EMV Secure Remote Commerce – Device Fingerprint Security Statement

EMV Secure Remote Commerce – Device Fingerprint Security Statement

September 5, 2019

[Editor’s Note: Recently, Card Not Present ran a guest article authored by payments and fraud analyst Justin Staskiewicz raising concerns about Secure Remote Commerce—a standardized checkout process in development by EMVCo. In hopes of starting a dialogue to address this concern, Card Not Present invited EMVCo to share its perspective on the issue. We encourage our merchant readers and other industry stakeholders to provide feedback to EMVCo using the link at the end of this article. ]

 By Brian Byrne, Director of Operations, EMVCo

The EMV Secure Remote Commerce (SRC) Specifications offer the potential to address common challenges within the remote commerce environment, promoting an easy, smart checkout experience for consumers. In addition to streamlining the customer experience, the EMV SRC Specifications offer flexibility to allow third-party implementations to deploy interoperable solutions that also address local needs, comply with legal and regulatory requirements, add enhanced security controls, and allow for features and functions that are not specified in the documents.

As the technical body developing, managing and evolving EMV Specifications, EMVCo plays an important role in bringing together stakeholder interests among payment industry participants. An example of this in the remote commerce space is the creation of the Web Payment Security Interest Group by EMVCo, the FIDO Alliance and World Wide Web Consortium (W3C) to focus on enhancing security and interoperability of web payments. EMVCo, however, is not engaged in specification implementation.

EMV SRC Specifications and Security

The EMV SRC Specifications provide the overall architecture, server-side API specifications and an SDK specification. Each of these offers levels of optionality for implementers of the specifications to add security layers based on the SRC solution provider’s own security requirements and risk controls. The baseline security requirements, principles and guidelines ensure stability across borders and create an international barrier against payment fraud, while still allowing individual SRC solution providers to add security features and adapt to new threats in the security ecosystem.

Device Fingerprinting

Device fingerprinting is a technique broadly used to identify an electronic device on the internet. A cookie stored by a browser may be one component of this identification process. The ability to maliciously access cookie data without permission and use it fraudulently is a known risk and is apparent in a number of scenarios beyond payment. 

In acknowledgement of this, EMV SRC Specifications do not require that implementations use cookies to achieve device identification. Furthermore, when cookies are used, there is no expectation that a cookie forms the central part of the actual end-user recognition mechanism as this is again an implementation choice. Each SRC solution provider would assess the risk profile and mitigate accordingly. For example, if an SRC solution provider determined that there was insufficient or incorrect device identification data, another form of cardholder authentication would be required.

Industry Feedback

As EMV SRC is a recently launched specification, we welcome, encourage and expect technical feedback from the industry so it develops and matures in a manner that supports the marketplace.

EMVCo is committed to reviewing the remote payment space and will update the specification with additional security controls as necessary—our work is not static. We recognise that as SRC products come to market and are implemented, many questions on ‘how’ SRC operates will begin to be addressed.

To provide feedback and ask questions, please contact EMVCo through its ‘online query’ form on the EMVCo website so that they can be effectively addressed and a timely response provided.

If you would like to learn more about EMV SRC, please download the press kit and visit the technology page at www.emvco.com.  

Previous-Article-CNP  Next-Article-CNP

Merchants Concerned by Potential Security Gap in EMVCo’s Secure Remote Commerce






  • Share this Article:
DJ Murphy

Lastest Fraud News