Exploring PAR's role in enhancing digital payments and financial security
Payment Account Reference (PAR) was introduced in 2014 by EMVCo as the push to remove Primary Account Numbers (PANs) from the payments landscape and the rise of tokenization was creating new problems for merchants. But what is it and how does this new token live up to its potential?
Payment Account Reference (PAR) is actually an umbrella term for several pieces of information. The EMV Payment Tokenisation Specification from September 2017 actually describes PAR as a group of elements:
Most of the time and for this article, the term ‘PAR’ is referring to the PAR Data - the specific account reference value.
A 29 digit number with a specified (BIN), the PAR relates 1:1 with a PAN. The first four digits are the identifier of the BIN Controller, followed by 25 digits. The values are maintained by a registered BIN Controller, who is registered with EMVCo. However, most importantly, this value can not be used for any financial transactions and is not PCI data. This allows the PAR to be stored and used without the complications of financial data. It is also important to note that this is a reference value for the account, not the customer. This specification in the intention and expected usage of PAR is important so that the value does not have PII implications. There are also legitimate use cases which would restrict a PAR from being used to identify a specific customer. For example, a person can have multiple cardholders on an account where the card has the same PAN and these will all have the same PAR- identifying the account, not the customer. Since the PAR is related to the account and the PAN, the value may or may not change during a card lifecycle event. EMVCo has made management the decision of each BIN Controller rather than placing a ruling in the standard.
The goal of PAR is to address use cases that have historically kept PAN in the payments ecosystem.
The more places that record and transmit PAR in the payments ecosystem the more value it has, enabling better customer experiences and increasing security. PAR solves several issues, but is not ‘one token to rule them all’. How can we use a non-sensitive value to make things more secure without compromising functionality?
While PAR has been around for many years now it has not seen wide adoption. However, it is now picking up traction with networks like Mastercard and Discover, who are devoting time and resources to the topic and the many benefits it can bring. This has been working, as more processors are adding PAR to their digital payments API responses. However, the barrier to entry for the PAR promise is high: in order for it to work well, each place where PAN data is used must have a way to connect this value. That could mean changes to terminals, individual integrations, and internal systems to track and manage this new piece of information. However, removing PAN from the ecosystem increases security and PAR can provide tangible benefits for customers.
A few years ago, before I worked in payments, I was traveling to Barcelona and stayed at a well known hotel brand as I had loyalty points and status there. My card was actually a cobrand for the chain. I kept it on file with my account and it was the only card I would use when staying at these locations. This card was also loaded into my generic wallet on my phone. Now if you work in payments you probably have an inkling about what is about to happen… due to traveling all day and not wanting to get out my wallet, I tapped my phone for incidentals instead of swiping. Then for some reason which is lost to memory, the employee had to compare the receipt to my physical card -but the numbers didn't match! Now I'm trying to explain that I used the same card as what was on file. I even showed them the card art in my digital wallet, but I was just as confused as the employee. I ended up backtracking: swiping my card to reduce confusion and then I went to my room. As I said, it may be obvious to Payments people, but my card from my digital wallet was not actually using the same PAN - it used a dPAN (“digital” - or “device” primary account number) that is a tokenized value of my card. When compared to the physical card it won't match.
Now imagine the exact same scenario, but with a PAR implementation. If that merchant had adopted PAR, when I tapped on the terminal, the dPAN is provided for the transaction while the PAR value is recorded and then recognized by the system. It has the same PAR as the card on file! Same card, no problems. I'm in my hotel room without delay.
To provide that customer experience is potentially expensive, so is it worth it? Access to PAR across all payment systems opens the door to more use cases than just increased customer experience. I invite you to ask yourself a few questions:
If you answered “yes” to any of the above questions, you have at least one use case for PAR. The more yes responses, and the more expensive and painful each of those operations are to you, the more value you will be able to realize by utilizing PAR. Thankfully, as a merchant this is a great time to adopt PAR across your organization as the payments ecosystem is increasing adoption of this resource. This now offers the opportunity to utilize payment partners in secure ways, bringing a host of benefits without the overhead of linking and using PAN data.
Orchestration providers can play a key role in expanding PAR in the ecosystem. Often touching several different PAR data ingestion points, like the networks and gateways, they are able to optimize collection and disbursement of PAR to provide the most value. Merchants can use PAR from providers to get all of the data benefits without needing to handle the entire integration burden outside of their own systems.
Reach out to our team to learn more about how Spreedly is optimizing vaulting and transacting using features like PAR.