PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.
View on EMVCo.com →

EMV® Secure Remote Commerce Specifications - API

v1.5 Specifications
Secure Remote Commerce
Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

This document is large; EMVCo's index truncates its extracted text, so the excerpt below is partial.

EMV® Secure Remote Commerce Specification – API Version 1.5 October 2025 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Legal Notice Page i / xiii The EMV® Specifications are provided “AS IS” without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in these Specifications. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT, AS TO THESE SPECIFICATIONS. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to the Specifications. EMVCo undertakes no responsibility to determine whether any implementation of the EMV® Specifications may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of the EMV® Specifications should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, the Specifications may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement these Specifications is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party’s infringement of any intellectual property rights in connection with the EMV® Specifications. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page ii / xiii Revision Log – Version 1.5 The following changes have been made to the document since the publication of version 1.4: • Minor editorial changes throughout the document, with sections and tables renumbered where necessary • Section 2.1 Complex Data Objects, the following complex data objects have been added: o AdditionalSource (Section 2.1.5) o DeviceIdentity (Section 2.1.26) o DeviceSpecificData (Section 2.1.27) • Table 2.10: AuthenticationMethod has been updated as follows: o uriData: Description updated to include the Identity Lookup response • Table 2.40: MaskedCard has been updated as follows: o panBin: Max Length has been changed from PAN Length - 10 to 8 and the description has been updated o tokenBinRange: Max Length has been changed from Payment Token Length 10 to 9 • Table 2.53: VerificationData Values has been updated as follows: o For the DEVICE Verification Type, the following Verification Events have been added: 01 Bind, 02 Checkout, 03 Renewal o For the DEVICE Verification Type, the following Verification Method has been added: 02 Public Key Infrastructure • Section 2.2.2 Use Case Specific Attributes has been added • Section 2.3 Enumerations, the following have been added or modified: o AuthenticationMethodType o DeviceIdentityProvider o DeviceIdentityType o IdentityValidationChannelType o SignedDataType • Table 3.2: Federated ID Token Claim Set has had the following private claims added: o id_type o passkey_enrolment_verification_type o passkey_enrolment_verification_time © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page iii / xiii • Table 5.4.3: Prepare SRC Profile Definition – Response Body has had the data element additionalSources added • Table 5.4.6: Add Consumer Identities Definition – Request Body has had the data element deviceIdentity added • Table 5.4.10: Unbind App Instance Definition – Query Parameters has had the data element signedObject added • Table 5.5.7: Checkout Definition – Request Body has had the data element deviceIdentity added • Table 5.7.3: Identity Lookup Definition – Response Body has had the data element authenticationMethod added • Annex A Use Case Specific Data has been added, which includes content from the original Annex A EMVCo Specification Mapping and Annex B 3DS Data o A.1 Merchant-Presented Mode – QR Code Payload contains the original A.1 Merchant-Presented Mode – QR Code Payload o A.2 3DS Data contains the original Annex B 3DS Data o A.3 EV Open Payments has been added © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page iv / xiii Contents Legal Notice ............................................................................................................. i Revision Log – Version 1.5..................................................................................... ii Contents ................................................................................................................. iv Tables ..................................................................................................................... ix 1 Introduction ....................................................................................................... 1 1.1 Scope ........................................................................................................ 1 1.2 Constraints ................................................................................................ 1 1.3 Audience ................................................................................................... 1 1.4 References ................................................................................................ 2 1.4.1 Normative References .................................................................... 2 1.4.2 Published EMVCo Documents ........................................................ 3 1.5 Definitions.................................................................................................. 4 1.6 Notational Conventions.............................................................................. 4 1.6.1 Abbreviations .................................................................................. 4 1.6.2 Terminology and Conventions......................................................... 4 2 Data Dictionary .................................................................................................. 5 2.1 Complex Data Objects............................................................................... 5 2.1.1 AcceptanceChannelData ................................................................ 5 2.1.2 AcceptanceChannelRelatedData .................................................... 6 2.1.3 AccountReference .......................................................................... 6 2.1.4 AdditionalAmount............................................................................ 7 2.1.5 AdditionalSource............................................................................. 7 2.1.6 Address .......................................................................................... 8 2.1.7 AppInstance.................................................................................. 11 2.1.8 AssuranceData ............................................................................. 11 2.1.9 AuthenticationContext DEPRECATED .......................................... 19 2.1.10 AuthenticationMethod ................................................................... 20 2.1.11 AuthenticationPreferences ............................................................ 21 2.1.12 BusinessIdentification ................................................................... 22 2.1.13 Card.............................................................................................. 22 2.1.14 CardholderData ............................................................................ 24 2.1.15 CommunicationsConsent .............................................................. 25 2.1.16 ComplianceResource.................................................................... 26 2.1.17 ComplianceSettings ...................................................................... 26 2.1.18 ConfirmationData DEPRECATED ................................................. 27 2.1.19 ConfirmationData2 ........................................................................ 29 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page v / xiii 2.1.20 Consent DEPRECATED ............................................................... 31 2.1.21 Consumer ..................................................................................... 