[Editor’s Note: Recently, Card Not Present ran a guest article authored by payments and fraud analyst Justin Staskiewicz raising concerns about Secure Remote Commerce—a standardized checkout process in development by EMVCo. In hopes of starting a dialogue to address this concern, Card Not Present invited EMVCo to share its perspective on the issue. We encourage our merchant readers and other industry stakeholders to provide feedback to EMVCo using the link at the end of this article.]
By Brian Byrne, Director of Operations, EMVCo
The EMV Secure Remote Commerce (SRC) Specifications offer the potential to address common challenges within the remote commerce environment, promoting an easy, smart checkout experience for consumers. In addition to streamlining the customer experience, the EMV SRC Specifications offer flexibility to allow third-party implementations to deploy interoperable solutions that also address local needs, comply with legal and regulatory requirements, add enhanced security controls, and allow for features and functions that are not specified in the documents.
As the technical body developing, managing and evolving EMV Specifications, EMVCo plays an important role in bringing together stakeholder interests among payment industry participants. An example of this in the remote commerce space is the creation of the Web Payment Security Interest Group by EMVCo, the FIDO Alliance and World Wide Web Consortium (W3C) to focus on enhancing security and interoperability of web payments. EMVCo, however, is not engaged in specification implementation.
EMV SRC Specifications and Security
The EMV SRC Specifications provide the overall architecture, server-side API specifications and an SDK specification. Each of these offers levels of optionality for implementers of the specifications to add security layers based on the SRC solution provider’s own security requirements and risk controls. The baseline security requirements, principles and guidelines ensure stability across borders and create an international barrier against payment fraud, while still allowing individual SRC solution providers to add security features and adapt to new threats in the security ecosystem.
Device fingerprinting is a technique broadly used to identify an electronic device on the internet. A cookie stored by a browser may be one component of this identification process. Unauthorised access to cookie data, and its subsequent fraudulent reuse, is a known risk that appears in a number of scenarios beyond payment.
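The paragraph above treats a browser cookie as one input to device identification and names cookie theft as the risk. The following is an added example, written for this page and not code from EMVCo or from any SRC specification or implementation, showing one common mitigation pattern on the server side: the cookie value is an HMAC-signed token that embeds a hash of the device attributes it was issued to, so a copied cookie presented from a device with different attributes is rejected, and the cookie itself is sent with `Secure`, `HttpOnly` and `SameSite` attributes. The attribute set, the key handling and the function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side signing key. A real deployment would load it from a key-management
# system and rotate it; a fresh random key per process is used here only so the example runs.
SERVER_KEY = secrets.token_bytes(32)


def fingerprint_hash(attrs: dict) -> str:
    """Reduce a dictionary of device attributes to a stable hash.

    The attributes are canonicalised (sorted keys, compact separators) before hashing so that
    the same device always yields the same digest regardless of dictionary ordering.
    """
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def issue_token(device_attrs: dict, key: bytes = SERVER_KEY) -> str:
    """Create a cookie value bound to the issuing device: <payload>.<hmac>.

    The payload carries a random nonce (so two tokens for the same device differ) and the
    fingerprint hash of the device the token was issued to.
    """
    payload = {"nonce": secrets.token_hex(16), "fp": fingerprint_hash(device_attrs)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, presented_attrs: dict, key: bytes = SERVER_KEY) -> bool:
    """Accept the token only if its signature is valid AND it was issued to this device.

    A cookie copied from another browser fails the second check even though the signature is
    intact, which is the point of binding the token to device attributes.
    """
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    padded = body + "=" * (-len(body) % 4)
    try:
        payload = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, json.JSONDecodeError):
        return False
    return hmac.compare_digest(payload.get("fp", ""), fingerprint_hash(presented_attrs))


def set_cookie_header(name: str, value: str, max_age: int = 900) -> str:
    """Build a Set-Cookie header with the attributes that limit cookie exposure.

    Secure: only sent over HTTPS. HttpOnly: not readable by page scripts. SameSite=Strict: not
    sent on cross-site requests. A short Max-Age limits how long a stolen copy stays usable.
    """
    return f"{name}={value}; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age={max_age}"


if __name__ == "__main__":
    # Constructed sample device attributes, not real client data.
    issuing_device = {"ua": "ExampleBrowser/1.0", "lang": "en-US", "screen": "1920x1080"}
    other_device = {"ua": "ExampleBrowser/1.0", "lang": "fr-FR", "screen": "1366x768"}
    token = issue_token(issuing_device)
    print(set_cookie_header("src_session", token))
    print("same device accepted:", verify_token(token, issuing_device))
    print("copied cookie from other device accepted:", verify_token(token, other_device))
```

Binding to device attributes is a layered control, not a complete one: attributes such as the user agent change on browser updates, so a production system pairs this check with a re-authentication path rather than hard failure, and chooses attributes that are stable for the device but not trivially guessable by whoever holds the stolen cookie.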
As EMV SRC is a recently launched specification, we welcome, encourage and expect technical feedback from the industry so it develops and matures in a manner that supports the marketplace.
EMVCo is committed to reviewing the remote payment space and will update the specification with additional security controls as necessary—our work is not static. We recognise that as SRC products come to market and are implemented, many questions on ‘how’ SRC operates will begin to be addressed.
To provide feedback and ask questions, please contact EMVCo through its ‘online query’ form on the EMVCo website so that they can be effectively addressed and a timely response provided.