Glossary

Q: How does SRC improve the security of credit card payments?

SRC is based on network tokenization , which ensures that sensitive credit card details are not stored locally. Instead, credit card details are stored by the credit card schemes in a secure vault and merchants are instead issued a so-called token to be used in transactions instead. The token provides a reference to the payment details stored in the secure vault, and contains no sensitive data itself. Tokens are device or merchant-specific. This means that in the case of a data breach, no sensitive credit card information is leaked. Tokens from one merchant also cannot be used on any other platform because they are merchant-specific. This is not the case if credit card details themselves are exposed, as the PAN can be used at any merchant that accepts the card.

October 18, 2022

Secure Remote Commerce

SRC provides consumers with a digital wallet where they can store all their credit card details. It attempts to address some of the disadvantages of Card on File (COF) payments by ensuring that credit card details are always up-to-date and provides consumers with a single unified platform to manage their payments.

What is Secure Remote Commerce (SRC)?

Secure Remote Commerce was recently introduced by EMVCo (owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa) as a means of unifying online credit card payments. Marketed to consumers as “Click to Pay”, SRC provides consumers with a digital wallet where they can store all their credit card details. It attempts to address some of the disadvantages of Card on File (COF) payments by ensuring that credit card details are always up-to-date and provides consumers with a single unified platform to manage their payments.

Merchants need to actively participate in SRC to be able to offer Click to Pay on their websites. Consumers can enroll for the service using several methods: creating a profile at checkout, adding cards on the card scheme’s website, or enrolling through the card issuer’s website or app.

How does SRC improve the security of credit card payments?

SRC is based on network tokenization, which ensures that sensitive credit card details are not stored locally. Instead, credit card details are stored by the credit card schemes in a secure vault and merchants are instead issued a so-called token to be used in transactions instead. The token provides a reference to the payment details stored in the secure vault, and contains no sensitive data itself. Tokens are device or merchant-specific. This means that in the case of a data breach, no sensitive credit card information is leaked. Tokens from one merchant also cannot be used on any other platform because they are merchant-specific. This is not the case if credit card details themselves are exposed, as the PAN can be used at any merchant that accepts the card.

How does SRC work?

In order to be able to offer Click to Pay (the name used to market SRC to consumers), merchants need to sign up to participate in the program. Credit card details are only stored in a secure vault hosted by the credit card schemes themselves. Each merchant can request a so-called token that is unique for each merchant. Merchants store this token locally to facilitate Card on File (COF) transactions (e.g. for returning customers or subscriptions). When requesting a payment, the merchant simply forwards the token to the credit card schemes who can then translate the token into the actual credit card details and charge the corresponding card.

Besides storing the token used to process payments, merchants can also display so-called card art, which displays a graphical representation of the consumer’s card including the last 4 digits of the PAN, making it easy to identify the correct card when making a payment.

For a more detailed explanation, please refer to the credit card schemes themselves, e.g. Mastercard.

Who/what is EMVCo?

EMVCo is privately owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, 5 major credit card schemes. EMVCo was founded in 1999 to manage EMV specifications that facilitate credit card payments globally and to promote secure technology designed to reduce credit card fraud. Secure Remote Commerce (SRC) (aka Click to Pay) was introduced recently to further these aims and to provide a unified authentication method across the card schemes.

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	_fm	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	cf_clearance	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	_ga	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	2 years
Google Ireland Limited	_gid	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	24 h
Google Ireland Limited	_gat_ua-keynumber	Analytical cookie set by the service Google Analytics used to throttle the request rate, limiting the collection of data on Websites with high traffic.	Session
Google Ireland Limited	_ga_container-id	Cookie set by the service Google Analytics 4. The cookie is used to persist session state.	12 month
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	_lfa	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months

Partner	Name	Description	Duration
Google Ireland Limited	_gcl_au	Conversion-cookie set by the service Google Ads for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners.	3 months
Google Ireland Limited	_gac_gb_container-id	Cookie which connects Google Analytics und Google Ads. Google Ads website conversion tags will read this cookie.	90 days
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. In general, the cookie in the relevant domain and your IP address are passed to Microsoft with every http request and not just via UET.	13 months