EMV Payment Tokenisation – Payment Account Reference

CLARIFICATIONS FROM SPECIFICATION BULLETIN NO. 167, FIRST EDITION, JANUARY 2016

  1. What is the objective of Payment Account Reference (PAR)?
  2. Why did EMVCo introduce PAR?
  3. Can PAR Data be used to initiate a financial transaction or authorisation request?
  4. Is PAR Data unique to a PAN or a Payment Account?
  5. Is PAR considered PCI data?
  6. Is PAR a consumer identifier?
  7. Is PAR considered Personally Identifiable Information (PII) or Personal Data in accordance with privacy laws or regulations?
  8. Can PAR Data be encoded in a magnetic stripe of a payment card?
  9. How does PAR impact recurring payments?
  10. Will PAR Data be sent in an authorisation response?
  11. Who can generate PAR Data?
  12. Will PAR Data be generated and issued by a Token Service Provider (TSP)?
  13. Does the PAR Data apply to both EMVCo Payment Tokens and their underlying PANs?
  14. Will PAR Data be unique?
  15. Who assigns the BIN Controller Identifier?
  16. How many characters is the PAR Data and who decides its unique values?
  17. Is there any way of determining or predicting a Payment Token or a PAN from its PAR Data?
  18. How can terminals recognise PAR Data as part of an EMV transaction?
  19. Who governs a particular PAR implementation?
  20. Who provides the PAR Enquiry Mechanism and when is it needed?
  21. What are the permissible uses of PAR Data?
  22. Will a cardholder ever see the PAR Data?
  23. Can the same PAR Data continue to be used when there is a change in the PAN?
  24. Does PAR only relate to payment cards with EMV Payment Tokenisation?
  25. Does the PAR Data need to be included in signed data?
  26. After closure of a consumer account should PAR Data be reused and, if so, how long after closure does the retention period last?
  27. Can PAR Data alone be used to initiate chargebacks, returns or reversals?
  1. What is the objective of Payment Account Reference (PAR)?

    PAR re-introduces a relationship that already exists in the payment ecosystem today for Primary Account Number (PAN) post EMVCo Payment Tokenisation. PAR may be used to link transactions initiated on Payment Tokens with transactions initiated on the underlying PAN to support the needs of a variety of payment processing and value added services that rely on PAN prior to the introduction of Payment Tokenisation.

  2. Why did EMVCo introduce PAR?

    PAR was introduced to resolve the challenges faced in the broader acceptance community including Merchants, Acquirers and Payment Processors, in regards to linking Payment Token transactions with each other or transactions initiated on the underlying PAN. This supports a variety of payment processes and value added services.

  3. Can PAR Data be used to initiate a financial transaction or authorisation request?

    PAR Data alone cannot be used to initiate a financial transaction, authorisation request or any other message such as capture, clearing or chargeback.

  4. Is PAR Data unique to a PAN or a Payment Account?

    A Payment Account is the unique financial relationship between account holder(s) and a financial institution for a specific financial funding source (e.g. credit, debit, commercial, prepaid) represented by one or more PANs. The PAR Data is unique to a single PAN. A Payment Account that has multiple different PANs issued will need to ensure that unique PAR Data is generated for each unique PAN.

  5. Is PAR considered PCI data?

    Please refer to the PCI Security Standards Council website. PAR Data should be used and protected in accordance with national, regional and local laws and regulations, including privacy laws.

  6. Is PAR a consumer identifier?

    PAR is not intended to be a consumer identifier in a similar way that an EMVCo Payment Token or a PAN is not intended to be a consumer identifier.

  7. Is PAR considered Personally Identifiable Information (PII) or Personal Data in accordance with privacy laws or regulations?

    PAR is explicitly not intended to be used to identify cardholders and therefore it aims to minimise being categorised as PII (Personal Identifiable Information) / Personal Data. However, privacy laws vary by jurisdiction, and the categorisation of PAR may also depend on the manner of implementation. Since PAR is linked to the PAN, PAR might be governed under laws and BIN Controller requirements similar to those applicable to PAN.

  8. Can PAR Data be encoded in a magnetic stripe of a payment card?

    Within Track 1 and Track 2 of a magnetic stripe there is insufficient space for PAR Data alongside other existing track data.

  9. How does PAR impact recurring payments?

    PAR has no impact on recurring payments as PAR data alone cannot be used to initiate a financial transaction.

  10. Will PAR Data be sent in an authorisation response?

    PAR Data may be made available in the authorisation response message according to BIN Controller governance and Payment Network support of PAR Data in messages. The assigned PAR Field is Field 56 for ISO 8583 (1987), Field 112 for ISO 8583 (1993), and Field 51 for ISO 8583 (2003).

