EMVCo is getting formal about tokenization.
The chip card standards body, which manages the Europay/MasterCard/Visa (EMV) payment technology standard, this week officially updated its tokenization specification to include the new Payment Account Reference (PAR) data element. In keeping with the formalized specification, token service providers (TSPs)—at present, payment card networks—will generate these PARs, with the data field of each PAR consisting of 29 upper-case alpha-numeric characters. The first four characters will essentially identify the card issuer, and the remaining 25 will assign a unique value to the underlying payment account number (PAN). PAR data must be included in payment-token response messages; its incorporation into authorization, clearing, and chargeback messages is optional.
According to EMVCo, the presence of PAR fulfills “a fundamental need” to link together PAN- and token-based transactions. Moreover, PAR is seen as enabling the industry to move away from dependence on the PAN as the primary linkage, as it reduces the exposure of PANs to hackers by matching tokens connected with the underlying PAN of a credit or debit card. PAR data cannot, a statement from EMVCo stipulates, be reverse-engineered to reveal the PAN or EMV payment token, nor can it be used on its own to initiate transactions—such as authorization, capture, clearing, or chargeback. Parties that use PAR data are required to safeguard it in accordance with national, regional, or local laws and regulations.
Beyond the above-mentioned basics, EMVCo perceives PAR as bringing to the table a multitude of benefits. In a statement issued when the update to the tokenization specification was announced, EMVCo Executive Committee Chair Mike Matan noted that while tokenization enhances digital payment security by “limiting the risks associated with the compromise or unauthorized use of PANs,” the standards body wants to do more than that. “We want to ensure the payment acceptance community can continue to deliver associated payment processing and value-added services…currently enabled by PAN. PAR addresses this by enabling all payment transactions—regardless of how they are initiated—to be processed in a consistent manner.”
Elsewhere in the statement, EMVCo directors observed that the use of PAR allows for a consolidated view of transactions on payment accounts—a view that is needed for security and regulatory purposes, such as risk analysis and anti-money laundering measures. “It is also important for value-added services, as these often leverage historical transactional data to derive analytics and measurements to support customer programs such as loyalty,” the statement reads.
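As an added illustration (not EMVCo code or part of the original article), the sketch below checks a PAR against the format described above, 29 upper-case alphanumeric characters split into a 4-character prefix and a 25-character value, and then groups card and token transactions by PAR instead of PAN. The record fields, function names, and PAR values are constructed for the example.

```python
import re
from collections import defaultdict

# Format as described in the article: 29 upper-case alphanumeric characters,
# a 4-character prefix followed by a 25-character unique value.
PAR_RE = re.compile(r"[A-Z0-9]{29}")


def parse_par(value):
    """Return (prefix, unique_value), or raise ValueError if malformed."""
    if not isinstance(value, str) or not PAR_RE.fullmatch(value):
        raise ValueError("PAR must be 29 upper-case alphanumeric characters")
    return value[:4], value[4:]


def consolidate(records):
    """Group transaction ids by PAR; list records that cannot be linked."""
    by_par, unlinked = defaultdict(list), []
    for rec in records:
        try:
            parse_par(rec.get("par"))
        except ValueError:
            unlinked.append(rec["txn_id"])  # missing or malformed PAR
            continue
        by_par[rec["par"]].append(rec["txn_id"])
    return dict(by_par), unlinked


# Constructed sample data: PAR values and record fields are made up.
PAR_A = "Q1Z2" + "A" * 25
PAR_B = "Q1Z2" + "B" * 25
SAMPLE = [
    {"txn_id": "t1", "channel": "card", "par": PAR_A},
    {"txn_id": "t2", "channel": "token", "par": PAR_A},  # same account, tokenized
    {"txn_id": "t3", "channel": "token", "par": PAR_B},
    {"txn_id": "t4", "channel": "token", "par": PAR_A.lower()},  # wrong case
    {"txn_id": "t5", "channel": "card", "par": None},  # message carried no PAR
]

if __name__ == "__main__":
    grouped, unlinked = consolidate(SAMPLE)
    for par, txns in grouped.items():
        print(par[:4], par[4:], txns)
    print("unlinked:", unlinked)
```

Because the grouping key is the PAR, the consolidated view never needs the PAN or the token value to be stored alongside the transaction history.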
According to Digital Transactions, payment executives and security researchers agree that the PAR concept is sound, but believe its implementation could take years to complete and prove expensive for merchant acquirers to achieve. We have no quarrel with that, but feel PAR is a must-have in an increasingly complex and ever-changing data security landscape.