Secure Remote Commerce – May 2022

Short Blog. I wanted to follow up on the last point I made in Bank ID Service – What Is It?

Some US Banks are refusing to jump on board SRC. As managers of risk, Banks are reluctant to accept network services which level the playing field in both managing risk and “diluting” their brand.… In some respects Authentify is a response to SRC.

Secure Remote Commerce (see blog) has been 12 yrs in the making. It is the evolution of EMV for eCommerce, 3DS, and early “checkout” services. Today SRC is live in over 20 countries, with 100s of merchants using it. It is being acted on by the eCom “ecosystem” including: 

 The success of any payment network is highly dependent on trust of both merchant and consumer. As such, V/MA/Amex must drive standards to address fraud and improve on the failures of 3DS. Logically any effective fraud solution must combine some form of identity. 

SRC is making significant global progress across all networks. Globally, merchants see this as a no-brainer. SRC is the replacement of 3DS v1.0. Within the EEA (PSD2 markets), new rules for Strong Customer Authentication (SCA) came into effect. Part of the ECB’s revised PSD2 SCA mandate has been to use 3DS 2.0+ to authenticate payments. In October 2022, V/MA announced, issuers and acquirers will be required to support the enhanced standard for securing online payments (EMV 3DS 2.2) in Europe. 3DS v1.0 will no longer be supported – Oct 22, 2022.

Key points (for Europe and 3DS markets)

    • Complete reworking of 3DS into a global standard (EMVCo and W3C)
    • Integrated tokenization, strong customer authentication, with the new secure remote commerce specification
    • Globally, merchants, processors and issuers are supporting it
    • In PSD2 space, this will impact the opportunity for consumer wallets and PSPs
    • I believe the combination of standard, PSD2 and SCA is actually benefiting V/MA and further entrenching their networks as the best, most secure channel for payment. 
    • Currently, Issuer participation is required to provision PANs into SRC. This is very similar to the process in which cards are provisioned into Apple Pay (and VTS/MDES). 

US eCommerce

In the US, 3DS v1.0 was never implemented; it was a completely broken standard with an idiotic consumer experience (consumer iframe pop-up asking for your bank login). Of course the other “benefit” of this broken service was a rate reduction and a liability shift (see blog). 

The majority of US card issuers see Visa/MA as a “golden goose” and SRC as a tool which will improve the card eCom purchase experience. Better payment experience leads to increased use and reinforced consumer behavior. 

While MA may have all top issuers on board, I see only one of the top US Visa issuers participating in SRC. SRC + Tokenization portends a sea change in fraud; however, if less than 50% of issuers participate it will be 6-8 yrs before SRC is widely adopted in the US. What are issuers’ concerns? 

    1. The Digital Card Facilitator (DCF) role is being assumed by the network. Although there is technical separation of consumer data, and tokenization, and SRC services, issuers have never allowed the networks to hold consumer data. 
    2. Network risk reduction (for all issuers). The top banks have invested billions in risk management. SRC is a network-wide solution that levels the playing field for all issuers (see blog).
    3. No room for Bank Identity solution (see Authentify Blog). Directly tying Identity – Token – Card leaves very little room for other solutions. Not only does SRC decrease the need for bank data, it democratizes access.
    4. Control. SRC has moved the industry: a defined standard with EMVCo and W3C. But standards are not high margin business models. Within SRC banks have a binary decision on card and initiator. They can choose which consumers to enroll and which initiators to accept. However, SRC standardizes an area where banks have long held “wallet” ambitions. Banks have no ability to brand, customize or develop a competing “wallet” solution (see Chase Pay example)
    5. Customer experience. Similar to above, SRC will mean complete loss of the customer experience in eCom, just as Apple Pay did in 2015.
    6. Potential rate change and fraud liability shift. V/MA instituted this in the EEA and other geographies in 2008, but it was never instituted in the US (see card holder present blog). 
    7. History. SRC is still unproven and the last attempt (3DS 1.0 in 2008) was a complete failure. US banks are well served by being a late follower here. 

Unfortunately, a 6-8 yr delay leaves more time for Apple, Stripe, Shopify and others to create a better/more secure payment process. Or perhaps even create a product like Affirm Debit+ which “end runs” the banks, directly connects to consumers (and implements SRC). 

It seems the “non-participating” issuers have their own plans for a wallet-like solution. What will it compete with? 

    1. Apple Pay
    2. PayPal
    3. Retailer solutions (Amazon, Walmart, Redcard, Starbucks, …)
    4. SRC with 90% of Mastercard issuers, and 30% of Visa
    5. …etc. (see blog on intersections)

These banks represent more than 50% of all credit cards, and can certainly impair the US success of SRC, but can they:

    1. Build a competing scheme? (Yes)
    2. Gain ubiquitous merchant coverage (NO, 20% at best)
    3. Gain consumer adoption (no, 20% of merchants will not drive adoption)
    4. Get others to invest (no)

IMHO the global standard will eventually win given the shared investment (open standard) and momentum (powered by PSD2 and 3DS mandates). Merchants will want SRC to happen; it solves their problem. 

Thoughts appreciated. 
