The global technical body that facilitates the worldwide interoperability and acceptance of secure payment transactions has upgraded its specs.
In a press release yesterday (March 29), EMVCo — which is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa — announced that it has updated the EMV Payment Tokenization Specification – Technical Framework with the addition of a "Payment Account Reference" (PAR).
As described in the release, PAR — for use by merchants, acquirers and payment processors — can enhance security by limiting references to a cardholder’s primary account number (PAN) in the payment ecosystem.
EMVCo goes on to explain that the introduction of PAR, which does not contain financially sensitive data, enables the payment acceptance community to link a cardholder's payment token with their PAN transactions without needing to use their underlying card account number, thus allowing for a consolidated view of transactions on a payment account, as well as addressing security and regulatory concerns, such as risk analysis and anti-money laundering. Additionally, notes the release, PAR is useful in transactions involving value-added services, such as loyalty, as such programs often leverage historical transactional data to derive analytics surrounding them.
"Payment tokenization enhances the underlying security of digital payments by limiting the risks associated with the compromise or unauthorized use of PANs," commented Mike Matan, current chair of the EMVCo executive committee, in the release. "As well as increasing security, we want to ensure the payment acceptance community can continue to deliver associated payment processing and value-added services, which are currently enabled by PAN. PAR addresses this by enabling all payment transactions — regardless of how they are initiated — to be processed in a consistent manner."
PAR enables the industry to move away from dependence on the PAN as the primary linkage, the release continues, explaining that PAR data cannot be reverse-engineered to reveal the PAN or EMV payment token and cannot be used on its own to initiate a transaction.
"EMVCo recognizes the need to continually adapt and advance the EMV payment infrastructure to support and promote user convenience without compromising security," Jack Pan, EMVCo board of managers chair, also stated in the press release. “Our work to establish a secure and scalable payment tokenization ecosystem is no different. Since EMVCo launched its activity to focus on the development of a tokenization specification, we have been working with industry stakeholders and EMVCo associates to solicit feedback and determine appropriate updates to the framework, which will optimize the benefits of this technology. In addition to PAR, EMVCo has launched a Token Service Provider (TSP) Registration Process, to promote transparency and interoperability of TSP entities. We look forward to continuing our work with the industry to manage and evolve this payment technology further."