32 2.1.22 ConsumerIdentity.......................................................................... 33 2.1.23 Dcf ................................................................................................ 33 2.1.24 DeliveryContactDetails.................................................................. 34 2.1.25 DeviceData ................................................................................... 35 2.1.26 DeviceIdentity ............................................................................... 35 2.1.27 DeviceSpecificData ....................................................................... 36 2.1.28 DigitalCardData ............................................................................ 36 2.1.29 DigitalCardFeature........................................................................ 37 2.1.30 DigitalCardUpdateNotification ....................................................... 38 2.1.31 DpaData ....................................................................................... 39 2.1.32 DpaTransactionOptions ................................................................ 42 2.1.33 DynamicData ................................................................................ 46 2.1.34 EnrollmentReferenceData ............................................................. 47 2.1.35 Error.............................................................................................. 47 2.1.36 ErrorDetail..................................................................................... 48 2.1.37 EventHistory ................................................................................. 48 2.1.38 IdentityValidationChannel ............................................................. 49 2.1.39 MaskedAddress ............................................................................ 50 2.1.40 MaskedCard ................................................................................. 51 2.1.41 MaskedConsumer......................................................................... 56 2.1.42 MaskedConsumerIdentity ............................................................. 57 2.1.43 Payload......................................................................................... 58 2.1.44 PaymentOptions ........................................................................... 64 2.1.45 PaymentToken.............................................................................. 64 2.1.46 PhoneNumber............................................................................... 65 2.1.47 RecurringData............................................................................... 66 2.1.48 RecognitionData ........................................................................... 68 2.1.49 SrcProfile ...................................................................................... 69 2.1.50 SignedData ................................................................................... 70 2.1.51 TransactionAmount....................................................................... 70 2.1.52 VerificationData ............................................................................ 71 2.1.53 UriData ......................................................................................... 77 2.2 JSON Attributes....................................................................................... 77 2.2.1 Authentication Facilitation ............................................................. 77 2.2.2 Use Case Specific Attributes......................................................... 80 2.3 Enumerations .......................................................................................... 81 2.4 Signed Checkout Objects ........................................................................ 86 2.4.1 Checkout Request JWS ................................................................ 86 2.4.2 Checkout Payload Response ........................................................ 89 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page vi / xiii 2.4.3 JWS JOSE Header ....................................................................... 93 2.5 Masking Rule........................................................................................... 94 3 Federated Identity ........................................................................................... 95 3.1 Authorisation Token................................................................................. 95 3.1.1 Token Header ............................................................................... 95 3.1.2 Token Claims ................................................................................ 96 3.1.3 Notes on Authentication .............................................................. 103 4 SRCI – DCF Interaction DEPRECATED........................................................ 105 4.1 Interaction Mechanisms......................................................................... 105 4.2 Launch The DCF ................................................................................... 106 4.3 Redirect back to SRCI ........................................................................... 106 5 Server-Side API ............................................................................................. 109 5.1 API Principles ........................................................................................ 109 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 Common HTTP Status Codes..................................................... 109 Error Handling............................................................................. 110 Conditionality of Data .................................................................. 110 Authorisation............................................................................... 110 Recognition................................................................................. 110 API Access Control ..................................................................... 112 API Tables .................................................................................. 112 5.2 Card Service.......................................................................................... 112 5.2.1 5.2.2 5.2.3 5.2.4 Card Enrolment........................................................................... 113 Delete Card................................................................................. 117 Add Billing Address ..................................................................... 119 Get Card Data............................................................................. 121 5.3 Address Service .................................................................................... 122 5.3.1 Add Shipping Address ................................................................ 122 5.3.2 Delete Shipping Address............................................................. 124 5.4 SRC Profile Service ............................................................................... 125 5.4.1 Prepare SRC Profile ................................................................... 125 5.4.2 Add Consumer Identities............................................................. 128 5.4.3 Unbind App Instance................................................................... 132 5.5 Checkout Service .................................................................................. 133 5.5.1 5.5.2 5.5.3 5.5.4 Prepare Checkout Data DEPRECATED ..................................... 134 Checkout .................................................................................... 136 Get Payload ................................................................................ 141 Make Payment ............................................................................ 