Great article in Digital Transactions that I missed in February
Quote “When a transaction is initiated with an EMV payment token, the functionality of these applications can be impacted since the full PAN may not be available to merchants, acquirers, and payment processors,” a recent EMVCo document says.
“All of a sudden, you lose visibility into your customers’ activity,” says payment-security analyst Julie Conroy, research director at Aite Group LLC, Boston. “The introduction of the PAR is really important to filling that gap.”
The current PAR spec calls for a 29-character value that could not be reverse-engineered to reveal the payment token or PAN. A PAR could only be used for completing transaction reversals, risk analysis, completing non-payment operations such as loyalty-program support, and complying with regulatory requirements such as anti-money-laundering rules, according to EMVCo.
PARs would be generated by token service providers—a role currently played in U.S. general-purpose card payments only by Visa, MasterCard, American Express, and Discover—but playing key supporting roles are acquirers, issuers, and processors.”
What does this mean? First, a short history.
When you swipe your card at the grocery store, the mag stripe data has 24 characters of your name and the primary account number (PAN) on it. EMV does NOTHING here: the same name and PAN go in the clear. It adds a digital signature from the chip on the card to form a signed cryptogram verifying that the PAN came from an issuer-approved card. Retailers are permitted to use the card number and name for the purposes of loyalty and marketing. Large retailers put hashed card numbers into a CRM database to track what you bought. They don’t know it’s you (PII), but they know card xxxxx bought Cheerios.
Tokenization impairs merchant CRM efforts, as tokens can be dynamic. Tokens also impair returns and chargebacks, hence retailers have been asking for a de-tokenization service, or at least a service that helps them create a persistent (anonymous) identifier to allow their existing facilities to function. In addition to these needs, holders of cards on file (COF) like Amazon, Apple and Google also need to de-tokenize, for example when Google Chrome performs an auto fill.
Tokens introduce significant new control points into payments (see blog), and enable much greater anonymity. Mobile has been the focus of bank token efforts, led by The Clearing House (TCH) and Chase (see Civil War Blog). There is a battle for defining how the Token Service Provider “control point” works, with Visa, MasterCard and Amex defining the standard in EMVCo, and TCH looking to build a proprietary approach that interoperates with the EMVCo spec. This new EMVCo PAR effort addresses significant retailer and mobile wallet provider concerns. It also helps networks maintain a consistent view of consumers regardless of their role in the TSP service.
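The CRM problem and the PAR fix described above, as an added Python example that is not from the original post or from EMVCo: a merchant profile store keyed on the hashed account number fragments one customer across every token, while keying on the PAR keeps one profile. The account numbers, tokens, PAR values and key are constructed, the example assumes the PAR arrives with both PAN and token transactions, and it uses a keyed HMAC where the post says "hashed".

```python
import hashlib
import hmac
from collections import defaultdict

CRM_KEY = b"constructed-demo-key"  # constructed; a real key lives in a KMS/HSM
PAR_LENGTH = 29                    # the spec quoted above: a 29-character value

# Constructed sample data: test PAN, made-up tokens, made-up PARs.
PAR_A = "DEMO" + "0" * 24 + "1"
PAR_B = "DEMO" + "0" * 24 + "2"
TXNS = [
    {"account": "4111111111111111", "par": PAR_A, "item": "Cheerios"},  # card swipe: PAN
    {"account": "4900000000000017", "par": PAR_A, "item": "milk"},      # phone wallet token
    {"account": "4900000000000025", "par": PAR_A, "item": "coffee"},    # watch wallet token
    {"account": "4900000000000033", "par": PAR_B, "item": "bread"},     # another customer
]


def hashed_account(account: str) -> str:
    """Keyed hash of whatever sits in the account field (PAN or token).

    HMAC rather than a bare hash is this example's choice: the PAN space is
    small enough that an unkeyed hash can be reversed by enumeration.
    """
    return hmac.new(CRM_KEY, account.encode(), hashlib.sha256).hexdigest()


def crm_key(txn: dict, use_par: bool) -> str:
    """Pick the customer key the CRM files this purchase under."""
    par = txn.get("par")
    if use_par and par:
        if len(par) != PAR_LENGTH:
            raise ValueError(f"PAR must be {PAR_LENGTH} characters, got {len(par)}")
        return "par:" + par
    return "acct:" + hashed_account(txn["account"])


def build_profiles(txns: list, use_par: bool) -> dict:
    """Group purchased items by customer key."""
    profiles = defaultdict(list)
    for txn in txns:
        profiles[crm_key(txn, use_par)].append(txn["item"])
    return dict(profiles)


if __name__ == "__main__":
    print(len(build_profiles(TXNS, use_par=False)), "profiles keyed on hashed account")
    print(len(build_profiles(TXNS, use_par=True)), "profiles keyed on PAR")
```
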
Per my Blog Authentication in Value Nets, Consumer Authentication is the linchpin service for: mobile, commerce, payments and advertising. Apple and Google have put security and authentication at the CENTER of the mobile platform (see blog). Every player in mobile wants to own the consumer authentication process, with Apple in the lead as the Consumer Champion (they don’t want your data, they make money on the hardware biz).
The PAR construct helps to separate the roles of:
- consumer auth and use (ex ApplePay)
- Merchant CRM
All with data access consistent with what participants have today. I can’t remember the last time a significant change was planned to ISO 8583.
Payment constructs/standards must satisfy the needs of multiple parties:
- Bank Issuer
While banks would prefer a single consumer token stored in mobile with only banks able to translate, this will not work at the point of sale. Consumers have entrusted both the merchant and wallets with their cards. Loyalty in payments is the next hot space, with much new work to be done in creating value.
Recalling the story above: retailers have great trouble “activating” and using the data that they have on consumer behavior, beyond setting the price on the shelf.