The SRC Express

A network-sponsored spec for streamlined digital payments rolls toward implementation later this year, promising cleaner checkouts but also stirring questions about how it will work.

Remember all the excitement last spring about a so-called common buy button the major card networks were working on (“The Shared Checkout’s Slow Check-in,” June)? Well, that concept—faster, easier, and more secure online checkout—is now much closer to reality. And while the Secure Remote Commerce specification was understood to apply to e-commerce, the clearer picture that has emerged in recent months indicates the spec will apply also in emerging technologies like the Internet of Things and voice commerce.

What has also become clear is that the networks aren’t the only parties trying to work out a better consumer experience online. A technical body called the World Wide Web Consortium has been designing a specification for browser-based payments not just from cards but also from bank accounts. Alphabet Inc.’s Google unit has already adopted it, with more deployments in the works.

Now the two specs are barreling toward the finish line on parallel rails, and experts are starting to sweat the details on how they will interact.

So when will the SRC, shared check-in and all, become a commercial reality? American Express Co. says it will have something in the market by the middle of the year. Visa Inc. likewise says first half of 2019. But this is a complicated enterprise.

“We’re only at the spec level. Nobody has developed the actual application,” says Thad Peterson, a senior analyst who follows digital payments at Aite Group LLC, a Boston-based consultancy. “I think we’ll see an execution [this] year. I don’t think we’ll see scale.”

And skeptics fret that SRC could pose serious challenges. “The question remains with implementation. That’s where we have fears,” says Laura Townsend, senior vice president of operations at the Merchant Advisory Group, a payments-focused trade association for the nation’s biggest retail chains and airlines.

‘Tons of Questions’

SRC is the brainchild of EMVCo, the standards body run by six big card networks, including American Express, Discover, Mastercard, and Visa. In coordinated fashion, the networks released a close-to-finished SRC spec, dubbed version 0.9, in October and asked for comment, setting a Dec. 3 deadline. And, in an unusual move, EMVCo allowed entities submitting comments to indicate whether they wanted them to be public or private. Visa says about 130 comments had been submitted by the deadline, but at the time of this writing the public comments had not yet been posted.

Based on the submissions he had seen by early December, “There were no big surprises,” says TS Anil, global head for payment products and platforms at Visa. “We’re feeling pretty good about the process and the feedback to it.”

SRC represents an ambitious effort to fix two glaring problems in e-commerce: clunky checkouts and rising fraud. Both problems, observers say, are only getting worse.

The degree of difficulty and confusion besetting consumers once they proceed to eheckout is important because for some consumers the slightest inconvenience can result in cart abandonment. The overall average abandonment rate varies by source, but most sources put it at well over 60%, though it’s typically higher on mobile phones than on desktop machines.

SRC seeks to fix this problem with a smoother flow and a swifter checkout based on card credentials and shipping information already enrolled by the consumer. The spec envisions a cleaner checkout screen featuring not the usual jumble of buy buttons but a single SRC button that would lead to the registered card or to other choices enrolled by the consumer.

The result, say the networks, should be less frustration and a higher completion rate at checkout. “It’s incredibly hard to put numbers on it, but we certainly expect abandonment rates to drop,” says Anil, though not all at once. “It will be a buildup,” he cautions, though he points with optimism to how the spec will make for sleeker transactions in emerging technologies like the IoT.

“The next two-to-five years is the real journey,” says Anil. “There will be new form factors. Ultimately, any digital experience [should incorporate SRC].”

Given that many of the common causes of abandonment relate to the checkout, he could be right. But observers aren’t so sure. “The process flow is pretty complex,” warns Aite’s Peterson. “I still have tons of questions about how this is going to work.”

Indeed, SRC may well reduce some of the clutter but not all of it, he argues, since it applies only to the major card systems. Non-EMVCo payment systems, such as PayPal or Amazon, aren’t contemplated in the spec.

Dodgy Transactions

Nor can anyone be sure how well SRC will tackle fraud until it has been fully deployed. Losses from dodgy transactions have long been a problem in online commerce, but they have grown worse in recent years with the U.S. rollout of EMV chip technology in physical stores.

A study out last month from Lexis-Nexis Risk Solutions, for example, found a 35% increase in just one year in fraud attempts at online stores.

EMVCo has already updated its online authentication standard, 3-D Secure, to make it much more sophisticated and less likely to interfere with merchants’ interaction with customers. SRC now adds a tokenization regime that will mask card credentials with randomized bits of code.

That reliance on tokens, though, is what has some merchants concerned. They’re not worried so much about the spec itself, but rather with business rules applying to SRC transactions.

For example, network rules concerning tokens could interfere with merchants’ freedom to route debit transactions to the network of their choice, argues the MAG’s Townsend, if the rules prevent outside networks from receiving access to the full set of security control validation and PAN data in the detokenization response provided by the payment network.

“We shouldn’t have to choose between security and our routing rights,” she says.

Visa’s Anil argues this is a non-issue. “That should not be a concern,” he says. “Visa is tokenizing the transaction, we’re standing by the security.” Cases where networks can’t decipher the credentials behind a transaction also shouldn’t occur, he says, as merchants “get the associated data.”

The Other Spec

But the SRC spec isn’t the only blueprint looking to enable sleeker and more secure transactions online. The major networks are also participating in the Web Payments Working Group, a committee formed in 2015 by the World Wide Web Consortium, or W3C, as it’s known, to create a standard for browser-based payments.

The group, which also comprises tech companies and financial institutions, is looking to exploit the insight that browsers already serve as repositories of multiple bits of information, including shipping addresses and sometimes payment data.

But while the SRC and W3C specs have a common objective, the latter’s scope is broader, as it would enable payments based on both non-card and card information.

“We’d like to support methods like cryptocurrency and Klarna, for example, though we include card payments,” says Ian Jacobs, a W3C spokesman.

At the same time, the W3C initiative is limited to the Web, while the SRC spec contemplates environments not necessarily dependent on the Web. Where the two initiatives intersect, then, is where they might find scope to work together, Jacobs adds.

The W3C spec contemplates two application programming interfaces, a Payment Request API and a Payment Handler API. The former issues a call for payment credentials, shipping data, and contact information that can be interpreted and fulfilled by the Payment Handler, typically a digital wallet.

The Payment Request API has already been adopted by Google’s Chrome browser, while the Handler API is expected later this year. A proto­type of the complete system should be in place by year’s end, Jacobs says.

How Many Wrinkles?

How to get the two specs to work together is the next question. “We will see experiments with SRC in 2019,” Jacobs predicts. Much needs to be worked out yet, but one possible scenario, he says, involves the user selecting a card in the Payment Handler, which would call out to the SRC environment for data that it would then pass on to the browser.

“We’re still very much in discussions” with the SRC initiative, Jacobs cautions.

The good news out of all of this for the payments business is that, one way or another, smoother, more secure e-commerce is coming. How soon will depend on how many wrinkles need to be ironed out, and how big an iron will be required.