EMV® Secure Remote Commerce
What is Remote Commerce?
Remote Commerce: E-commerce, Online Payments, Digital Payments, Web-based Commerce
Copyright ©2017©2018 EMVCo – Confidential
When Does Remote Commerce Happen?
• During the checkout process a merchant asks a consumer to provide or select a payment method for a purchase
• Checkout may also include:
  – Verification of the cardholder and present the bill of sale
  – Delivery of information to enable the receipt of the purchased goods or services
Remote commerce happens at the checkout process
Challenges within the Industry Landscape
Remote commerce continues to grow worldwide with the popularity of online purchasing. However, it has become increasingly targeted and susceptible to compromise.
• Current environment has many different integration models which can be expensive and time intensive for merchants
• Variety of implementations result in fragmentation, complexity, and inconsistency
• Primary Account Numbers (PAN) entry, transmission and subsequent storage of live PAN introduces significant risk
Concerns with Remote Commerce
Each stakeholder needs to balance different concerns associated with payment card acceptance during a remote commerce checkout experience
Merchants
• User friction increases cart abandonment
• Online transactions carry increased risk
• Supporting multiple, unique payment solutions is expensive and time intensive
Consumers
• Concerned that account will be compromised
• Don’t have the same level of convenience (e.g. multi data entry) across multiple merchants
Secure Remote Commerce
Secure Remote Commerce (SRC) establishes the foundation to deliver a consistent consumer checkout experience while increasing simplicity and security
EMV® Secure Remote Commerce
• Creates a consistent, streamlined checkout environment for digital transactions
• Provides secure payment acceptance between a merchant site and the consumer device
• Supports a variety of consumer devices (phones, tablets, PCs, and IoT devices)
EMV® SRC Specification
EMVCo will develop and maintain the EMV Secure Remote Commerce Specifications to support remote transactions in a globally interoperable manner
Specification Features
• Provides interfaces to support secure exchanges of data between merchants and issuers to enable payment
• Defines UIs and APIs to enable predictable payment experiences
• Defines secure delivery methods of a payment payload to a merchant
• Defines a payment payload with valid payment credentials
• Supports the protection of transactions with dynamic data
• Does not impact the existing processes for authorisation
SRC Key Benefits
SRC benefits merchants, consumers, and all industry stakeholders by streamlining integration and facilitating innovation across new devices, channels and technologies
Merchants
• Potentially lowers shopping cart abandonment
• Simplifies integrations
• Supports the integration of new technologies
• Provides a choice of online checkout methods
Consumers
• Provides a choice of online checkout methods
• Delivers a consistent and secure consumer purchase experience across multiple merchants
Remote Commerce vs. Secure Remote Commerce
[Diagram: consumer interaction and payment information for three payment types, each leading into BAU authorisation (Merchant and Intermediaries, Acquiring Bank, Payment Network, Issuing Bank, Cardholder). Physical Payments: Physical Terminal, Payment Card. Remote Commerce: Merchant Website, Payment Card. Secure Remote Commerce: Merchant, Digital Card Selection, SRC System, Payment Information.]
Secure Remote Commerce Scope
As the development of the EMV® Secure Remote Commerce (SRC) Specification has progressed, it is critical to understand the intention/focus behind the specification and included annexes
SRC Specification Focus
✓ Preparation and assertion of the data to be passed along through existing transaction processing rails
✓ Consistency in payload to provide structure and ubiquity to help ease global integration
✓ Guidance / Clarity for how to connect with an SRC System
✓ Visual elements for incorporation to allow for customer recognition
Outside of SRC Specification Scope
• Changes to transaction processing
• Implementation mandates
• Restrictions on who can play which roles
• What the merchant experience looks like
• Compliance or policy requirements
Secure Remote Commerce Objectives
• Establish interoperable interfaces for all stakeholders to enable a consistent payment card specification for message content, transmission and security
• Deliver a consistent representation of the consumer account data to merchant
• Introduce Dynamic Data to protect the Payment Data through a scalable solution
• Providing transparency between the participants to facilitate Cardholder Authentication and Consumer Device identification
• Enable the integration of other EMV® specifications such as Payment Tokenisation and 3-D Secure authentication
• Minimise consumers' entry of their Payment Data by enabling consistent identification of the Consumer and the Consumer Device to minimise friction and potentially reduce abandonment during the payment experience
• Supporting common Consumer Verification to enable access to established Payment Data
SRC Participants and Roles
Functions, with Description and Typical Participant Examples:

