Glossary

October 18, 2022

Secure Remote Commerce

SRC provides consumers with a digital wallet where they can store all their credit card details. It attempts to address some of the disadvantages of Card on File (COF) payments by ensuring that credit card details are always up-to-date and provides consumers with a single unified platform to manage their payments.

Secure Remote Commerce was recently introduced by EMVCo (owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa) as a means of unifying online credit card payments. Marketed to consumers as “Click to Pay”, SRC provides consumers with a digital wallet where they can store all their credit card details. It attempts to address some of the disadvantages of Card on File (COF) payments by ensuring that credit card details are always up-to-date and provides consumers with a single unified platform to manage their payments.

Merchants need to actively participate in SRC to be able to offer Click to Pay on their websites. Consumers can enroll for the service using several methods: creating a profile at checkout, adding cards on the card scheme’s website, or enrolling through the card issuer’s website or app.

SRC is based on network tokenization, which ensures that sensitive credit card details are not stored locally. Instead, credit card details are stored by the credit card schemes in a secure vault and merchants are instead issued a so-called token to be used in transactions instead. The token provides a reference to the payment details stored in the secure vault, and contains no sensitive data itself. Tokens are device or merchant-specific. This means that in the case of a data breach, no sensitive credit card information is leaked. Tokens from one merchant also cannot be used on any other platform because they are merchant-specific. This is not the case if credit card details themselves are exposed, as the PAN can be used at any merchant that accepts the card.

In order to be able to offer Click to Pay (the name used to market SRC to consumers), merchants need to sign up to participate in the program. Credit card details are only stored in a secure vault hosted by the credit card schemes themselves. Each merchant can request a so-called token that is unique for each merchant. Merchants store this token locally to facilitate Card on File (COF) transactions (e.g. for returning customers or subscriptions). When requesting a payment, the merchant simply forwards the token to the credit card schemes who can then translate the token into the actual credit card details and charge the corresponding card.

Besides storing the token used to process payments, merchants can also display so-called card art, which displays a graphical representation of the consumer’s card including the last 4 digits of the PAN, making it easy to identify the correct card when making a payment.

For a more detailed explanation, please refer to the credit card schemes themselves, e.g. Mastercard.

EMVCo is privately owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, 5 major credit card schemes. EMVCo was founded in 1999 to manage EMV specifications that facilitate credit card payments globally and to promote secure technology designed to reduce credit card fraud. Secure Remote Commerce (SRC) (aka Click to Pay) was introduced recently to further these aims and to provide a unified authentication method across the card schemes.