143 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page vii / xiii 5.6 Confirmation Service ............................................................................. 144 5.6.1 Confirmation ............................................................................... 144 5.7 Identity Service ...................................................................................... 146 5.7.1 5.7.2 5.7.3 5.7.4 Identity Lookup ........................................................................... 146 Initiate Identity Validation ............................................................ 148 Complete Identity Validation ....................................................... 149 Is Recognized ............................................................................. 151 5.8 Authentication Facilitation Service ......................................................... 154 5.8.1 Authentication Methods Lookup .................................................. 154 5.8.2 Authenticate................................................................................ 156 5.9 Public Keys Retrieval Service ................................................................ 159 5.9.1 Public Key Retrieval.................................................................... 160 5.10 Retrieve Latest Compliance Resources Service .................................... 161 5.10.1 Latest Compliance Resources Retrieval ..................................... 161 5.11 Management Service............................................................................. 163 5.11.1 DPA Registration ........................................................................ 163 6 Notification Service....................................................................................... 165 6.1 Notifications Principles........................................................................... 165 6.1.1 Data Delivery Modes................................................................... 165 6.1.2 Standard HTTP Status Codes..................................................... 165 6.2 Card Update Event Notification.............................................................. 166 6.3 Identity Validation Completion Event Notification ................................... 167 6.4 Authentication Event Notification ........................................................... 169 6.5 Payment Notification.............................................................................. 170 Annex A Use Case Specific Data .................................................................... 172 A.1 Merchant-Presented Mode – QR Code Payload .................................... 172 A.1.1 A.1.2 A.1.3 A.1.4 SRC Data Elements .................................................................... 172 QR Code specific Data Elements for Seller Data ........................ 173 QR Code specific Data Elements for Consumer Data ................. 174 QR Code Specific Data Elements for Additional Amounts ........... 178 A.2 3DS Data............................................................................................... 180 A.2.1 3DS Input Data ........................................................................... 180 A.2.2 3DS Output Data......................................................................... 181 A.3 EV Open Payments ............................................................................... 182 A.3.1 Assurance Data .......................................................................... 182 A.3.2 Signed Data Private Claim .......................................................... 184 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page viii / xiii A.3.3 Custom Data............................................................................... 184 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page ix / xiii Tables Table 1.1: Normative References.............................................................................. 2 Table 1.2: EMVCo References.................................................................................. 3 Table 2.1: AcceptanceChannelData .......................................................................... 5 Table 2.2: AcceptanceChannelRelatedData.............................................................. 6 Table 2.3: AccountReference.................................................................................... 6 Table 2.4: AdditionalAmount ..................................................................................... 7 Table 2.5: AdditionalSource ...................................................................................... 7 Table 2.6: Address .................................................................................................... 8 Table 2.7: AppInstance ........................................................................................... 11 Table 2.8: AssuranceData....................................................................................... 11 Table 2.9: AuthenticationContext DEPRECATED ................................................... 19 Table 2.10: AuthenticationMethod........................................................................... 20 Table 2.11: AuthenticationPreferences ................................................................... 21 Table 2.12: BusinessIdentification........................................................................... 22 Table 2.13: Card ..................................................................................................... 22 Table 2.14: CardholderData .................................................................................... 24 Table 2.15: CommunicationsConsent ..................................................................... 25 Table 2.16: ComplianceResource ........................................................................... 26 Table 2.17: ComplianceSettings ............................................................................. 26 Table 2.18: ConfirmationData DEPRECATED ........................................................ 27 Table 2.19: ConfirmationData2 ............................................................................... 29 Table 2.20: Consent DEPRECATED....................................................................... 31 Table 2.21: Consumer............................................................................................. 32 Table 2.22: ConsumerIdentity ................................................................................. 33 Table 2.23: Dcf........................................................................................................ 33 Table 2.24: DeliveryContactDetails ......................................................................... 34 Table 2.25: DeviceData........................................................................................... 35 Table 2.26: DeviceIdentity....................................................................................... 35 Table 2.27: Device Specific Data ............................................................................ 36 Table 2.28: DigitalCardData .................................................................................... 36 Table 2.29: DigitalCardFeature ............................................................................... 37 Table 2.30: DigitalCardUpdateNotification............................................................... 38 Table 2.31: DpaData ............................................................................................... 39 Table 2.32: DpaTransactionOptions........................................................................ 42 Table 2.33: DynamicData........................................................................................ 46 Table 2.34: EnrollmentReferenceData .................................................................... 47 Table 2.35: Error ..................................................................................................... 