SRC Programme
Description: Responsible for the policies and processes associated with the oversight of SRC participants within an SRC System
Typical Participant Examples:
• Any Payment System
• Global/ Regional/ Domestic
• Proprietary (Merchant, Issuer, other)

SRC System
Description: Orchestration of all technical activities between participants, manages the technical aspects of the SRC Programme
Typical Participant Examples:
• Payment Networks supporting Payment Systems

SRC Roles

Digital Shopping Application (DSA)
Description: A payment enabled application that facilitates the SRC consumer experience
Typical Participant Examples:
• Merchants
• Marketplace
• Hosted Order Page Provider

SRC Digital Card Facilitator (DCF)
Description: Provides consumers access to information for use during a commerce exchange
Typical Participant Examples:
• Wallets
• Browser
• Issuer
• Merchant

SRC Initiator (SRC I)
Description: Facilitates the collection and transmission of digital card and checkout information on behalf of a DSA to enable the initialisation of a payment
Typical Participant Examples:
• Merchant Service Providers

SRC Participating Issuer (SRC PI)
Description: Enrols the cardholder, PAN and authorisation related data
Typical Participant Examples:
• Issuers
Why EMV® Secure Remote Commerce?
[Diagram: Current Checkout Solutions (Single Provider Solutions and Multi-Provider Solutions) compared with EMV Secure Remote Commerce across the issuer, merchant, service provider, wallet and device domains. SRC Roles shown: Digital Shopping Application, SRC Initiator, SRC System, Digital Card Facilitator, SRC Participating Issuer.]
Copyright ©2017©2018 EMVCo – Unauthorised reproduction is prohibited
EMV® SRC Addresses Gaps of Many Single Provider Solutions
Current Gaps
- Fragmented: Varied Experiences
- Potential Risk: PAN Exposure
- Lack of Scale: Single Provider
- One-off Solutions: Merchant by Merchant
EMV SRC
+ Common: Common Experience
+ Secure: Dynamic Data; Assurance
+ Scalable: Ubiquitous
+ 360° Solution: Consistent Implementation
Achieves
• Higher Cart Conversion & More Engagement
• Higher Authorisation Rates & Low Fraud Losses
• Higher Adoption
• Lower Cost of Integration & Higher Acceptance Rates
• Scale is fundamental to the effectiveness of solutions
• Innovation in payment technologies mostly affects merchant-facing functions in the value chain
• Integration of each new data source is resource and time consuming
• Convenience over security is not an acceptable tradeoff for consumers and all want access to all their existing cards
EMV® SRC enables a Spectrum of Solutions
Individual SRC Programmes in conjunction with SRC Systems’ participation may offer a spectrum of solutions for consumers from anonymity to full convenience.
Consumer Experience Spectrum
Consumers may want different experiences based on their confidence in the solution providers

Guest
• Frequency: One Time
• Recognition: Enrol with Issuer but do not store my information
• Assurance: I can prove it is my card

Device Agnostic
• Frequency: Repeat User
• Recognition: Enrol but do not remember/track me (no device recognition)
• Assurance: Check to make sure it is me, I can prove it’s me

Device Specific
• Frequency: Repeat User
• Recognition: Enrol and remember me on this device
• Assurance: Check to make sure it is me on this device

