MyDebit Secure Remote Commerce (SRC)
Introduction
Secure Remote Commerce (SRC), commonly referred to as ‘Click to Pay’, is a system with a consistent framework and interfaces across the remote commerce environment, in which participants in the payments ecosystem facilitate a streamlined and secure checkout process.
The digital payment solution, based on the EMV® Secure Remote Commerce (SRC) industry standard, provides online shoppers with a fast, simple, and secure way to pay online. It replaces the need to manually key in personal and card information on multiple eCommerce sites and works across multiple devices. An easier and frictionless checkout process enhances the online shopper’s experience and helps merchants reduce cart abandonment.
The EMV® Secure Remote Commerce (SRC) Specifications enable a common consumer e-checkout that promotes simplicity, familiarity, interoperability, convenience, and trust. The specification defines a number of roles and functions to facilitate this secure and seamless experience by which consumers access their card and personal information. The click to pay experience has been adopted by the global payment networks to provide consumers with a more seamless and consistent checkout experience.
1. PayNet SRC Program Overview
MyDebit SRC is an “Add-on” application to MyDebit Tokenisation that promotes the adoption of network/payment tokens, driven from the scheme perspective.
Built on EMVCo standards, MyDebit SRC gives consumers who shop online an easy, secure, and consistent way to check out, thereby speeding up checkout time and reducing cart abandonment.
1.1 SRC Participants
Roles | Responsibilities | Parties |
---|---|---|
SRC System | Orchestrates all technical activities and facilitates the interactions between SRC participants. | |
SRCI | Integrates and interacts with the DPA and the MyDebit SRC system. | |
DPA | Any website, mobile application or IoT device that enables customers to purchase goods or services. | |
DCF | Provides access to customer data such as payment card information, shipping address and others. | |
SRCPI | Enables the enrollment of its cardholders and their related PANs to the MyDebit SRC system. | |
1.3 Abbreviations and Key Terms
For abbreviations and key terms, see: Abbreviations and key terms
2. Benefits
- Simplify and expedite your online customers’ checkout process, as MyDebit SRC allows customers to make payments seamlessly without the hassle of manually keying in the Debit Card details or delivery address.
- Merchants get to minimize cart abandonment and increase sales through a seamless payment process.
- Leads to higher approval rates and lower fraud risk.
- Works seamlessly with your existing 3DS solution.
3. Overview of MyDebit SRC Architecture and Process Flow
- Consumers initiate checkout on the platform provided by DPA.
- Upon consumers’ selection of MyDebit SRC as the checkout method, SRCI connects to MyDebit SRC system on behalf of DPA. The consumers are required to perform registration/login to MyDebit SRC account.
- SRCI must provide consumers the option to add/select card based on their preference. Upon card selection from the SRC candidate list, SRCI invokes DCF.
- DCF displays the selected card’s details. It may also capture and display address details, contact information and cardholder authentication as required.
- All the information gathered is sent to MyDebit SRC system. MyDebit SRC system in turn returns the checkout payload to DCF.
- DCF passes the checkout payload to SRCI.
- SRCI returns the checkout payload to DPA to be reviewed and confirmed by the consumers.
- Upon confirmation of the checkout information, SRCI is invoked to process the transaction.
- PayNet TSP detokenises and verifies the Token PAN and returns the PAN to MyDebit NET.
- MyDebit NET sends PAN information to the Issuer for Authorization including certain checkout data. SRCPI returns an Approval response to MyDebit NET.
- MyDebit NET routes back the Approval response with the Token PAN.
4. Use Case
Upon using SRC for the first time, consumers are required to enroll their payment card and shipping address to sign up with the service. For subsequent purchases, consumers can easily sign in to their SRC profile using their registered email address and access their profile data for quick checkout. Consequently, consumers are categorized into distinct scenarios based on their interactions with SRC.
USE CASE | DESCRIPTION |
---|---|
New User | Consumers who have not registered with SRC and are using SRC for the first time need to enter their payment card and shipping address before checkout. A one-time passcode (OTP) is sent to their email for verification. |
Existing User On Unrecognised Device | Consumers who have an SRC profile will need to enter the email address associated with their SRC payment profile. Consumers need to verify their identity with a one-time passcode (OTP) sent to their email address. |
Existing User On Recognised Device | Consumers who have enrolled in SRC and are checking out using a recognized device will have the fastest checkout experience. In this case, the OTP (user verification) step is not required; consumers just need to enter their email address and confirm the payment card and shipping address they wish to use for the transaction. |
4.1. First Time User
No. | Consumer journey | Sample Picture |
---|---|---|
1 | Upon the consumer’s selection to check out via MyDebit SRC, the DPA invokes the SRCI. | |
2 | SRCI invokes the SRC system, enabling consumers to register with MyDebit SRC. | |
3 | Consumers may register their desired MyDebit card. | |
4 | SRCI will send a security code to the registered email for authentication. | |
5 | SRCI will invoke the 3DS procedure for card enrollment. | |
6 | | |
7 | Upon confirmation, the checkout information will be passed back to the DPA to display. | |
8 | The following process is not within the MyDebit SRC framework, as SRCI proceeds to invoke the normal payment process, which may include the 3DS procedure. | |
9 | SRC checkout is complete. | |
4.2. Returning User On Unrecognised Device
No. | Consumer journey | Sample Picture |
---|---|---|
1 | Upon the consumer’s selection to check out via MyDebit SRC, the DPA invokes the SRCI. | |
2 | SRCI invokes the SRC system, enabling consumers to log in to MyDebit SRC via consumer identity. | |
3 | MyDebit SRC system will verify the consumer’s identity (Email). | |
4 | SRCI displays the consumer profile from MyDebit SRC. | |
5 | | |
6 | Upon confirmation, the checkout information will be passed back to the DPA to display. | |
7 | The following process is not within the MyDebit SRC framework, as SRCI proceeds to invoke the normal payment process, which may include the 3DS procedure. | |
8 | SRC checkout is complete. | |
4.3. Returning User On Recognised Device
No. | Consumer journey | Sample Picture |
---|---|---|
1 | Upon the consumer’s selection to check out via MyDebit SRC, the DPA invokes the SRCI. | |
2 | SRCI invokes the SRC system, enabling consumers to log in to MyDebit SRC via consumer identity. | |
4 | | |
5 | | |
6 | Upon confirmation, the checkout information will be passed back to the DPA to display. | |
7 | The following process is not within the MyDebit SRC framework, as SRCI proceeds to invoke the normal payment process, which may include the 3DS procedure. | |
8 | SRC checkout is complete. | |
5. SRCI Onboarding to SRC
5.1. SRCI Onboarding process
5.1.1. Register with MyDebit SRC
SRCI must enroll and adhere to MyDebit SRC Program requirements. Upon successful registration, the following are obtained from PayNet:
- Login credentials for SRCI Portal will be provided by PayNet.
- There are 2 integration models provided: Hosted Checkout and SDK model.
- It is recommended to integrate with MyDebit SRC using the Hosted Checkout model.
- For the detailed integration specification, please refer to the document: MyDebit SRC JavaScript SDK.
- To integrate using the SDK model, kindly contact PayNet for more information.
SRC Initiator (SRCI) Portal is a self-service web portal that allows SRCI’s users to view and monitor resources that are related to them only.
High level overview of modules in SRCI Portal includes:
- Login Screen
- Dashboard
- Checkout Management
- SRC Client Profile
- Merchant Management
5.1.2. Onboarding Merchants and DPAs
Upon the completion of SRCI registration, SRCI is responsible for registering their respective merchants and DPAs who wish to support the MyDebit SRC checkout method.
Registration can be done via the SRCI portal that is provided.
- SRCI needs to create a merchant account in the SRCI Portal.
- Subsequently, SRCI can create the DPA account(s) for the merchant.
- A merchant can have more than 1 DPA account.
6 Client Side Integration
6.1 Hosted Checkout
The hosted checkout model is the best fit for merchants who wish to focus on their business logic instead of developing their own checkout interface and maintaining the complexity of the integration. With this model, a standard interface will be shown to consumers, and all the functionalities that are required by the SRC system will be taken care of.
6.1.1 Integrate via Hosted Checkout
To start integrating Hosted Checkout, merchants need to import the SDK into their website.

```html
<script src='SRC_SDK_URL'></script>
```

The SRC_SDK_URL will be given to the participant after onboarding.
Initialise the SDK with the data provided by the SRCI.

```javascript
// srcInitiatorId, serviceId, srcDpaId and srciTransactionId hold the values provided by the SRCI
window.SRCSDK_MYDEBIT.init({
  srcInitiatorId,
  serviceId,
  srcDpaId,
  srciTransactionId,
  dpaTransactionOptions: {
    transactionAmount: {
      transactionAmount: 199.99,
      transactionCurrencyCode: 'MYR'
    },
    transactionType: 'PURCHASE',
    merchantOrderId: 'ORD-2022030001',
    threeDsPreference: 'ONBEHALF',
    threeDsInputData: {
      returnUrl: 'https://merchant.com/3ds-return-url'
    }
  }
})
```

Prepare the button for calling the Click To Pay action.

```html
<button type="button" class="btn btn-primary" onClick='window.SRCSDK_MYDEBIT.clickToPay()'>
  <img src="/images/mydebit-src-logo.svg" width="100" height="26" />
</button>
```
6.1.2 Handle Response from Hosted Checkout
To handle the response from the hosted checkout, merchants need to use an event listener.
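```javascript
window.addEventListener('message', function (event) {
  // Only accept messages sent by the hosted checkout; SRC_CHECKOUT_DOMAIN must be
  // its exact origin (scheme and host), compared with strict equality.
  if (event.origin === SRC_CHECKOUT_DOMAIN) {
    // code to receive response data from hosted checkout
    const data = event.data
    console.log(data.checkoutResponse)
    console.log(data.srcCorrelationId)
    // code to decrypt checkoutResponseJws
    // ...
  }
});
```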
The response data is a signed JWS with a nested encrypted JWE. Only the SRCI can decrypt the JWE to retrieve payment authorization data. In cases where the merchant needs payment information such as recipient name, shipping address or masked card number, the SRCI should provide an API for the merchant.
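The following is an added example, not part of the PayNet documentation or SDK: a merchant-side handler that accepts a hosted checkout message only on an exact origin match and a well-formed, signed compact JWS, leaving the payload opaque for the SRCI to verify and decrypt. The origin value, the algorithm allow-list and all function names are assumptions made for illustration.

```javascript
// Added example. SRC_CHECKOUT_ORIGIN is a placeholder and ALLOWED_JWS_ALGS is an
// assumption: use the origin and signing algorithm confirmed during onboarding.
const SRC_CHECKOUT_ORIGIN = 'https://checkout.example';
const ALLOWED_JWS_ALGS = ['RS256', 'PS256', 'ES256'];
const B64URL = /^[A-Za-z0-9_-]+$/;

function b64urlToString(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

// Returns { checkoutResponse, srcCorrelationId } to forward to the SRCI backend,
// or null when the message must be ignored.
function acceptCheckoutMessage(event, expectedOrigin = SRC_CHECKOUT_ORIGIN) {
  // Exact comparison: prefix or substring matching would accept look-alike origins.
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || typeof data.checkoutResponse !== 'string' ||
      typeof data.srcCorrelationId !== 'string') return null;
  // Compact JWS = header.payload.signature, each a non-empty base64url segment.
  const parts = data.checkoutResponse.split('.');
  if (parts.length !== 3 || !parts.every((p) => B64URL.test(p))) return null;
  let header;
  try {
    header = JSON.parse(b64urlToString(parts[0]));
  } catch {
    return null;
  }
  // Refuse unsigned ("none") or unexpected algorithms before anything is sent on.
  if (!header || !ALLOWED_JWS_ALGS.includes(header.alg)) return null;
  // The payload with its nested JWE stays opaque here: only the SRCI can decrypt
  // it, and the signature must be verified there before the data is trusted.
  return { checkoutResponse: data.checkoutResponse, srcCorrelationId: data.srcCorrelationId };
}

// Constructed sample messages (not real checkout data).
const b64url = (s) => btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleJws = (alg, sig) =>
  [b64url(JSON.stringify({ alg })), b64url('opaque-payload'), sig].join('.');
const sampleEvent = (origin, jws) =>
  ({ origin, data: { checkoutResponse: jws, srcCorrelationId: 'constructed-id-1' } });

console.log(acceptCheckoutMessage(sampleEvent(SRC_CHECKOUT_ORIGIN, sampleJws('RS256', 'c2ln'))));
console.log(acceptCheckoutMessage(sampleEvent('https://checkout.example.lookalike.test', sampleJws('RS256', 'c2ln'))));
console.log(acceptCheckoutMessage(sampleEvent(SRC_CHECKOUT_ORIGIN, sampleJws('none', ''))));
```

These checks only filter what the page forwards; they do not replace signature verification of the JWS by the party holding the verification key.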
You can also find our sample hosted checkout in the resources section.