EMV Payment Tokenization Specification – Technical Framework
EMVCo has published version two of its EMV Payment Tokenization Specification. The technical framework document – which can be downloaded here – addresses the adoption of payment token use cases in e-commerce beyond existing card-on-file and explores how payment tokens can be controlled within a single payments channel.
“EMVCo has been working closely with the payments community to develop the technical framework to create a common functional baseline for payment tokenization solutions to achieve worldwide interoperability,” Jack Pan, EMVCo Executive Committee Chair, stated in a September 8th press release.
“This latest version offers significant updates and use cases that reflect payment industry input to define how EMV payment tokens are generated, deployed and managed. The level of detail assists in establishing a stable payment environment and delivering a common set of tools to facilitate transaction security.”
Indeed, version 2.0 of the spec builds on the ecosystem established in version 1.0 by refining the EMV payment tokenization roles of token service provider (TSP) and token requestor; introducing the roles of the token program and token user; and detailing their interrelationships within the global payments environment. The document also describes the payment tokenization ecosystem, the key roles of participants, as well as expanded concepts supporting multiple use cases. This level of commonality and interoperability between solutions strives to promote innovation in implementation approaches – without impacting usability or security.
Additional key version 2.0 updates include:
- Recognition that the entity introducing payment tokenization to a payment ecosystem is responsible for establishing a payment token program. This will help define the business policies and processes for the generation, issuance and full lifecycle management of payment tokens to ensure their effective delivery.
- Additional details about payment token processing to clarify the use of a payment token in the authorization process.
- Introduction of new concepts around shared and limited-use payment tokens to support the expansion of e-commerce use cases.
- Introduction of the payment token assurance method (replacing token assurance level) to enable a token requestor, such as an issuer, digital wallet provider or merchant, to have information available related to the identification and verification processes associated with the issuance of a payment token.
- Expansion of the payment token issuance processes to enable the request of a payment token with a value other than a PAN.
EMV Payment Account Reference (PAR)
It should also be noted that since the publication of EMVCo’s first payment tokenization spec, the company has defined a new data element known as EMV Payment Account Reference (PAR).
Essentially, PAR enables merchants, acquirers and payment processors to link together a cardholder’s EMV payment token and PAN transactions. In addition to PAR, EMVCo has rolled out new registration programs for TSPs and Bank Identification Number (BIN) Controllers.
A common framework and set of industry definitions
Put simply, payment tokenization describes the process of replacing a primary account number (PAN) with a unique payment token that is restricted in its usage, for example, to a specific device, merchant, transaction type or channel. EMVCo first published version 1.0 of its tokenization technical framework in 2014 to address the various requirements of digital payments, such as e-commerce, and to minimize the fraud risk associated with the potential exposure of PANs.
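The sketch below is an added example, not code from EMVCo or from the specification. It models a token restricted to a merchant and channel, and a PAR that links token and PAN transactions without exposing the PAN. The class, function names, identifier formats and the test card number are all constructed assumptions.

```python
import secrets
from collections import defaultdict

class ToyTokenVault:
    """Simplified token vault; identifiers and formats are constructed, not EMVCo's."""

    def __init__(self):
        self._tokens = {}  # token -> (pan, usage restrictions)
        self._pars = {}    # pan -> PAR, one per underlying account

    def par_for_pan(self, pan):
        # The same PAR is returned for the PAN and for every token issued on it.
        return self._pars.setdefault(pan, "PAR" + secrets.token_hex(8).upper())

    def issue(self, pan, **restrictions):
        # e.g. issue(pan, merchant="shop-a", channel="ecommerce")
        token = "TKN" + secrets.token_hex(8).upper()
        self._tokens[token] = (pan, dict(restrictions))
        return token

    def authorize(self, token, **context):
        """Return (approved, par). Unknown tokens and out-of-domain use are declined."""
        entry = self._tokens.get(token)
        if entry is None:
            return False, None
        pan, restrictions = entry
        approved = all(context.get(k) == v for k, v in restrictions.items())
        return approved, self.par_for_pan(pan)

def link_by_par(transactions):
    """Group (par, description) records by PAR, as a merchant could without the PAN."""
    grouped = defaultdict(list)
    for par, description in transactions:
        grouped[par].append(description)
    return dict(grouped)

def demo():
    vault = ToyTokenVault()
    pan = "4111111111111111"  # constructed test number
    token = vault.issue(pan, merchant="shop-a", channel="ecommerce")
    in_domain = vault.authorize(token, merchant="shop-a", channel="ecommerce")
    out_of_domain = vault.authorize(token, merchant="shop-b", channel="ecommerce")
    history = link_by_par([
        (in_domain[1], "token purchase"),
        (vault.par_for_pan(pan), "card-present PAN purchase"),
    ])
    return token, in_domain, out_of_domain, history

if __name__ == "__main__":
    print(demo())
```

A token captured at one merchant is declined when presented at another, which is the property that limits the value of a stolen token compared with a stolen PAN.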
“The updated framework from EMVCo, at a standards level, clarifies and identifies additional key concepts and mechanisms that the individual payment schemes have implemented in parallel, or may adopt in future, as part of each individual payment brand’s token program and specifications,” David Worthington, VP Business Development, Office of the CTO at Rambus, explained.
“This includes the token program itself, as a set of policies, processes and registration activities; the BIN controller role in the clarifications around potential use of PAR; use cases for both cardholder and merchant initiated transactions; shared payment tokens and token users; and industry definition of multiple token requestor types.”
In short, says Worthington, EMVCo provides a common framework and set of industry definitions to enable all players in the ecosystem, particularly TSPs, to better understand and implement both the similarities and differences in supporting tokenization for the different international and domestic card brands.