47 Table 2.36: ErrorDetail ............................................................................................ 48 Table 2.37: EventHistory ......................................................................................... 48 Table 2.38: IdentityValidationChannel ..................................................................... 49 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page x / xiii Table 2.39: MaskedAddress.................................................................................... 50 Table 2.40: MaskedCard ......................................................................................... 51 Table 2.41: MaskedConsumer ................................................................................ 56 Table 2.42: MaskedConsumerIdentity ..................................................................... 57 Table 2.43: Payload ................................................................................................ 58 Table 2.44: PaymentOptions................................................................................... 64 Table 2.45: PaymentToken ..................................................................................... 64 Table 2.46: PhoneNumber ...................................................................................... 65 Table 2.47: RecurringData ...................................................................................... 66 Table 2.48: RecognitionData................................................................................... 68 Table 2.49: SrcProfile.............................................................................................. 69 Table 2.50: SignedData .......................................................................................... 70 Table 2.51: TransactionAmount .............................................................................. 70 Table 2.52: VerificationData .................................................................................... 71 Table 2.53: VerificationData Values ........................................................................ 72 Table 2.54: UriData ................................................................................................. 77 Table 2.55: JSON Attributes for CSC_VALIDATION ............................................... 78 Table 2.56: JSON Attributes for SMS_OTP, EMAIL_OTP, APP_OTP..................... 78 Table 2.57: JSON Attributes for ADDRESS_VERFICATION................................... 78 Table 2.58: JSON Attributes for SPC (Authenticate response) ................................ 79 Table 2.59: JSON Attributes for SPC (Authenticate request)................................... 79 Table 2.60: JSON Attributes for 3DS....................................................................... 79 Table 2.61: JSON Attributes for Consumer Authentication ...................................... 80 Table 2.62: Device Specific Data for EV Open Payments Use Case ....................... 80 Table 2.63: Contract Certificate for EV Open Payments Use Case ......................... 81 Table 2.64: Enumerations ....................................................................................... 81 Table 2.65: Checkout Request JOSE Header ......................................................... 86 Table 2.66: Checkout Request Claim Set................................................................ 87 Table 2.67: Checkout Payload Response ............................................................... 89 Table 2.68: JWS JOSE Header............................................................................... 93 Table 3.1: JOSE Header ......................................................................................... 95 Table 3.2: Federated ID Token Claim Set ............................................................... 96 Table 4.1: Error Codes.......................................................................................... 107 Table 5.1: Recognition Token Claim Set ............................................................... 111 Table 5.2.1: Card Enrolment Definition – HTTP Verb, Path and Parameters......... 113 Table 5.2.2: Card Enrolment Definition – Request Body ....................................... 113 Table 5.2.3: Card Enrolment Definition – Response Body..................................... 115 Table 5.2.4: Card Enrolment Definition – HTTP Status Codes .............................. 117 Table 5.2.5: Delete Card Definition – HTTP Verb, Path and Parameters............... 117 Table 5.2.6: Delete Card Definition – Query Parameters....................................... 117 Table 5.2.7: Delete Card Definition – Response Body........................................... 118 Table 5.2.8: Delete Card Definition – HTTP Status Codes .................................... 118 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page xi / xiii Table 5.2.9: Add Billing Address Definition – HTTP Verb, Path and Parameters ... 119 Table 5.2.10: Add Billing Address Definition – Request Body................................ 119 Table 5.2.11: Add Billing Address Definition – Response Body ............................. 120 Table 5.2.12: Add Billing Address Definition – HTTP Status Codes ...................... 120 Table 5.2.13: Get Card Data Definition – HTTP Verb, Path and Parameters......... 121 Table 5.2.14: Get Card Data Definition – Query Parameters................................. 121 Table 5.2.15: Get Card Data Definition – Response Body..................................... 122 Table 5.2.16: Get Card Data Definition – HTTP Status Codes .............................. 122 Table 5.3.1: Add Shipping Address Definition – HTTP Verb, Path and Parameters122 Table 5.3.2: Add Shipping Address Definition – Request Body ............................. 123 Table 5.3.3: Add Shipping Address Definition – Response Body .......................... 123 Table 5.3.4: Add Shipping Address Definition – HTTP Status Codes .................... 124 Table 5.3.5: Delete Shipping Address Definition – HTTP Verb, Path and Parameters124 Table 5.3.6: Delete Shipping Address Definition – Query Parameters................... 124 Table 5.3.7: Delete Shipping Address Definition – Response Body....................... 125 Table 5.3.8: Delete Shipping Address Definition – HTTP Status Codes ................ 125 Table 5.4.1: Prepare SRC Profile Definition – HTTP Verb, Path and Parameters . 126 Table 5.4.2: Prepare SRC Profile Definition – Request Body ................................ 126 Table 5.4.3: Prepare SRC Profile Definition – Response Body ............................. 127 Table 5.4.4: Prepare SRC Profile Definition – HTTP Status Codes ....................... 128 Table 5.4.5: Add Consumer Identities Definition – HTTP Verb, Path and Parameters129 Table 5.4.6: Add Consumer Identities Definition – Request Body.......................... 129 Table 5.4.7: Add Consumer Identities Definition – Response Body....................... 130 Table 5.4.8: Add Consumer Identities Definition – HTTP Status Codes ................ 131 Table 5.4.9: Unbind App Instance Definition – HTTP Verb, Path and Parameters. 132 Table 5.4.10: Unbind App Instance Definition – Query Parameters....................... 132 Table 5.4.11: Unbind App Instance Definition – Response Body........................... 133 Table 5.4.12: Unbind App Instance Definition – HTTP Status Codes .................... 133 Table 5.5.1: Prepare Checkout Data Definition – HTTP Verb, Path and Parameters134 Table 5.5.2: Prepare Checkout Data Definition – Request Body ........................... 134 Table 5.5.3: Prepare Checkout Data Definition – Response Body......................... 136 Table 5.5.4: Prepare Checkout Data Definition – HTTP Status Codes .................. 136 Table 5.5.5: Checkout Definition – HTTP Verb, Path and Parameters .................. 