In September 2019, EMVCo published the White Paper on Payment Account Reference (PAR);
PAR is a new data element that is assigned to each unique PAN and used to link a payment account represented by that PAN to its affiliated payment tokens;
The purpose of PAR is to allow systems that need to uniquely identify a card or cardholder to do so without storing PANs or other sensitive data.
Point of View
The global digital payments market was valued at US$3,417.4 billion in 2018 and is expected to reach US$7,640 billion by 2024. Australia is aligned to this trend, with Australians making 33.5 million digital payments each day in 2017. This is a 62.6% increase from 2012, when 20.6 million digital payments were made per day. However, as growth in digital payments accelerates, so too does the level of fraud. In Australia, card-not-present (CNP) fraud is still the most prevalent type of card fraud, accounting for 85% of all fraud on Australian cards in 2018. EMV Payment Tokenisation (Payment Tokenisation) is seen as one element in the fraud prevention toolkit to reduce CNP Fraud. The key goal of Payment Tokenisation is to remove sensitive payment data from the payments system.
Payment Tokenisation replaces the cardholder’s 16-digit primary account number (PAN) with a unique EMV Payment Token. The Payment Token can be configured to be processed only in specific scenarios, such as on a specific device or at a nominated merchant. During a transaction, the Payment Token is passed to the Token Service Provider (TSP), which detokenises the Payment Token back to the PAN. The PAN is then passed to the Issuer for payment authorisation. In a Payment Tokenisation scenario, the payment network plays the role of the TSP.
In September 2017, EMVCo published its Payment Tokenisation Technical Framework (v2). In this report, a newly refined data element called the Payment Account Reference (PAR) was introduced. The PAR is designed to further enhance security in the payments system by limiting references to a cardholder’s Primary Account Number (PAN) during a transaction. The purpose of PAR is to allow systems that need to uniquely identify a card or cardholder to do so without storing PANs or other sensitive data.
The PAR is a fixed-length, 29-character uppercase alphanumeric data element. It comprises a 4-character BIN Controller identifier, followed by a unique 25-character value. This non-financial reference is assigned to each unique PAN and used to link a payment account represented by that PAN to its affiliated payment tokens. When a cardholder’s PAN is replaced with a Payment Token during a transaction, the PAR is designed to act as a mechanism to link the Payment Token to the PAN. This can be done without needing to know the cardholder’s underlying PAN. A single PAN may have multiple affiliated Payment Tokens to enable payments on multiple devices and across multiple merchants. Thus, the PAR has a one-to-one relationship with the PAN and a one-to-many relationship with the payment tokens.
Payment Tokenisation raises certain challenges for the payments acceptance community that need to be addressed.
The PAR fulfils a requirement to link PAN-based and Payment Token-based transactions together. It enables the payments system to move away from using the PAN to link the transaction to the customer. PAR will also play a crucial role within the merchant’s loyalty and rewards programs by acting as a link between multiple transactions performed on a single card. This will be done without using the PAN to identify cards, providing a viable alternative for merchants to store the PAR as opposed to a PAN.
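The following Python example is added for illustration and is not taken from EMVCo or from the original article. It checks the PAR format described above and links card, phone and wearable transactions on one account by PAR while discarding the PAN or Payment Token; the record layout, the `TST1` identifier and all sample values are constructed assumptions.

```python
import re
from collections import defaultdict

# Format from the article: 29 uppercase alphanumeric characters, made up of a
# 4-character BIN Controller identifier and a 25-character unique value.
PAR_RE = re.compile(r"[A-Z0-9]{29}")

def parse_par(par):
    """Return (bin_controller_id, unique_value); raise ValueError if malformed."""
    if not isinstance(par, str) or not PAR_RE.fullmatch(par):
        raise ValueError("PAR must be 29 uppercase alphanumeric characters")
    return par[:4], par[4:]

def link_by_par(records):
    """Group transactions by PAR without retaining the PAN or Payment Token.

    The record layout (txn_id, par, credential, form_factor, amount_cents) is
    an assumption of this example. Returns (linked, rejected_txn_ids).
    """
    linked, rejected = defaultdict(list), []
    for rec in records:
        try:
            parse_par(rec.get("par"))
        except ValueError:
            rejected.append(rec["txn_id"])  # no usable PAR: cannot be linked
            continue
        # Copy only non-sensitive fields; 'credential' is dropped on purpose.
        kept = ("txn_id", "form_factor", "amount_cents")
        linked[rec["par"]].append({k: rec[k] for k in kept})
    return dict(linked), rejected

def spend_per_par(linked):
    """Total spend in cents for each payment account, keyed by PAR."""
    return {par: sum(t["amount_cents"] for t in txns) for par, txns in linked.items()}

# Constructed sample data: "TST1" is not a real BIN Controller identifier.
PAR_A = "TST1" + "A" * 25
PAR_B = "TST1" + "B" * 25
SAMPLE = [
    {"txn_id": "t1", "par": PAR_A, "credential": "constructed-pan-1", "form_factor": "card", "amount_cents": 1250},
    {"txn_id": "t2", "par": PAR_A, "credential": "constructed-token-1", "form_factor": "phone", "amount_cents": 300},
    {"txn_id": "t3", "par": PAR_A, "credential": "constructed-token-2", "form_factor": "wearable", "amount_cents": 450},
    {"txn_id": "t4", "par": PAR_B, "credential": "constructed-pan-2", "form_factor": "card", "amount_cents": 999},
    {"txn_id": "t5", "par": PAR_A.lower(), "credential": "constructed-token-3", "form_factor": "phone", "amount_cents": 100},
    {"txn_id": "t6", "par": None, "credential": "constructed-pan-3", "form_factor": "card", "amount_cents": 200},
]

if __name__ == "__main__":
    linked, rejected = link_by_par(SAMPLE)
    print(spend_per_par(linked), rejected)
```

Records t5 and t6 are rejected rather than matched loosely, since a malformed or missing PAR gives no reliable link to an account.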
According to Mike Matan, chair of the EMVCo Executive Committee, “as well as increasing security, we want to ensure the payment acceptance community can continue to deliver associated payment processing and value-added services which are currently enabled by PAN. PAR addresses this by enabling all payment transactions – regardless of how they are initiated – to be processed in a consistent manner.”
The EMVCo White Paper on PAR was published in September 2019. The paper states it is the responsibility of the registered BIN Controllers to specify how PAR data is used in the payment system. BIN Controllers will also determine the governance of PAR and work with the appropriate entities to incorporate this information into the message specifications. The paper highlights the importance of having PAR data widely available within the payment system to ensure its effectiveness and broad adoption, for instance in PAN-based transactions where Payment Tokens have not yet been generated. This practice is considered to provide consistency across the payment system. It will also justify enhancements to business practices to leverage PAR as the link between the PAN and Payment Tokens.
There are a range of ways PAR data may be provided or used within a payment processing environment:
Populated as part of the authorisation response;
Passed from a payment device (i.e. physical card, mobile phone) to a payment terminal, if the device has been provisioned with the payment token and the PAR, and if the terminal supports PAR data;
Using a PAR inquiry service.
There are two key benefits offered by implementing PAR. These are as follows:
The PAR is designed to be unique across the global payments ecosystem. It cannot be reverse engineered to reveal the PAN or Payment Token.
PAR data cannot be used to initiate financial transactions such as authorisation, capture, clearing or chargeback.
Entities are able to link transaction activity across payment transactions without using the underlying PAN. This reduces PCI obligations in terms of storing sensitive data and also reduces the impact of compromised data in a security attack.
Increased customer visibility
PAR will provide a consolidated view of customer transaction activities that are performed across multiple form factors (cards, phones and wearables). This will benefit risk/fraud management systems that need to meet regulatory and anti-money laundering requirements.
Data analytics can be run using PAR which will assist with deriving measurements to support customer programs such as loyalty/rewards schemes.
In Australia, the PAR is currently not being configured as part of the physical card chip. The card issuing community in Australia is considering the timelines for implementing this step. However, the digital provisioning of cards into payment wallets does include the addition of the PAR onto the digital equivalent of the chip.
From a life cycle perspective, the PAR should be common across multiple ‘instances’ of a card as well as the different form factors. This includes instances such as when:
The original PAN is replaced by the card issuer with a new PAN (i.e. card reissuance due to expiration or lost/stolen cards). The reissuance of a new underlying PAN does not require new PAR data to be generated.
Card issuers may remap the PAR data to the new PAN, so all existing Payment Tokens are affiliated with the new underlying PAN.
The PAR could also be particularly useful in an open-loop transit use case. In the current scenario, transit merchants need to link tokenised PANs back to the cardholder’s primary account number to gather a range of information. For instance, to display journey information, correctly describe applied pricing and billing and provide the appropriate customer service for the underlying account. The use of PAR could help transit merchants identify customers at the PAN level where it would otherwise be unavailable. It would allow acquirers and merchants to track and manage accounts across multiple changing EMV payment tokens without relying on the PAN. Additionally, PAR would also enable a commuter to tap on with one form factor, such as their phone and tap off with another, such as a wearable and have the payment information consolidated to the one user.
The use of PAR with multi-network cards is an area that requires further consideration for the Australian market. When multi-network cards are used for a domestic transaction, a PAR is created by the payment scheme which owns the ISO-issued BIN, the international scheme. When the international schemes assign a PAR to a PAN, consideration needs to be given to how they inform the domestic scheme of the assigned PAR so the benefits of PAR can continue to be shared across the payments community.
The PAR was introduced to address some of the challenges with Payment Tokenisation by delivering a link between the customer and transactions processed on different underlying credentials. The PAR is not expected to fully replace the PAN for financial transactions. Additionally, the process of having PAR data available on every form factor, including physical cards, is still a work in progress and one that will take many years to work through the payments network. To promote widespread adoption of PAR, all payments participants will need to support the availability of PAR data across all channels. This will ensure the payments community can reliably shift from relying on the PAN to relying on PAR to link transactions performed across variable form factors.