Frictionless
• Frequency: Repeat User
• Recognition: Enrol and remember me on this device
• Assurance: Do not ask me for information if you know it’s me
SRC Specification Enabling an Ecosystem
Secure Remote Commerce is a catalyst that enables innovators to create compelling products and integrate simple and secure payments with interoperable interfaces defined within EMVCo
Secure Remote Commerce is an evolution of remote commerce that enables secure and interoperable payment acceptance from browser or applications based on dynamically created payload, SRC checkout and common user experience based on specified messages
[Diagram: Onboarding and Registration / Enrolment participants (Issuing Bank, Merchant Aggregators, Digital Wallets / Mobile Wallets, Value Added Services, Consumer / Device Identity Managers) connect through the EMV® Secure Remote Commerce Specification for Common Integration. Flow: Cardholder, Merchants / Digital Shopping Applications, Merchants / SRC Initiators, Wallets / Digital Card Facilitators, Payment Network / SRC Systems, then BAU Authorisation through Merchant and Intermediaries, Acquiring Bank, Payment Network and Issuing Bank.]
SRC in Context of Merchant Environment version 1.0
[Diagram: merchant checkout flow covering Product Page, Checkout Page, and the Shipping, Billing, Payment, Order Review and Confirmation steps, followed by 3DS and Authorisation. The SRC Experience facilitated by SRC System covers Card Selection and Assurance & Identity Verification. Legend: Payment Tokenisation, 3-D Secure, Required, Optional.]
NOTE: The SRC Specification does not mandate use or limit implementations to a “Single Button”.
Merchant experience varies by channel (web, mobile application, other technology)
FOR ILLUSTRATIVE PURPOSES ONLY
SRC Specification Release Update
• Oct 2017 – Publish SRC Technical Framework
• Oct 2018 – SRC Specification v0.9 released to the public
• Why Publish v0.9?
  – Present to a broader population from the payments community, technical/industry bodies, and merchants
  – Increase visibility of the spec to encourage participation
  – Allow for product roadmap and investment planning
  – Encourage more companies to participate at an associate level
  – Expedite the release of the SRC Spec to address market needs
*The timeline and dates presented are provisional and subject to change.
EMVCo Associates Programme (EAP)
EAP Connects EMVCo to Industry Leaders
EMVCo Associates Programme provides:
Current EMVCo Business Associates
Business Associates (59)
ANZ; AsiaPay*; Australian Payments Network*; Bancomat; Bank of America; Bank of America Merchant Services; Banque Populaire Caisse d’Epargne; Bundesverband deutscher Banken; Barclaycard*; Bankalararasi Kart Merkezi*; Carrefour Banque*; Cartao Elo*; Cartes Bancaires*; Citi*; Conexxus; Creditcall Ltd.*; Credit Mutuel; Dutch Payments Association; EFTPOS Australia*; equensWorldline; European Card Payment Association; EURO 6000, S.A.; European Payments Council; Expedia*; First Data*; Financial Software & Systems (FSS); Global Payments, Inc.*; Google*; Interac*; JP Morgan Chase*; Merchant Advisory Group (MAG); Merchant e-Solutions; Microsoft*; Moneris Solutions*; National Credit Card Center of R.O.C.*; National Payments Corporation of India*; NSPK*; PAN-Nordic Card Association*; PASA; Poste Italiane*; Redsys; Saudi Arabian Monetary Authority*; SHAZAM*; SIA-SSB; Soft Space*; Sony Interactive Entertainment LLC*; Square*; SRC Research*; STET; Stripe*; Swedbank; Target; The Clearing House*; TSYS*; U.S. Bank*; Vantiv*; Verve International*; WIBMO*; Worldpay*
^ Participation as of 3 October 2018 | * Denotes dual Associates: registered as TA and BA
Current EMVCo Technical Associates
Technical Associates (69)
Ant Financial Services Group; AsiaPay*; Australian Payments Network*; Barclaycard*; BKM, A.S.*; CA Technologies; Carrefour Banque*; Cartao Elo*; Cartes Bancaires*; Citi*; Consult Hyperion; Creditcall Ltd.*; CTC advanced GmbH; EFTPOS Australia*; Everi; Expedia*; Feitian Technologies; FIME; First Data*; FIS OTS; Fujian LANDI Commercial Equipment Co.; Global Payments, Inc.*; Google*; Ingenico Terminals; Intel; Interac*; JP Morgan Chase*; Micro Focus; Microsoft*; Modirum; Moneris Solutions*; mSIGNIA; National Credit Card Center of R.O.C.*; National Payments Corporation of India*; Netcetera; Nets DK; NCR Financial Solutions Group; NSPK*; NTT DATA Corporation; PAAY; Panasonic Mobile Communications; PAN-Nordic Card Association*; PAX Computer Technology; Poste Italiane*; Rambus; RSA; Saudi Arabian Monetary Authority*; SHAZAM*; Soft Space*; Sony Interactive Entertainment LLC*; Square*; SRC Research*; Stripe*; Thales; Tencent; The Clearing House*; ThreatMetrix; Toshiba Global Commerce Solutions; TRUXTUN Capital; TSYS*; TTA; TÜV SÜD; UL; U.S. Bank*; Vantiv*; Verifone; Verve International*; WIBMO*; Worldpay*
^ Participation as of 3 October 2018 | * Denotes dual Associates: registered as TA and BA
Thank You!
For more information visit www.emvco.com or join us on LinkedIn
Audio commentary is available to accompany these slides. View the ‘EMV SRC Presentation with Audio’ on the EMV SRC press kit page.