February 15, 2016
By Jim Daly
A new data element is getting a lot of discussion in merchant-acquiring and mobile-payments circles. It’s the so-called Payment Account Reference, or PAR, and it’s meant to associate all the payment tokens linked to a single credit or debit card primary account number, or PAN. But implementing PAR could be time-consuming and expensive.
Payments executives and researchers say PAR, or at least something like it, is needed to address a growing problem: tokens that can’t find the correct underlying PAN, thereby limiting the ability of merchants and acquirers to perform some important functions for which they need PANs. Think of a brood of ducklings separated from their hen and thus more vulnerable to predators.
EMVCo, the global standards body overseeing EMV chip card payments, is in charge of PAR development. EMVCo first floated its PAR proposal last May, and in January published a specification bulletin with numerous changes.
Payment tokens are stand-in numbers for PANs and are useless to fraudsters. They’re playing a greater role as chip cards take their place in U.S. card payments, and they’re a key part of the security fortifications for mobile payments used in such services as Apple Pay, Android Pay, and Samsung Pay. The payment card networks, which own EMVCo, all have tokenization initiatives under way.
Merchants and merchant acquirers often use full PANs for a number of pre- or post-authorization purposes, including returns and chargebacks, loyalty programs, and regulatory compliance. But in tokenized payment transactions, merchants and acquirers may not have access to a full PAN. And payment tokens associated with such a single PAN can multiply as the cardholder makes more transactions and uses multiple form factors, say a smart phone and plastic cards, associated with a single PAN.
“When a transaction is initiated with an EMV payment token, the functionality of these applications can be impacted since the full PAN may not be available to merchants, acquirers, and payment processors,” a recent EMVCo document says.
“All of a sudden, you lose visibility into your customers’ activity,” says payment-security analyst Julie Conroy, research director at Aite Group LLC, Boston. “The introduction of the PAR is really important to filling that gap.”
The current PAR spec calls for a 29-character value that could not be reverse-engineered to reveal the payment token or PAN. A PAR could only be used for completing transaction reversals, risk analysis, completing non-payment operations such as loyalty-program support, and complying with regulatory requirements such as anti-money-laundering rules, according to EMVCo.
PARs would be generated by token service providers—a role currently played in U.S. general-purpose card payments only by Visa, MasterCard, American Express, and Discover—but playing key supporting roles are acquirers, issuers, and processors.
Passing around a new data field, however, is something easier said than done. That has Conroy concluding that implementing PAR is “huge—a really big task if you think about all of the entities that are going to have to alter their authorization message.” Conroy estimates implementation could take 18 to 24 months.
Dave Fortney, executive vice president of product development and management at The Clearing House Payments Co. L.L.C., a bank-owned payments firm that operates one of the nation’s two automated clearing house switches, says The Clearing House strongly supports the PAR concept, but he too agrees it will take time to put into place. “Something this big probably will take many years to implement,” he says.
SPECIAL FEATURERead Digital Transactions Online