EMVCo, the chip card standards body owned by the world’s largest payment card networks, on Tuesday formally updated its tokenization specification to include the new Payment Account Reference data element. The purpose of PAR is to match tokens to the underlying primary account number of a credit or debit card and thereby reduce the exposure of PANs to hackers.
Tokens, which replace PANs with strings of digits that are useless to data thieves, are multiplying on the U.S. payments landscape as token-using mobile-payment services and EMV chip cards take hold. An emerging problem with tokens, however, is that sometimes they can’t be matched with the underlying PAN. In addition, merchants and merchant acquirers traditionally have used PANs for functions such as chargeback processing, management of rewards and loyalty programs, risk control, and regulatory compliance. As tokenization advances, PAR is supposed to help make all that happen while keeping PANs out of sight. And cardholders will be unaware of PARs.
EMVCo floated its draft PAR proposal last May and published the first version of the data element in January. Based on input from payments-industry firms, the standards body over the winter made a number of additions and changes to what it calls PAR’s first edition.
“The introduction of PAR, which does not contain financially sensitive data, enables the payment-acceptance community to link a cardholder’s payment token with their PAN transactions without needing to use their underlying card account number,” EMVCo said in a statement. “This allows for a consolidated view of transactions on a payment account. This is also needed for security and regulatory reasons, such as risk analysis and anti-money laundering. It is also important for value-added services, as these often leverage historical transactional data to derive analytics and measurements to support customer programs such as loyalty.”
Under the tokenization spec, so-called token service providers (TSPs), a role currently filled by the payment card networks, generate PARs. A PAR data field consists of 29 upper-case alpha-numeric characters, with the first four essentially identifying the card issuer and the other 25 assigning a unique value to the underlying PAN. PAR data may be included in authorization and clearing and chargeback messages, according to EMVCo, and must be included in payment-token response messages.
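The PAR layout described above, and the "consolidated view" it is meant to give acceptors, can be sketched as follows. This is an added example, not code from EMVCo or the article; the transaction records, field names and PAR values are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout as described in the article: 29 upper-case alphanumeric characters,
# the first 4 identifying the issuer, the other 25 unique to the underlying PAN.
PAR_RE = re.compile(r"[A-Z0-9]{29}")


def parse_par(par):
    """Return (issuer_prefix, account_value), or raise ValueError if malformed."""
    # Reject rather than normalise: a lower-cased or padded value points to a
    # mapping fault upstream and should not be silently merged with real PARs.
    if not isinstance(par, str) or not PAR_RE.fullmatch(par):
        raise ValueError("PAR must be 29 upper-case alphanumeric characters")
    return par[:4], par[4:]


def consolidate(transactions):
    """Group transaction ids by PAR so token and PAN activity on one account
    line up without the PAN ever being stored. Returns (by_par, rejected_ids)."""
    by_par, rejected = defaultdict(list), []
    for txn in transactions:
        try:
            parse_par(txn.get("par"))
        except ValueError:
            rejected.append(txn["id"])
            continue
        by_par[txn["par"]].append(txn["id"])
    return dict(by_par), rejected


# Constructed sample values (not real PARs): 4-character prefix + 25 characters.
PAR_A = "TEST" + "A1B2C" * 5
PAR_B = "TEST" + "Z9Y8X" * 5

# Constructed records; "channel" and "par" are hypothetical field names.
SAMPLE = [
    {"id": "t1", "channel": "mobile-wallet token", "par": PAR_A},
    {"id": "t2", "channel": "chip card PAN", "par": PAR_A},
    {"id": "t3", "channel": "e-commerce token", "par": PAR_B},
    {"id": "t4", "channel": "e-commerce token", "par": PAR_A.lower()},
    {"id": "t5", "channel": "legacy, no PAR returned"},
]

if __name__ == "__main__":
    grouped, bad = consolidate(SAMPLE)
    for par, ids in grouped.items():
        print(parse_par(par)[0], par[4:], ids)
    print("rejected:", bad)
```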
Julie Conroy, research director at Boston-based Aite Group LLC, says the PAR concept is sound.
“Many merchants and processors and even third-party vendors [such as device fingerprint providers] had been relying on the PAN as a unique customer identifier that could help them analyze customer behavior across channels,” Conroy tells Digital Transactions News by email. “With the introduction of EMVCo tokenization, many of these analytic routines no longer worked, because instead of one static account number there were multiple tokens which the merchant/processor had no ability to correlate. The PAR will provide a new value that can be used for these analytics, but has no value to criminals, since it can’t initiate payment.”
Some payments executives, however, have predicted that implementing PAR could be time-consuming and expensive. Conroy says it will take some work, but it is doable.
“I don’t think including this detail in communications to merchants will be a big task, and it’s positive that the BIN [bank identification number] is still included, as a number of analytic routines do rely on the BIN,” she says. “However, any change to the auth message takes some time to implement, as it will require IT changes up and down the payment ecosystem.”
Conroy adds that a notable addition to the spec is a reference to the EMV chip. “While current EMVCo tokenization efforts have focused primarily on card-not-present transactions, card-present transactions are the next logical evolution. It’s great to see the spec actively contemplating that.”