137 Table 5.5.6: Checkout Definition – Request Body DEPRECATED ........................ 137 Table 5.5.7: Checkout Definition – Request Body ................................................. 138 Table 5.5.8: Checkout Definition – Response Body .............................................. 140 Table 5.5.9: Checkout Definition – HTTP Status Codes ........................................ 141 Table 5.5.10: Get Payload Definition – HTTP Verb, Path and Parameters ............ 141 Table 5.5.11: Get Payload Definition – Query Parameters .................................... 141 Table 5.5.12: Get Payload Definition – Response Body ........................................ 143 Table 5.5.13: Get Payload Definition – HTTP Status Codes.................................. 143 Table 5.5.14: Make Payment Definition – HTTP Verb, Path and Parameters ........ 143 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page xii / xiii Table 5.5.15: Make Payment Definition – Request Body....................................... 143 Table 5.5.16: Make Payment Definition – HTTP Status Codes ............................. 144 Table 5.6.1: Confirmation Definition – HTTP Verb, Path and Parameters ............. 144 Table 5.6.2: Confirmation Definition – Request Body ............................................ 144 Table 5.6.3: Confirmation Definition – HTTP Status Codes ................................... 145 Table 5.7.1: Identity Lookup Definition – HTTP Verb, Path and Parameters ......... 146 Table 5.7.2: Identity Lookup Definition – Request Body ........................................ 146 Table 5.7.3: Identity Lookup Definition – Response Body ..................................... 147 Table 5.7.4: Identity Lookup Definition – HTTP Status Codes ............................... 147 Table 5.7.5: Initiate Identity Validation Definition – HTTP Verb, Path and Parameters148 Table 5.7.6: Initiate Identity Validation Definition – Request Body ......................... 148 Table 5.7.7: Initiate Identity Validation Definition – Response Body ...................... 149 Table 5.7.8: Initiate Identity Validation Definition – HTTP Status Codes................ 149 Table 5.7.9: Complete Identity Validation Definition – HTTP Verb, Path and Parameters 150 Table 5.7.10: Complete Identity Validation Definition – Request Body .................. 150 Table 5.7.11: Complete Identity Validation Definition – Response Headers .......... 150 Table 5.7.12: Complete Identity Validation Definition – Response Body ............... 151 Table 5.7.13: Complete Identity Validation Definition – HTTP Status Codes ......... 151 Table 5.7.14: Is Recognized Definition – HTTP Verb, Path and Parameters ......... 151 Table 5.7.15: Is Recognized Definition – Query Parameters ................................. 152 Table 5.7.16: Is Recognized Definition – Response Body ..................................... 152 Table 5.7.17: Is Recognized Definition – HTTP Status Codes............................... 153 Table 5.8.1: Authentication Methods Lookup Definition – HTTP Verb, Path and Parameters ........................................................................................................... 154 Table 5.8.2: Authentication Methods Lookup Definition – Request Body............... 154 Table 5.8.3: Authentication Methods Lookup Definition – Response Body ............ 155 Table 5.8.4: Authentication Methods Lookup Definition – HTTP Status Codes ..... 156 Table 5.8.5: Authenticate Definition – HTTP Verb, Path and Parameters.............. 156 Table 5.8.6: Authenticate Definition – Request Body ............................................ 156 Table 5.8.7: Authenticate Definition – Response Body.......................................... 158 Table 5.8.8: Authenticate Definition – Response Headers .................................... 158 Table 5.8.9: Authenticate Definition – HTTP Status Codes ................................... 159 Table 5.9.1: Public Key Retrieval Definition – HTTP Verb, Path and Parameters .. 160 Table 5.9.2: Public Key Retrieval Definition – Response Body .............................. 160 Table 5.9.3: Public Key Retrieval Definition – HTTP Status Codes ....................... 161 Table 5.10.1: Latest Compliance Resources Retrieval Definition – HTTP Verb, Path and Parameters......................................................................................... 161 Table 5.10.2: Latest Compliance Resources Retrieval Definition – Request Body 161 Table 5.10.3: Latest Compliance Resources Retrieval Definition – Response Body162 Table 5.10.4: Latest Compliance Resources Retrieval Definition – HTTP Status Codes 163 Table 5.11.1: DPA Registration Definition – HTTP Verb, Path and Parameters .... 163 Table 5.11.2: DPA Registration Definition – Request Body ................................... 163 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page xiii / xiii Table 5.11.3: DPA Registration Definition – Response Body ................................ 164 Table 5.11.4: DPA Registration Definition – HTTP Status Codes .......................... 164 Table 6.1: Standard HTTP Status Codes .............................................................. 166 Table 6.2.1: Card Update Event Notification Definition – HTTP Verb, Path and Parameters ........................................................................................................... 167 Table 6.2.2: Card Update Event Notification Definition – Request Body................ 167 Table 6.2.3: Card Update Event Notification Definition – HTTP Status Codes....... 167 Table 6.3.1: Identity Validation Completion Event Notification Definition – HTTP Verb, Path and Parameters .................................................................................. 168 Table 6.3.2: Identity Validation Completion Event Notification Definition – Request Body 168 Table 6.3.3: Identity Validation Completion Event Notification Definition – HTTP Status Codes................................................................................................. 168 Table 6.4.1: Authentication Event Notification Definition – HTTP Verb, Path and Parameters ........................................................................................................... 169 Table 6.4.2: Authentication Event Notification Definition – Request Body ............. 169 Table 6.4.3: Authentication Event Notification Definition – HTTP Status Codes .... 170 Table 6.5.1: Payment Notification Definition – HTTP Verb, Path and Parameters . 170 Table 6.5.2: Payment Notification Definition – Request Body................................ 170 Table 6.5.3: Payment Notification Definition – HTTP Status Codes....................... 171 Table A.1.1: SRC API Usage for QR Code Payload.............................................. 174 Table A.1.2: SRC API Usage for Bill Number ........................................................ 174 Table A.1.3: SRC API Usage for Mobile Number .................................................. 175 Table A.1.4: SRC API Usage for Store Label ........................................................ 175 Table A.1.5: SRC API Usage for Loyalty Number ................................................. 175 Table A.1.6: SRC API Usage for Reference Label ................................................ 176 Table A.1.7: SRC API Usage for Customer Label ................................................. 176 Table A.1.8: SRC API Usage for Terminal Label................................................... 177 Table A.1.9: SRC API Usage for Purpose of Transaction...................................... 177 Table A.1.10: SRC API Usage for Email ............................................................... 177 Table A.1.11: SRC API Usage for Phone Number ................................................ 178 Table A.1.12: SRC API Usage for Address ........................................................... 