Let us begin with some basics. A token is a card-on-file value that can be used for subsequent transactions such as automatic refunds, monthly subscriptions or completing a partial order. The tokenization process in payment transactions replaces the primary account number (PAN) data with a substitute value. The use of this replacement value, or token, provides “more protection against fraud and account data compromise by removing the PAN from potentially vulnerable parts” of the payment environment.
Although tokenization has improved the payments ecosystem’s overall security, it has created some pain points. These challenges have impinged on products and services that depend on the PAN to identify a customer’s account (such as loyalty and rewards accounts) and on operational services associated with a payment transaction, including client care. As one example from the days before payment tokenization, it was customary to rely solely on the PAN to identify a customer’s loyalty account. The availability of this stored data, encrypted or not, still made it an attractive target for potential hackers and could lead to more extensive, and bountiful, data breaches.
Several years ago, EMVCo began introducing a new data element called the Payment Account Reference (PAR) to address these challenges. The PAR is a unique identifier, and a non-financial reference, associated with a specific cardholder PAN. This 29-character identifier can be used in place of sensitive consumer identification fields when they are transmitted across the payments networks. It would allow acquirers and merchants to track and manage accounts across multiple changing tokens without relying on a PAN.
It has also recently returned as a topic, as Network Associations and Acquirers have started making provisions to accommodate this change, turning it over to us, as middleware providers, to do our part to provide this functionality.
Since PAR’s introduction allows for transaction activity to be linked across the PAN and related payment tokens, using it to connect these related transactions provides two predominant benefits: a reduction in the risks associated with PAN storage and consistency in the execution of non-payment functions.
Since we know that one of PAR’s primary long-term benefits is helping the industry’s goal to limit PAN storage within the payment environments, let’s briefly look at some of the benefits resulting from its use.
As a non-financial attribute, PAR enables transaction activity associations across related payment transactions without using the PAN. It cannot be used to initiate a payment transaction, and removing PAN references from systems logically reduces risk and PCI DSS scope for merchants. There is little argument that, when PAN and PAR are compared as identifiers on risk, PAR inevitably comes out on top.
Visibility and Availability of Consolidated History: Systems that rely on transaction history and tracking can benefit from using PAR. It wouldn’t be an overstatement to point out that the ability to link related transactions to the customer’s PAN is likely to prove invaluable in client care services.
With PAR’s use, visibility would be extended to risk and fraud management systems across related payment token-based and PAN-based transaction activity. Better visibility and increased efficacy of such systems to identify fraud could lead to an overall reduction in fraud.
The PAR will persist through the PAN lifecycle changes. For instance, when a payment card is re-issued, the PAN is changed, so any system relying on the PAN as an identifier has to be updated. Granted, those in the industry have long been used to this by now, but using PAR as an identifier would do away with the need for these regular updates.
Opportunities: PAR’s introduction may offer opportunities to implement new, or enhance existing, loyalty or rewards programs and CRM systems. Better tracking inevitably supports improved account management.
PAR’s adoption affects numerous vital actors in the financial payments environments, including merchants and acquirers, as well as related services and systems providers. Let’s take a brief look at the impacts for the parties affected.
Acquirers: All acquirers would need to ensure this change is mapped out for their systems and supply specifications on the message format changes that we will accommodate. Updates to their environments would occur prior to the completion of our work with MCM.
Providers: Payment middleware providers, such as Tender Retail, will also be affected by the introduction of the PAR. Our software will need to be updated to accommodate the field and data addition and ensure that backward compatibility is maintained for systems that may not be ready for, or may be opposed to, PAR’s implementation.
Since PAR is a new data field that will be transmitted, our software will need to request, recognize, and parse the PAR data so that it may be interpreted and processed correctly. Providers of loyalty, CRM, or risk/fraud management services (internal to the merchant or supplied by a third party) who wish to implement and work with PAR data will be required to make changes to their systems.
Merchants: A merchant may opt to support PAR once all mechanisms involving systems and processes at the acquirer, gateway, and processor levels have been established. Tender Retail would ensure that our MCM middleware application is certified to support PAR in both the authorization request and the response messages of payment transactions. While additional analysis may be needed, updates to POS software and other back-office and customer support systems (such as those supporting loyalty programs) may also be required.
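To make the linking and parsing described above concrete, here is an added example (not Tender Retail's, an acquirer's, or EMVCo's code) of a merchant-side index that groups transactions by PAR across a PAN, a payment token and a re-issued PAN, while tolerating hosts that send no PAR. The field names `par`, `account`, `txn_id` and `amount` are hypothetical, and the uppercase-alphanumeric character set is an assumption; only the 29-character length comes from the text.

```python
import re
from collections import defaultdict

# Length 29 is from the article; the [A-Z0-9] character set is an assumption.
PAR_RE = re.compile(r"[A-Z0-9]{29}")

def parse_par(fields):
    """Return a validated PAR from a response field map, or None if absent.

    A missing PAR is not an error (backward compatibility with hosts that
    do not send it yet); a malformed one is rejected rather than stored.
    """
    raw = fields.get("par")  # hypothetical field name
    if not raw:
        return None
    if not PAR_RE.fullmatch(raw):
        raise ValueError("malformed PAR")
    return raw

class TransactionIndex:
    """Links transactions by PAR; the full PAN or token is never stored."""
    def __init__(self):
        self._by_par = defaultdict(list)
        self.unlinked = []  # transactions whose host sent no PAR

    def record(self, fields):
        par = parse_par(fields)
        entry = {"txn_id": fields["txn_id"], "amount": fields["amount"],
                 "last4": fields["account"][-4:]}  # keep last four digits only
        (self._by_par[par] if par else self.unlinked).append(entry)
        return par

    def history(self, par):
        return [e["txn_id"] for e in self._by_par.get(par, [])]

# Constructed sample data: one account seen as a PAN, as a payment token and
# as a re-issued PAN, plus one transaction from a host that sends no PAR.
SAMPLE_PAR = "Q1J4" + "A" * 25
SAMPLE = [
    {"txn_id": "T1", "amount": 1000, "account": "4111111111111111", "par": SAMPLE_PAR},
    {"txn_id": "T2", "amount": 2500, "account": "4895370012345678", "par": SAMPLE_PAR},
    {"txn_id": "T3", "amount": -1000, "account": "4111111111112222", "par": SAMPLE_PAR},
    {"txn_id": "T4", "amount": 700, "account": "5555555555554444"},
]

def build_index(responses=SAMPLE):
    index = TransactionIndex()
    for fields in responses:
        index.record(fields)
    return index
```

The refund `T3` resolves to the same history as the original sale `T1` even though the card was re-issued in between, and the index holds nothing that could initiate a payment.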
It is widely recognized that payment tokenization was introduced “to enhance the security of processing payments across card-present and card-not-present channels by reducing PAN exposure.” The evolution of the payments system has improved security exponentially, but until the inception of PAR, the challenges surrounding PAN use would persist long into the future.
When used within the scope as defined by EMVCo (which includes returns, chargebacks, fraud risk analysis, regulatory needs, and non-payment-related purposes), it is thought that widespread adoption will be incremental but eventually universal. PAR’s role in linking multiple payment tokens with a PAN will address many of the challenges faced today. In time, it’s expected to become part of all payment interactions once all impacted stakeholders, across all channels, have accounted for this change. We’re certainly doing our part to prepare.
There is still much to clarify, coordinate, and execute, followed by quite a bit of due diligence, as is customary with such an impactful change. We’ll be sure to provide more information as we continue to navigate and progress through the evolution of this change.