperable interfaces defined within EMVCo

Onboarding and Registration Secure Remote Commerce is an evolution Enrolment of remote commerce that enables secure and interoperable payment acceptance from browser or applications based on dynamically created payload, SRC Issuing Bank Merchant Digital Wallets / Value Added Consumer / Device Aggregators Mobile Wallets Services Identity Managers checkout and common user experience based on specified messages

EMV® Secure Remote Commerce Specification for Common Integration BAU Authorisation

Cardholder Merchants / Digital Merchants / Wallets / Digital Payment Merchant and Acquiring Bank Payment Issuing Bank Shopping SRC Initiators Card Facilitators Network / SRC Intermediaries Network Applications System SRC Systems

Product Page Checkout Page Shipping Payment & Order & Confirmation Billing Review

3DS Authorisation

NOTE: The SRC Specification does not SRC Experience facilitated by SRC System mandate use or limit implementations Card Assurance & to a “Single Button”. Identity Selection Verification

Payment Required 3-D Secure Tokenisation Optional

Merchant experience varies by channel (web, mobile application, other technology) FOR ILLUSTRATIVE PURPOSES ONLY

• Oct 2017 – Publish SRC Technical Framework • Oct 2018 – SRC Specification v0.9 released to the public • Why Publish v0.9? – Present to a broader population from the payments community, technical/industry bodies, and merchants – Increase visibility of the spec to encourage participation – Allow for product roadmap and investment planning – Encourage more companies to participate at an associate level – Expedite the release of the SRC Spec to address market needs

*The timeline and dates presented are provisional and subject to change.

EMVCo Associates Programme provides:

Business Associates (59)

ANZ AsiaPay* Australian Payments Network* Bancomat Bank of America Bank of America Banque Populaire Caisse Bundesverband deutscher Barclaycard* Bankalararasi Kart Merkezi* Merchant Services d’Epargne Banken Carrefour Banque* Cartao Elo* Cartes Bancaires* Citi* Conexxus

Creditcall Ltd.* Credit Mutuel Dutch Payments Association EFTPOS Australia* equensWorldline

European Card Payment EURO 6000, S.A. European Payments Council Expedia* First Data* Association Financial Software & Global Payments, Inc.* Google* Interac* JP Morgan Chase* Systems (FSS) Merchant Advisory National Credit Card Center Merchant e-Solutions Microsoft* Moneris Solutions* Group (MAG) of R.O.C.* National Payments NSPK* PAN-Nordic Card Association* PASA Poste Italiane* Corporation of India* Saudi Arabian Monetary Redsys SHAZAM* SIA-SSB Soft Space* Authority* Sony Interactive Square* SRC Research* STET Stripe* Entertainment LLC* Swedbank Target The Clearing House* TSYS* U.S. Bank* Vantiv* Verve International* WIBMO* Worldpay* ^ Participation as of 3 October 2018 | * Denotes dual Associates: registered as TA and BA

Ant Financial Services Group AsiaPay* Australian Payments Network* Barclaycard* BKM, A.S.*

CA Technologies Carrefour Banque* Cartao Elo* Cartes Bancaires* Citi*

Consult Hyperion Creditcall Ltd.* CTC advanced GmbH EFTPOS Australia* Everi

Expedia* Feitian Technologies FIME First Data* FIS OTS Fujian LANDI Commercial Global Payments, Inc.* Google* Ingenico Terminals Intel Equipment Co. Interac* JP Morgan Chase* Micro Focus Microsoft* Modirum

National Payments Corporation Moneris Solutions* mSIGNIA National Credit Card Center of R.O.C.* Netcetera of India*

Nets DK NCR Financial Solutions Group NSPK* NTT DATA Corporation PAAY Panasonic Mobile PAN-Nordic Card Association* PAX Computer Technology Poste Italiane* Rambus Communications Saudi Arabian Monetary Sony Interactive Entertainment RSA SHAZAM* Soft Space* Authority* LLC* Square* SRC Research* Stripe* Thales Tencent

The Clearing House* ThreatMetrix Toshiba Global Commerce Solutions TRUXTUN Capital TSYS*

TTA TÜV SÜD UL U.S. Bank* Vantiv* Verifone Verve International* WIBMO* Worldpay* ^ Participation as of 3 October 2018 | * Denotes dual Associates: registered as TA and BA

Audio commentary is available to accompany these slides. View the ‘EMV SRC Presentation with Audio’ on the EMV SRC press kit page.