SRC and W3C

I don’t like being a long toothed payment historian…. So please pardon my reluctance here… and let me know of any errors.

My Previous Blogs on Topic


  • EMVco is a payment network standards group.. only the networks belong. Things like EMV and 3DS, come out of this body.
  • EMVCo announced Secure Remote Commerce (SRC) back last year (see this great Digital Transaction article)
  • Banks and networks win when there is consistency and consumer trust. EMVCo established consistency in acceptance at the POS (see example), but banks largely “missed” the opportunity to play role in eCommerce.
  • Important to note that EMVCo standards involve CERTIFICATION. In other words Verifone, Ingenico, Square,First Data all submit devices (and solutions) for certification to networks.
  • In 2006/2007 Visa and MA rolled out 3DS (VBV/MSC) in UK. 3DS was a [broken] EMVCo standard. These services did not come to US.. for good reason. They were rife with fraud.. and the liability shift put the pressure on banks to manage it without any tools to do so. Thus the only issuer option was to decline any transaction (or merchant) that was suspicious. This is the WORST of all merchant nightmares.. Implement a standard, interrupt the consumer checkout process (with a pop up from a 3rd party URL) and then decline the transaction. After this “lesson” they began to think about owning the consumer experience (hence the birth of Checkout and Masterpass)
  • The market caps of Paypal, Stripe, Adyen, … are all built on this network miss… and there is now uniform agreement between networks that a common standard for ECOMMERCE acceptance will help all equally. eCommerce certainly included browser based payments…. but also “in App” and anything else that rides as CNP in mobile/computer paradigm (not telephone payments)
  • Visa Checkout and Mastercard’s Masterpass are complete failures. If there are 100,000 consumers active on either one I would be amazed. Did you notice that the stellar Visa Checkout advertisements were gone from the olympics (the marketing was great).
  • The “proven” network success is when they own platform and common standards (staying away from the consumer experience).
  • The W3C has implemented a new browser based “payment” standard with support of Google and Microsoft. Think of the browser as a wallet with ability to pass a credential. Key point here is that APPLE AND GOOGLE OWN THE CONSUMER EXPERIENCE.. they need support on the back end (tokenization, liability shift, rate reduction). See
  • The “best experience” in online checkout today is now owned by Apple (Apple Pay in App and in Browser) and Google’s GPay (supported by the W3C standards). Apple and Google have created a new “standard” consumer payment experience for Mobile, and eCommerce (in browser). These experiences “ride” on Network Services (ie VTS/MDES), but are owned and controlled by the platforms.
  • eCommerce is a VERY VERY CONCENTRATED market. With 8 key players in the US: Chase Payment Tech (processes 70% of eCom volume), Amazon, Google, Apple, Paypal, Stripe, Walmart.

My analysis

SRC would have been a home run.. if delivered 11 yrs ago. W3C allows a single “Buy button” that is controlled by the browser. Apple has a single buy button controlled by Apple.  There must be a carrot for merchants, acquirers and platforms to take this up.. for example certifying the SRC standards in the existing VBV/MSC rate tiers (liability shift + 10bps reduction in interchange).

Perhaps the most perplexing (and recent) development is that Google (GPay) built direct custom integrations to each processor to support token exchange with acquirers. This allows them to circumvent the networks own tokenization services, and keep COF. No one will give up Cards on File without an economic value exchange.

While Paypal may face some threat because of Google/Apple efforts, I don’t see merchant uptake on this without VBV/MSC certification. Given the leadership of the front end experience already in place (ie Google/Apple/W3C), SRC will most likely evolve to token exchange standards that support W3C and Apple. SRC is a great move by the networks.. but now that they all agree .. they must get the rest of the industry on board. Unfortunately the incentives that need to exist come out of the pocket of issuers.

The key open question for me.. is how to “manage” tokenization of cards on file, as each issuer has the control over whether to tokenize or not. This is THE KEY ITEM that must be addressed. Will there be “network tokens” AND issuer tokens? Will w3C morph into a quasi wallet which must be permissioned by each issuer?  Google/Apple have none of these problems today.. and are not likely to jump in until they are resolved.. PLUS a carrot.


I would greatly encourage the networks to be aggressive in their leadership here. While issuers will balk at moving away from CNP revenue (and a liability shift), the threats to Cards are real (paypal, Alipay, Google, Apple, …). If the networks can establish a standard (done), they now need to create the incentives. By creating a better value proposition for online payments, and taking control of tokenization, they have created a sustainable moat AND a great consumer experience. My top recommendations for networks are thus:

  • Define how SRC works with W3C. Recommend allowing W3C to run the consumer facing element (other than a SRC logo or something) and SRC is the routing, rules, and certification/acceptance.
  • Notify issuers of the planned changes to certify SRC in the VBV/MSC rate scheme (that has existed since 2004).
  • Define the plan for tokenizing COF, and particularly cards in the W3C scheme.. the option for banks is that the Platforms will tokenize (without banks). Direct Platform integrations (ie Google/Apple) into acquirers and issuers is a threat. Of course Google/Apple must integrate into local debit schemes globally (CUP, ELO, Rupay, …) so they always must have this capability, but allowing platforms to steer payments will have significant control implications over next 20 yrs.
  • Create momentum.. through success and some of that phenomenal marketing. They story is that V/MA are making payments so great you don’t even think about them…  they are the easiest, safest, most secure payment products in the world. That would be a VERY GOOD STORY. Stories about security, privacy and trust are also what consumers need to hear.

For PayPal investors, SRC is a non issue until there are financial incentives for merchants. W3C has no financial incentives, but ease of use, consumer experience, integrated browser support and ease of implementation make this the much bigger threat.

5 thoughts on “SRC and W3C”

  1. I think Mastercard should move with their issuers to the MSC rate for SRC transactions, effectively putting Chase and Visa in a really bad spot. Mastercard has virtually no share at Chase and it would create a really interesting dynamic, if the issuer/acquirer most reliant on ecomm was suddenly seen as fleecing merchants.

    1. This would certainly start the ball rolling…. but this means dictating to Citi (their largest US issuer) that they will tokenize COF.. ?without their consent?..

  2. Great summary Tom. I feel like the other thing being over blown by the media is timing. You’d think the visa checkout button was going away tomorrow if you read all the articles, but I don’t believe we will see those checkout flows go away (if it all) for years. I think the real implementation ends up being more of a SRC seal of approval than the network branded checkouts disappearing. This will also vary greatly by market.

  3. Now is the time to abandon card-present, card-not-present and replace them with account-holder-is-present and account-holder-was-present or something similar.

Leave a Reply

Your email address will not be published.