178 Table A.1.13: SRC API Usage for Tip ................................................................... 179 Table A.1.14: SRC API Usage for Convenience Fee ............................................ 179 Table A.1.15: SRC API Usage for Sub Total ......................................................... 180 Table A.2.1: 3DS Input Data ................................................................................. 180 Table A.2.2: 3DS Output Data............................................................................... 181 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 1 / 185 1 Introduction Secure Remote Commerce (SRC) is an evolution of remote commerce that provides for secure and interoperable card acceptance established through a standard specification. This document, the EMV® Secure Remote Commerce Specification – API, (hereafter the “SRC API Specification”), contains server-based APIs which can be used to securely build interfaces between SRC Systems and SRC System Participants. It is intended to be used in conjunction with the SRC Specifications (see Section 1.4.2 Published EMVCo Documents). 1.1 Scope The SRC API Specification describes APIs to be used for the transmission of data between SRC Systems and SRC System Participants. These APIs are based on the following assumptions: • The server-based APIs provide a toolkit for SRC System Participants • They are not intended to provide context for all scenarios or use cases, and individual SRC Systems are responsible for creating implementation instructions for their SRC System Participants • They do not preclude an SRC System from providing additional technical components to support their implementations • The EMV SRC API specification offers levels of optionality for implementers of the specifications to add security layers based on the SRC solution provider’s own security requirements and risk controls 1.2 Constraints The SRC API Specification is designed to work within the constraints described in the SRC Core Specification. In particular, the SRC API Specification or any implementation of the SRC API Specification is not intended to replace or interfere with any international, regional, national or local laws and regulations; those governing requirements supersede any industry standards. 1.3 Audience This document is intended for use by SRC Systems and SRC System Participants. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 2 / 185 1.4 References The latest version of any reference, including all published amendments, shall apply unless a publication date is explicitly stated. 1.4.1 Normative References The standards in Table 1.1 may be associated with the SRC API Specification. All ISO specifications can be found at https://www.iso.org/store.html. Reference Table 1.1: Normative References Publication Name ISO 639 Language Codes — ISO 639 ISO 3166 Country Codes — ISO 3166 ISO 4217 Currency Codes — ISO 4217 ISO/IEC 7812 Identification cards — Identification of issuers ISO 8583 Interchange Message Specifications — ISO 8583 ISO 15118 ISO 15118-2 Road vehicles — Vehicle-to-Grid Communication Interface — Part 2: Network and application protocol requirements ISO 15118-20 Road vehicles — Vehicle-to-Grid Communication Interface — Part 20: 2nd generation network layer and application layer requirements OCPI Open Charge Point Interface (located at https://evroaming.org/ocpi/) RFC 3339 Date and Time on the Internet (https://tools.ietf.org/html/rfc3339) RFC 3447 Public-Key Cryptography Standards (https://tools.ietf.org/html/rfc3447) RFC 5322 Internet Message Format (https://tools.ietf.org/html/rfc5322) RFC 7515 JSON Web Signature (https://tools.ietf.org/html/rfc7515) RFC 7516 JSON Web Encryption (https://tools.ietf.org/html/rfc7516) RFC 7517 JSON Web Key (https://tools.ietf.org/html/rfc7517) © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 3 / 185 Reference Publication Name RFC 7518 JSON Web Algorithms (https://tools.ietf.org/html/rfc7518) RFC 7519 JSON Web Token (https://tools.ietf.org/html/rfc7519) RFC 8176 Authentication Method Reference Values (https://tools.ietf.org/html/rfc8176) 1.4.2 Published EMVCo Documents The documents in Table 1.2 are related to or are associated with SRC and are located at www.emvco.com. Reference Table 1.2: EMVCo References Publication Name EMV 3-D Secure Specification EMV® 3-D Secure – Protocol and Core Functions Specification Merchant-Presented EMV® QR Code Specification for Payment Systems (EMV QRCPS) Mode – Merchant-Presented Mode Payment Tokenisation EMV® Payment Tokenisation Specification – Technical Framework SRC Core Specification EMV® Secure Remote Commerce Specification SRC Reproduction Requirements EMV® Secure Remote Commerce (SRC): Click to Pay Icon Reproduction Requirements SRC UI Guidelines and Requirements EMV® Secure Remote Commerce Specification – User Interface Guidelines and Requirements SRC JavaScript SDK EMV® Secure Remote Commerce Specification – JavaScript SDK SRC Version Management EMV® Secure Remote Commerce Version Management for SRC API and SRC JavaScript SDK Specifications SRC Use Cases EMV® Secure Remote Commerce Use Cases SRC CX Guidelines EMV® Secure Remote Commerce – Click to Pay Customer Experience (CX) Guidelines © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 4 / 185 Collectively, the term SRC Specifications refers to: • SRC Core Specification • SRC Reproduction Requirements • SRC UI Guidelines and Requirements • SRC API (this document) • SRC JavaScript SDK • SRC Version Management 1.5 Definitions For the definition of the terms used in the SRC API Specification, refer to Table 1.3: Definitions in the SRC Core Specification. For definitions of data elements refer to Section 2 Data Dictionary. 1.6 Notational Conventions 1.6.1 Abbreviations For the definition of the abbreviations used in the SRC API Specification, refer to Section 1.9.1 Abbreviations in the SRC Core Specification. 1.6.2 Terminology and Conventions For the definition of the terminology and conventions used in the SRC API Specification, refer to Section 1.9.2 Terminology and Conventions in the SRC Core Specification. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 5 / 185 2 Data Dictionary 2.1 Complex Data Objects Table 2.1 to Table 2.54 introduce the common data objects used across the APIs defined in the SRC API Specification. Each table defines a single data object. The column headed R/C/O in each table refers to whether the data element is required, conditional or optional. The following notation is used: • R = Required – always present • C = Conditional – present under certain conditions (as specified in the description) • O = Optional – can be present 2.1.1 AcceptanceChannelData Table 2.1: AcceptanceChannelData Data Element consumerData Type: JSONObject sellerData Type: JSONObject R/C/O Constraints C Acceptance channel specific C Acceptance channel specific Description Consumer supplied data, either manually entered (or supplied by other means, e.g. voice, camera etc.) or previously stored Conditionality: At least one of consumerData or sellerData is required Seller supplied data supplied over the acceptance channel technology, or other means Conditionality: At least one of consumerData or sellerData is required © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 6 / 185 2.1.2 AcceptanceChannelRelatedData Table 2.2: AcceptanceChannelRelatedData Data Element R/C/O Constraints Description acceptanceChannelType Type: AcceptanceChannelType R See Type of acceptance channel AcceptanceChan nelType acceptanceChannelTechnol ogy Type: AcceptanceChannelTechnolog y O See Technology used to AcceptanceChan transmit/receive the nelTechnology acceptance channel data acceptanceChannelData Type: AcceptanceChannelData R See Acceptance channel data AcceptanceChan nelData 2.1.3 AccountReference Table 2.3: AccountReference Data Element srcDigitalCardId Type: String consumerIdentity Type: