Consumer Tokens

Great article in Digital Transactions that I missed in February

PAR – Consumer Tokens, February 2016

Quote “When a transaction is initiated with an EMV payment token, the functionality of these applications can be impacted since the full PAN may not be available to merchants, acquirers, and payment processors,” a recent EMVCo document says.

“All of a sudden, you lose visibility into your customers’ activity,” says payment-security analyst Julie Conroy, research director at Aite Group LLC, Boston. “The introduction of the PAR is really important to filling that gap.”

The current PAR spec calls for a 29-character value that could not be reverse-engineered to reveal the payment token or PAN. A PAR could only be used for completing transaction reversals, risk analysis, completing non-payment operations such as loyalty-program support, and complying with regulatory requirements such as anti-money-laundering rules, according to EMVCo.

PARs would be generated by token service providers—a role currently played in U.S. general-purpose card payments only by Visa, MasterCard, American Express, and Discover—but playing key supporting roles are acquirers, issuers, and processors.”

See EMVCo Token Presentation – Smart Card Alliance

PAR Principles

What does this mean? First, a short history.

When you swipe your card at the grocery store, the mag stripe data has 24 characters of your name and the primary account number (PAN) on it. EMV does NOTHING here: the same name and PAN go in the clear. It adds a digital signature from the chip on the card to form a signed cryptogram verifying that the PAN came from an issuer-approved card. Retailers are permitted to use the card number and name for the purposes of loyalty and marketing. Large retailers put hashed card numbers into a CRM database to track what you bought. They don’t know it’s you (PII), but they know card xxxxx bought Cheerios.

Tokenization impairs merchant CRM efforts, as tokens can be dynamic. Tokens also impair returns and chargebacks, hence retailers have been asking for a de-tokenization service, or at least a service that helps them create a persistent (anonymous) identifier to allow their existing facilities to function. In addition to these needs, holders of cards on file (COF) like Amazon, Apple and Google also need to de-tokenize, for example when Google Chrome performs an auto fill.

Tokens introduce significant new control points into payments (see blog), and enable much greater anonymity. Mobile has been the focus of bank token efforts, led by The Clearing House (TCH) and Chase (see Civil War Blog). There is a battle for defining how the Token Service Provider “control point” works, with Visa, MasterCard and Amex defining the standard in EMVCo, and TCH looking to build a proprietary approach that interoperates with the EMVCo spec. This new EMVCo PAR effort addresses significant retailer and mobile wallet provider concerns. It also helps networks maintain a consistent view of consumers regardless of their role in the TSP service.
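The effect on a merchant CRM, as an added example (not code from the article or from EMVCo): purchase history keyed on whatever arrives in the PAN field splits one shopper into a profile per device token, while keying on the PAR keeps it whole. The card numbers, tokens, PAR placeholders, `CRM_KEY`, `crm_id` and `build_profiles` are constructed for illustration, and it assumes the merchant receives a PAR with every transaction, plastic included.

```python
import hashlib
import hmac
from collections import defaultdict

# Merchant-held secret for the CRM pseudonym (constructed demo value).
CRM_KEY = b"constructed-demo-key"

def crm_id(account_ref: str) -> str:
    """Keyed pseudonym stored in the CRM instead of the raw value.
    HMAC, not a bare hash: card numbers are short and structured, so an
    unkeyed hash of one can be enumerated."""
    return hmac.new(CRM_KEY, account_ref.encode(), hashlib.sha256).hexdigest()[:16]

# Constructed 29-character PAR placeholders, one per underlying account.
PAR_A = "TEST" + "A" * 25
PAR_B = "TEST" + "B" * 25

# Constructed transactions. "account" is what arrives in the PAN field:
# the real PAN for plastic, a different payment token per wallet device.
TXNS = [
    {"account": "4111111111111111", "par": PAR_A, "item": "Cheerios"},  # plastic
    {"account": "4895370000000011", "par": PAR_A, "item": "milk"},      # phone token
    {"account": "4895370000000029", "par": PAR_A, "item": "coffee"},    # watch token
    {"account": "5555555555554444", "par": PAR_B, "item": "bread"},     # other shopper
]

def build_profiles(txns, field):
    """Group purchased items by the keyed pseudonym of `field`."""
    profiles = defaultdict(list)
    for txn in txns:
        profiles[crm_id(txn[field])].append(txn["item"])
    return dict(profiles)

if __name__ == "__main__":
    for field in ("account", "par"):
        profiles = build_profiles(TXNS, field)
        print(f"keyed on {field}: {len(profiles)} profiles")
        for pid, items in profiles.items():
            print(f"  {pid}  {items}")
```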

Per my blog Authentication in Value Nets, consumer authentication is the linchpin service for mobile, commerce, payments and advertising. Apple and Google have put security and authentication at the CENTER of the mobile platform (see blog). Every player in mobile wants to own the consumer authentication process, with Apple in the lead as the Consumer Champion (they don’t want your data; they make money on the hardware biz).

The PAR construct helps to separate the roles of:

  • Issuance/provisioning
  • Consumer auth and use (e.g. Apple Pay)
  • Merchant CRM

All with consistent data access to what participants have today. I can’t remember the last time a significant change was planned to ISO 8583.

Consumer Tokens

Payment constructs/standards must satisfy the needs of multiple parties:

  • Merchant
  • Consumer
  • Bank Issuer
  • Acquirer
  • Wallet

While banks would prefer a single consumer token stored in mobile with only banks able to translate, this will not work at the point of sale. Consumers have entrusted both the merchant and wallets with their cards. Loyalty in payments is the next hot space, with much new work to be done in creating value.

Recalling the story above: retailers have great trouble “activating” and using the data that they have on consumer behavior, beyond setting the price on the shelf.



One thought on “Consumer Tokens”

  1. Couple comments…
    It seems that EMVCo has positioned PAR to not be a ‘consumer token’. In theory and probably practice it does fill that function – but there are boundaries we all must draw on calling it a consumer identifier given implications of PII and meaning to PCI standards.
    Also, given PAR will most likely become a standard data element for transaction processing, the implications to PAR generation now would extend beyond the digital platforms of the networks to the Issuers. As magstripe will live on in some form or fashion, PAR needs to be part of that transaction flow as well, albeit in response data from the Issuer (as no TSP would be invoked for PAN transactions).
    While the value seems very black and white; perhaps you have some perspective on adoption. There have been a handful of significant players looking at alternatives as they view the investment to be too much cost? Do you see an alternative?
