Just when retail treasurers seemed to be getting their minds wrapped around EMV chip cards, they now find themselves facing a new security challenge—EMV Secure Remote Commerce (SRC). Attendees of the 2019 AFP Retail Roundtable weighed in on the issues surrounding SRC.
EMVCo developed SRC with the intent of creating a “virtual payment terminal.” It consists of specifications that would enable more secure e-commerce transactions over multiple remote-checkout environments and consumer devices.
EMV chip cards have had success reducing counterfeit fraud at point-of-sale (POS) terminals. However, until now, no such security specifications have been adopted for remote commerce. With remote commerce steadily becoming a more enticing target for cybercriminals, EMVCo saw the need to establish common specifications that protect stakeholders.
Although many retail apps have implemented card-on-file methodology, the basic method of delivery of payment cards tends to be insecure and unauthenticated. “While account data storage standards such as Payment Card Industry Data Security Standards (PCI DSS) have been a staple in this environment, there is no common specification to address the functional interactions and transmission of data between the participants,” EMVCo explained.
Even as retail data breaches have made national news, consumers are constantly entering payment data on multiple retail sites and apps, making fraud attempts much easier for bad actors. SRC equips retailers with a universal buy button on their checkout pages. In addition to making the online payment process more secure, it also makes it more convenient, as consumers don’t have to enter their card information for every new site or app where they make a purchase.
“From a consumer standpoint, this looks to be a good thing, especially if you don’t like to sign up for new accounts for each store,” said Magnus Carlsson, AFP’s manager of treasury and payments. “This should also be able to help retailers’ chargeback issues in the long run.”
CHALLENGES FOR MERCHANTS
But while SRC does allow for a safer and more streamlined online checkout experience, getting it up and running has been a challenge for retailers.
“I see this being good for consumers, and it’s good that the card networks have agreed on the same standard. But retailers have been facing a lot of pain points with this,” Carlsson said.
An assistant treasurer for a major quick service restaurant (QSR) chain noted that to adopt the technology, retailers need to have an SRC Integrator (SRCI), which currently they can only get from Visa or MasterCard. “And [Visa and MasterCard] force you to do certain things that you may not want to do,” she said.
Right now, retailers who don’t have Visa Checkout, Masterpass or American Express Checkout have some time to determine how they want to adopt SRC. But merchants that already have these checkout functions don’t have a choice. “We already have Masterpass and Visa Checkout on our app,” said the assistant treasurer. “And Visa Checkout is automatically converting to SRC in September. MasterCard is doing it a little differently; you have to do some very minor changes to your URL. But if you accept both of them, you have to make a decision whether you’re going to automatically convert Visa, or get rid of Visa and just convert Masterpass. It’s just a lot of decisions and both of them have little tweaks.”
Along with the enrollment questions, merchants are also uneasy about a particular aspect of SRC once it’s been implemented. “Once you have the button, a consumer can enroll during checkout,” the assistant treasurer said. “It redirects them out of your site or app, so there’s a fear of abandonment from the customer. That’s the part that merchants really don’t like.”
Merchants with branded credit cards also have an issue with the checkout process. When enrolled customers go to pay, the cards they have on file will come up and they can select whichever one they want to pay with. However, the cards are displayed according to the last one used. Merchants with branded cards would obviously want their own card to come up first, but that’s not going to happen unless the customer’s last purchase was also from their site or app.
One particularly controversial issue with SRC has been card-on-file tokenization. Visa and MasterCard want to use their own token service providers, VTS and MDES, giving them more control over transactions. The Merchant Advisory Group told the NFC Times last year that this practice could allow Visa and MasterCard to circumvent the Durbin Amendment, which requires debit card issuers to support at least two unaffiliated debit networks for transactions.
The assistant treasurer agreed. “It impairs merchants’ ability to route debit transactions,” she said. “So if you currently route your online transactions for better pricing, it could impede that. So merchants are upset about that.”
Lastly, there’s also the question of what party is legally held responsible when fraud occurs. Retailers will remember that the EMV liability shift, which went into effect in 2015, put them on the hook for fraudulent card transactions if they didn’t adopt EMV technology. In the case of SRC, retailers aren’t sure whether they are liable or not. “They're being very coy on the fraud liability shift with SRC,” the assistant treasurer said. “I think merchants are still responsible for fraud.”