ConsumerIdentity R/C/O Constraints Description C Max Length = 36 Reference identifier to the Digital Card representing the PAN or Payment Token Conditionality: Required when consumerIdentity is not present C See Primary verifiable ConsumerIdentity Consumer Identity within an SRC Profile (e.g. an email address or a mobile phone number) Conditionality: Required when srcDigitalCardId is not present © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 7 / 185 2.1.4 AdditionalAmount Table 2.4: AdditionalAmount Data Element additionalAmountType Type: AdditionalAmountType additionalAmountValue Type: String R/C/O Constraints Description R See Type of additional amount AdditionalAmount Type R Value of the additional amount 2.1.5 AdditionalSource Table 2.5: AdditionalSource Data Element additionalSourceId Type: String R/C/O Constraints Description C Max Length = 255 Additional source identifier associated with an SRC System specific configuration Conditionality: Either additionalSourceID or uriData must be present © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 8 / 185 uriData Type: UriData displayName Type: String artUri Type: String artHeight Type: String (Numeric) artWidth Type: String (Numeric) 2.1.6 Address Data Element addressId Type: String C See UriData URI associated with the additional source that the SRC Initiator may use to trigger consent flows. Response to the flow may be provided asynchronously using a cross origin post message between the windows (i.e. the caller and the SRC System). Response must be either: • CHANGE_CARD • CANCEL Conditionality: Either uriData or additionalSourceID must be present R Max Length = 255 Presentation text created by the SRC System to enable Consumer consent flows O Max Length = 1024 URI that hosts the image to be used for presentation purposes O Height of the image in pixels O Width of the image in pixels Table 2.6: Address R/C/O Constraints O UUID Description Reference identifier of the address © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 9 / 185 Data Element name Type: String line1 Type: String line2 Type: String line3 Type: String city Type: String R/C/O Constraints Description O Max Length = 100 Name of the Consumer C Max Length = 75 Address line 1 Conditionality: Required when used with the DPA Registration operation in the Management Service APIs O Max Length = 75 Address line 2 O Max Length = 75 Address line 3 C Max Length = 50 Address city Conditionality: When used with the DPA Registration operation in the Management Service APIs at least one of the following is required: • both city and state • zip © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 10 / 185 Data Element state Type: String zip Type: String countryCode Type: String deliveryContactDetails Type: DeliveryContactDetails R/C/O Constraints Description C Max Length = 30 Address state Recommendation to support ISO 3166-2 format i.e. made up of ISO 3166-1 alpha 2 country code, followed by an alphanumeric string of 3 characters representing the state or sub-division Conditionality: When used with the DPA Registration operation in the Management Service APIs at least one of the following is required: • both city and state • zip C Max Length = 16 Address zip/postal code Conditionality: When used with the DPA Registration operation in the Management Service APIs at least one of the following is required: • both city and state • zip C ISO 3166-1 Address country code alpha-2 country code Conditionality: Required when used with the DPA Registration operation in the Management Service APIs O See Delivery contact details DeliveryContactD etails © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 11 / 185 Data Element createTime Type: String (Numeric) lastUsedTime Type: String (Numeric) R/C/O Constraints Description O UTC time in Unix Date and time the address epoch format was created O UTC time in Unix Date and time the address epoch format was last used 2.1.7 AppInstance Data Element userAgent Type: String applicationName Type: String countryCode Type: String deviceData Type: DeviceData Table 2.7: AppInstance R/C/O Constraints Description C N/A User agent string of the connecting client application Conditionality: • Required for browsers • Optional for non- browsers O Max Length = 255 Name of the connecting client application O ISO 3166-1 The country where the alpha-2 country Consumer is accessing the code service from O See DeviceData Device specific data 2.1.8 AssuranceData Table 2.8: AssuranceData Data Element verificationData Type: List R/C/O Constraints R See VerificationData Description Set of verification data structures relating to different types of assurance © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 12 / 185 Data Element eci Type: String cardVerificationEntity Type: String (Numeric) DEPRECATED cardVerificationMethod Type: String (Numeric) DEPRECATED R/C/O Constraints O Max Length = 2 O Length = 2 O Length = 2 Description Payment System-specific value to indicate the results of the attempt to authenticate the Cardholder and whether this resulted in an authenticated payload Entity performing card verification. Valid values are: • 01 SRC Initiator • 02 SRC System • 03 SRCPI • 04 DCF • 05 DPA • 06 - 99 Others Card verification check to validate that the PAN is active and valid at the Card Issuer. Valid values are: • 01 $0 authorisation, or single unit of currency authorisation • 02 Card Verification Number validation • 03 Postal code and address verification, where supported • 04 - 20 EMVCo future use • 21 - 99 SRC System specific © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 13 / 185 Data Element R/C/O Constraints Description cardVerificationResults Type: String (Numeric) DEPRECATED O Length = 2 Verification status of the PAN. Valid values are: • 01 Verified • 02 Not Verified • 03 Not performed • 04 - 20 EMVCo future use • 21 - 99 SRC System specific cardVerificationTimestamp Type: String (Numeric) DEPRECATED O UTC time in Unix Date and time when the epoch format card verification was conducted cardAssuranceData O Type: String DEPRECATED Data collected that is associated with the PAN and presented to the SRC System cardholderAuthenticationEnt O Max Length = 64 Entity performing ity Cardholder authentication Type: String DEPRECATED © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 14 / 185 Data Element R/C/O Constraints Description cardholderAuthenticationMe thod Type: String (Numeric) DEPRECATED O Length = 2 Card Issuer verification of the Cardholder. Valid values are: • 01 Use of a 3-D Secure ACS • 02 Mobile banking verification of the Cardholder with an authentication code • 03 Federated login systems • 04 A shared secret between the Card Issuer and the Cardholder such as One Time Passcode (OTP), activation code • 05 - 20 EMVCo future use • 21 - 99 SRC System specific cardholderAuthenticationRe sults Type: String (Numeric) DEPRECATED O Length = 2 Indicates whether the Cardholder was verified or not, and what the results are when verified. • 01 Verified • 02 Not Verified • 03 Not performed • 04 - 20 EMVCo future use • 21 - 99 SRC System specific cardholderAuthenticationTi mestamp Type: String (Numeric) DEPRECATED O UTC time in Unix Date and time when the epoch format Cardholder authentication was conducted © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 15 / 185 Data Element R/C/O Constraints Description cardholderAssuranceData O Type: String DEPRECATED Data collected that is associated with the Cardholder and presented to the SRC System consumerVerificationEntity Type: String DEPRECATED O Max Length = 64 Entity performing Consumer verification consumerVerificationMethod O Length = 2 Type: String (Numeric) DEPRECATED The verification method used to verify Consumer credential. Valid values are: • 01 Static Passcode • 02 SMS One Time Passcode (OTP) • 03 Keyfob or EMV cardreader One Time Passcode (OTP) • 04 Application One Time