  11. Who can generate PAR Data?

    The BIN Controller is the entity that governs the generation of PAR Data and ensures PAR Data uniqueness.

  12. Will PAR Data be generated and issued by a Token Service Provider (TSP)?

    PAR governance, including the designation of entities eligible to generate PAR Data, is the responsibility of the BIN Controller. TSP may be aware of PAR in support of business processes such as Token Provisioning and involvement in PAR Data generation.

  13. Does the PAR Data apply to both EMVCo Payment Tokens and their underlying PANs?

    PAR Data is assigned to a single PAN and will be attributed to all Payment Tokens affiliated to that underlying PAN.

  14. Will PAR Data be unique?

    PAR Data is intended to be unique within the PAR ecosystem governed by the BIN Controller as delineated by the EMVCo-assigned BIN Controller Identifier. The BIN Controller is responsible for ensuring the uniqueness for PAR Data associated with its BIN Controller Identifier.

  15. Who assigns the BIN Controller Identifier?

    EMVCo assigns and maintains a list of BIN Controller Identifiers. Entities may register for a BIN Controller Identifier using EMVCo’s registration form and process.

  16. How many characters is the PAR Data and who decides its unique values?

    The PAR Data is made up of 29 characters and is comprised of a 4 character value that EMVCo assigns as the BIN Controller Identifier and a 25 character unique value that is generated and assigned in accordance with the governance of the BIN Controller.

  17. Is there any way of determining or predicting a Payment Token or a PAN from its PAR Data?

    PAR Data should be generated in such a way as to ensure that PAR Data cannot be reverse engineered to determine or predict a PAN or any Payment Token.

  18. How can terminals recognise PAR Data as part of an EMV transaction?

    EMVCo has assigned EMV Tag ‘9F24’ for the PAR Data. Terminals should be able to pass the PAR Data along with other EMV data to the Merchant’s Payment Processor or Acquirer within Field 55.

  19. Who governs a particular PAR implementation?

    The governance of a PAR implementation is under the control of the BIN Controller.

  20. Who provides the PAR Enquiry Mechanism and when is it needed?

    The PAR Enquiry Mechanism is supported by the entity that defines PAR in accordance with the BIN Controller’s governance of PAR. Merchants, Acquirers, Payment Processors, Token Service Providers and others can use the PAR Enquiry Mechanism to obtain the PAR Data in addition to or instead of the PAR Data’s inclusion in transaction processing.

  21. What are the permissible uses of PAR Data?

    PAR Data usage is limited to the following functions:

    • Completing the reversal of transactions with PAR Data and either a PAN or Payment Token (e.g. returns and chargebacks)
    • Complying with regulatory requirements (e.g. Anti-Money Laundering (AML))
    • Performing Risk Analysis (e.g. fraud detection and control services)
    • Performing other non-payment operational needs as defined by the registered BIN Controller (e.g. supporting a loyalty program for consumers that have opted in to the service, as permitted by law)

    All PAR implementations MUST NOT conflict with any national, regional or local laws or regulations, including those concerning privacy. Registered BIN Controllers MUST define appropriate rules governing the use of PAR Data for all implementations within the payment ecosystem.

  22. Will a cardholder ever see the PAR Data?

    Cardholders will be generally unaware of PAR Data even if provisioned. The lack of cardholder awareness of PAR Data should in no way impact the cardholder’s ability to transact. The length and format of PAR Data is not considered to be consumer friendly.

  23. Can the same PAR Data continue to be used when there is a change in the PAN?

    For payment account lifecycle events such as lost/stolen cards or card replacements, the same PAR Data should be used to represent the successor PAN for the same payment account. In these scenarios, the continued use of the same PAR Data is at the discretion of the BIN Controller.

  24. Does PAR only relate to payment cards with EMV Payment Tokenisation?

    PAR is intended to allow the linkage of Payment Token transactions to transactions associated with PANs that have been tokenised. While PAR can also have broader industry use such as being assigned to PANs prior to any payment tokenisation, the underlying details for such are at the discretion on the BIN Controller and are implementation-specific and outside of EMVCo scope.

  25. Does the PAR Data need to be included in signed data?

    This is under the discretion of the BIN Controller and is implementation-specific and outside of EMVCo scope.

  26. After closure of a consumer account should PAR Data be reused and, if so, how long after closure does the retention period last?

    This is under the discretion of the BIN Controller and is implementation-specific and outside of EMVCo scope.

  27. Can PAR Data alone be used to initiate chargebacks, returns or reversals?

    PAR Data alone cannot be used to initiate financial transactions. Transactions are initiated with a Payment Token or a PAN.