Static Account Numbers Get a Fresh Start in EMVCo Tokenization Standard

The attention around tokenization — replacing static account numbers with a one-time-use token — has been good for security but worrying for businesses that rely on a static identifier for future reference.

To address this concern, EMVCo has released specifications for a security measure that will help protect cardholders' personal account numbers while giving merchants more flexibility when they need to view or track consumer transactions.

The payment account reference (PAR) will essentially become the link to a payment token associated with a primary account number (PAN) when merchants are in need of an identifier for loyalty programs or recurring payments.

The payments industry has been waiting for EMVCo, the card network-based EMV standards governing body, to deliver a PAR specification to further eliminate any need to store PANs during the tokenization process, or rely on those PANs when delivering other services.

"It's really a great specification, because people were wondering for a long time if we were going to have a standard like this," said Avivah Litan, a vice president and distinguished analyst at Stamford, Conn.-based Gartner Inc.

However, Litan is quick to point out that it took the card brands that operate EMVCo too long to create this extra security measure.

"It's like a token gesture to merchants that has some teeth in it, but probably should have been done about 10 years ago," said Litan, referring to how long EMV has already been in place in other parts of the world. The liability shift for EMV took hold last October in the U.S.

The Payment Card Industry Security Standards Council has addressed the tokenization process with incremental updates, partly because of the growing number of service providers but also because it was expecting the PAR development from EMVCo.

The development of a PAR specification does not mean issuers will automatically make the standard available immediately, "but at least it is there now and available," Litan added.

Merchants will find a PAR especially useful for research and marketing programs, said Thad Peterson, senior analyst with Boston-based Aite Group.

"If it is a purely tokenized transaction, you can't identify the customer at all," Peterson said. "This really allows the merchant to understand what the customer is doing without putting that customer's private information at risk."

Merchants feel the development of a PAR "is perhaps well-intentioned" but may be a costly enhancement for many, said Liz Garner of the Merchant Advisory Group. "It will be interesting to see how many merchants and issuers embrace the program."

The MAG also has concerns that PAR is an "over-complicated solution to a poorly devised tokenization platform created by EMVCo," Garner said. "It would be a lot more efficient to employ multi-stakeholder input aimed at resolving problems with the initial EMVCo tokenization specs."

The unique payment token created in tokenization is often restricted to specific devices, merchants or transaction types, so traditional PAN-based payments will continue to be used alongside those EMV tokens, EMVCo stated in a March 29 press release. The PAR comes into play if a link to the customer is needed, and it also helps payments companies as a risk analysis or anti-money laundering tool, EMVCo said.

The new PAR contains no financial data, allowing merchants to link a cardholder's payment token with their PAN transactions without using the underlying account number.

"As well as increasing security, we want to ensure the payment acceptance community can continue to deliver associated payment processing and value-added services which are currently enabled by the PAN," said Mike Matan, current chair of the EMVCo executive committee, in the release.

"PAR addresses this by enabling all payment transactions – regardless of how they are initiated – to be processed in a consistent manner," Matan said of the global specification.

EMVCo, owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa, delivered the EMV payment tokenization specification and technical framework in March of 2014.

The new specification introduces PAR as an industry-aligned data structure, describes its use as a consistent value in tokenization and underlying PAN transactions, and outlines how acquirers, payment processors and merchants can link payment token transactions to those of an underlying PAN.