Passcode (OTP) • 05 One Time Passcode (OTP) Other • 06 Knowledge Based Authentication (KBA) • 07 Out of Band Biometrics • 08 Out of Band Login • 09 Out of Band Other • 10 Risk-Based • 11 Other • 12 - 99 EMVCo future use © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 16 / 185 Data Element R/C/O Constraints Description consumerVerificationResult s Type: String (Numeric) DEPRECATED O Length = 2 Indicates whether the Consumer was verified or not, and what the results are when verified. Valid values are: • 01 Verified • 02 Not Verified • 03 Not performed • 04 - 20 EMVCo future use • 21 - 99 SRC System specific consumerVerificationTimest amp Type: String (Numeric) DEPRECATED O UTC time in Unix Date and time when the epoch format Consumer verification was conducted consumerAssuranceData O Type: String DEPRECATED Data collected that is associated with the Consumer for assurance purposes deviceVerificationEntity Type: String (Numeric) DEPRECATED O Length = 2 Entity performing device verification. The valid values are: • 01 SRC Initiator • 02 SRC System • 03 SRCPI • 04 DCF • 05 DPA • 06 - 99 Others © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 17 / 185 Data Element deviceVerificationMethod Type: String (Numeric) DEPRECATED deviceVerificationResults Type: String (Numeric) DEPRECATED deviceVerificationTimestam p Type: String (Numeric) DEPRECATED deviceAssuranceData Type: String DEPRECATED R/C/O Constraints O Length = 2 O Length = 2 O UTC time in Unix epoch format O Description Verification method used to verify Consumer Device information. Valid values are: • 01 - 20 EMVCo future use • 21 - 99 SRC System specific Indicates whether the device was verified or not, and what the results are when verified. Valid values are: • 01 Verified • 02 Not Verified • 03 Not performed • 04 - 20 EMVCo future use • 21 - 99 SRC System specific Date and time when the device verification was conducted Data collected that is associated with the device for assurance purposes © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 18 / 185 Data Element R/C/O Constraints Description relationshipVerificationEntit y Type: String (Numeric) DEPRECATED O Length = 2 Entity performing relationship verification of a combination of data. The valid values are: • 01 SRC Initiator • 02 SRC System • 03 SRCPI • 04 DCF • 05 DPA • 06 - 99 Others relationshipVerificationMeth od Type: String (Numeric) DEPRECATED O Max Length = 2 Verification method used to verify information associated with the relationship relationshipVerificationResu lts Type: String (Numeric) DEPRECATED O Max Length = 2 Results of the verification of the relationship of a combination of data relationshipVerificationTime stamp Type: String (Numeric) DEPRECATED O UTC time in Unix Date and time when the epoch format relationship verification was conducted relationshipAssuranceData O Type: String DEPRECATED Data collected that is associated with the binding relationship for assurance purposes © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 19 / 185 2.1.9 AuthenticationContext DEPRECATED Table 2.9: AuthenticationContext DEPRECATED Data Element R/C/O Constraints Description authenticationReasons Type: List DEPRECATED R See AuthenticationRe ason srcDpaId Type: String DEPRECATED dpaData Type: DpaData DEPRECATED C Max length = 255 Conditionality: When authenticationReason s contains TRANSACTION_AUTHENT C ICATION exactly one of srcDpaId or dpaData must be provided dpaTransactionOptions Type: DpaTransactionOptions DEPRECATED C See Conditionality: Required DpaTransactionO when ptions authenticationReason s contains TRANSACTION_AUTHENT ICATION. In this case, dpaTransactionOption s must contain the same data that is supplied in Checkout acquirerMerchantId Type: String DEPRECATED O Max Length = 35 Acquirer-assigned Merchant identifier acquirerBIN Type: String DEPRECATED O Max Length = 11 Acquirer BIN merchantName O Type: String DEPRECATED Merchant name assigned by the Acquirer or Payment System © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 20 / 185 2.1.10 AuthenticationMethod Table 2.10: AuthenticationMethod Data Element authenticationMethodType Type: AuthenticationMethodType authenticationSubject Type: AuthenticationSubject uriData Type: UriData R/C/O Constraints Description R See AuthenticationMet hodType R See AuthenticationSu bject O See UriData URI associated with the authentication method (only valid in the Authentication Method Lookup and Identity Lookup responses) When authentication is invoked by launching the URI then AssuranceData, AuthenticationStatus, AuthenticationResult and any relevant session ids should be provided back asynchronously when authentication completes. It can be achieved by cross origin post message between the windows i.e. the caller and the authenticator. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 21 / 185 Data Element R/C/O Constraints Description authenticationCredentialRef erence Type: String O Max Length = 255 May be provided by the identity provider once an authentication is initiated to qualify the nature of the authentication method (e.g. for SMS_OTP, this may include the masked mobile number "***-***-1234", which can be displayed to the Consumer to aid method selection) methodAttributes O Type: JSONObject Attributes associated with the authenticationMethod Type (see Section 2.2.1 Authentication Facilitation) 2.1.11 AuthenticationPreferences Table 2.11: AuthenticationPreferences Data Element authenticationMethods Type: List supressChallenge Type: Boolean payloadRequested Type: PayloadRequested R/C/O Constraints Description O See The list of authentication AuthenticationMet methods and associated hod parameters is populated by the SRCI: • in its preferred order; or • as instructed by the SRC System O SRCI preference to indicate challenge suppression O See Indicates whether the SRCI PayloadRequeste or Merchant prefers an d authenticated or non- authenticated payload © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 22 / 185 Note: SRC System authentication decisions may override any SRCI preferences 2.1.12 BusinessIdentification Table 2.12: BusinessIdentification Data Element businessIdentificationType Type: String businessIdentificationValue Type: String acquirerMerchantId Type: String R/C/O Constraints C Max Length = 50 C Max Length = 30 O Max Length = 35 Description Conditionality: Required when acquirerMerchantId is not present or when businessIdenfication Value is present Conditionality: Required when acquirerMerchantId is not present or when businessIdentificati onType is present Acquirer-assigned merchant identifier 2.1.13 Card Data Element primaryAccountNumber Type: String (Numeric) Table 2.13: Card R/C/O Constraints R Min Length = 9 Max Length = 19 Description Primary Account Number. A variable length, ISO/IEC 7812-compliant account number that is generated within account ranges associated with a BIN by a Card Issuer © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Secure Remote Commerce Specification – API v1.5 Page 23 / 185 Data Element panExpirationMonth Type: String (Numeric) panExpirationYear Type: String (Numeric) cardSecurityCode Type: String (Numeric) cardholderFullName Type: String cardholderFirstName Type: String cardholderLastName Type: String billingAddress Type: Address paymentAccountReference Type: String R/C/O Constraints C Length = 2 C Length = 4 O Length = 3 or 4 Description Expiration month expressed as a two-digit month (MM) Conditionality: Required when specified for the Card (PAN) Expiration year expressed as a four-digit calendar year (YYYY) Conditionality: Required when specified for the Card (PAN) Card security code O Max Length = 100 Cardholder name O Max Length = 50 Cardholder first name O Max Length = 50 Cardholder last name O See Address Billing address O Max Length = 29 A non-financial reference assigned to each unique PAN and used to link a payment