Merchants have complained that tokenization eliminates their ability to know who the customer is because the card number is no longer visible to them. In theory this issue was to be addressed by each acquirer, as acquirers can request the original card number from the network. However, relying on the acquirer to resolve the problem meant that each solution was unique to each acquirer. This places a burden on merchants, especially those that utilize multiple acquirers which is not uncommon.
Two years late, EMVCo has released a bulletin for review that standardizes this access mechanism as iderntified by bobsguide.com:
“Global technical body EMVCo has released a bulletin updating the EMV® Payment Tokenisation Specification – Technical Framework to provide the payment community with a global, consistent framework to implement ‘Payment Account Reference’ (PAR). To be used by merchants, acquirers and payment processors, PAR can enhance security by limiting references to a cardholder’s primary account number (PAN) in the payment ecosystem.
Payment tokenisation is the process of replacing a PAN with a unique payment token that may be restricted in its usage, for example, with a specific device, merchant, transaction type or channel. Traditional PAN-based payments will continue to be used alongside EMV Payment Tokens. The introduction of PAR, which does not contain financially sensitive data, enables the payment acceptance community to link a cardholder’s payment token with their PAN transactions without needing to use their underlying card account number. This allows for a consolidated view of transactions on a payment account. This is also needed for security and regulatory reasons, such as risk analysis and anti-money laundering. It is also important for value-added services, as these often leverage historical transactional data to derive analytics and measurements to support customer programmes such as loyalty.
Mike Matan, current Chair of the EMVCo Executive Committee, comments: “Payment tokenisation enhances the underlying security of digital payments by limiting the risks associated with the compromise or unauthorised use of PANs. As well as increasing security, we want to ensure the payment acceptance community can continue to deliver associated payment processing and value-added services which are currently enabled by PAN. PAR addresses this by enabling all payment transactions – regardless of how they are initiated – to be processed in a consistent manner.”
The presence of PAR fulfils a fundamental need to link PAN-based and token-based transactions together. PAR enables the industry to move away from dependence on the PAN as the primary linkage. PAR data cannot be reverse-engineered to reveal the PAN or EMV Payment Token and cannot be used on its own to initiate a transaction such as authorisation, capture, clearing or chargeback. Users of PAR data are required to protect PAR data in accordance with national, regional or local laws and regulations.
‘EMVCo recognises the need to continually adapt and advance the EMV payment infrastructure to support and promote user convenience without compromising security,’ adds Jack Pan, EMVCo Board of Managers Chair. ‘ Our work to establish a secure and scalable payment tokenisation ecosystem is no different. Since EMVCo launched its activity to focus on the development of a tokenisation specification, we have been working with industry stakeholders and EMVCo Associates to solicit feedback and determine appropriate updates to the framework, which will optimise the benefits of this technology. In addition to PAR, EMVCo has launched a Token Service Provider (TSP) Registration Process, to promote transparency and interoperability of TSP entities. We look forward to continuing our work with the industry to manage and evolve this payment technology further.’ ”
Note however that a few discussion points are missing from this article
First, it should be pointed out that EMVCo requires a subscription to gain access to Draft Specifications/Bulletins which costs $2,500 for a business. Merchants will need to be very motivated to participate in this review process.
The last statement made by Jack Pan is also worth considering. He states that “In addition to PAR, EMVCo has launched a Token Service Provider (TSP) Registration Process, to promote transparency and interoperability of TSP entities.” This is of dubious value given every network has already signed up a range of device manufacturers and partners to be Token Service Providers which suggests the networks have already established a TSP identification program. This EMVCo initiative was launched in November of last year and has exactly zero TSPs registered as of today and it is unclear why a TSP, that must pass certification with each payment network, would be inclined to register with EMVCo.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
Read the full story here