The introduction of Payment Tokenisation has allowed the payment industry to operate with an increased level of security. By restricting Payment Tokens to a device or channel and making them decipherable only by a Token Service Provider (TSP), the references to a cardholder’s Primary Account Number (PAN) have been limited, thus rendering these pieces of information of little to no value to fraudsters.
The rise of mobile transactions with the likes of Android Pay and Apple Pay has also brought unanticipated complexities. Businesses have seen their ability to monitor consumer behaviour and provide extra services like loyalty schemes and couponing severely impaired as this has been largely based on linking transactions with the same PAN.
Payment Account Reference (PAR) is a new data element released by EMVCo to address some of the challenges Tokenisation has introduced to the payment ecosystem whilst maintaining the current level of security provided by tokens.
Published in January 2016, EMVCO specification bulletin 167 describes changes to the Payment Tokenisation specs, assigning EMV Tag 9F24 to PAR Data. This element is comprised of 29 alphanumeric characters - 4 representing a BIN Controller Identifier assigned by EMVCo and 25 representing a unique identifier which corresponds to a PAN. This enables merchants to recognise transactions issued with different payment tokens as belonging to the same PAN if they have a common PAR.
PAR Data is unique to a Primary Account Number (PAN) and all its associated Payment Tokens. However it’s not meant to be used as a consumer identifier (neither are PANs) so as to avoid being categorised as Personal Identifiable Information or Personal Data. Ultimately this will all depend on regional regulations and laws. On its own PAR cannot be used to start financial transactions, as the presence of a PAN or Payment Token will still be necessary, but it does allow for completing reversals of transactions, complying with regulatory requirements (i.e. money laundering regulations), performing risk analysis and supporting loyalty programs.
A clearer example of the benefits this could yield is to be found in transit systems with variable fares. The addition in recent years of ‘Touch In Touch Out’ functionality (which allows customers to be identified via their bank card) has been quickly adopted by commuters as an alternative to proprietary fare cards (e.g. Oyster on London Underground). With the use of PAR consumers would be able to enter using a card stored in Android/Apple Pay and exit using the card’s physical counterpart, therefore no longer resulting in unnecessary charges if the device runs out of battery half way through the trip.