Payment tokenisation is the process of replacing a traditional primary account number (PAN) with a unique payment token that is restricted in how it can be used with a specific device, merchant, transaction type or channel. It therefore enhances the underlying security of digital payments by potentially limiting the risk typically associated with compromised, unauthorised or fraudulent use of PANs.
An EMV® Payment Token is used as part of the payment chain and, when submitted in a transaction to the payment system, would cause a payment to occur. One PAN may have multiple EMV® Payment Tokens associated with it depending on the usage scenario.
EMVCo first launched its EMV® Payment Tokenisation Specification – Technical Framework in 2014 to address the needs of digital payments, including e-commerce, and to minimise the fraud risk associated with exposure of PANs. The document describes the payment tokenisation landscape, key entities and the data fields to be implemented to support a payment tokenisation service. From a technical perspective, the framework explains the acceptance of payment tokens as a replacement for PANs and how security can be improved by limiting their use to a specific environment.
Any industry participant wanting to build an EMV® payment token solution can use the technical framework.
In addition to the specification technical framework, EMVCo manages and evolves:
For further technical details visit the EMV® Payment Tokenisation webpages.
Please note that EMVCo does not mandate the use of its specifications and industry participants are free to choose from any or all of the related EMV® technical documents to address their customer and market needs.
Q: What is an EMV® Payment Token?
A: An EMV® Payment Token is a surrogate value that replaces a primary account number (PAN) in the payment ecosystem. It is used as part of the payment chain and, when submitted in a transaction to the payment system, would cause a payment to occur. One PAN may have multiple EMV® Payment Tokens associated with it depending on the usage scenario. Payment tokens are restricted to specific domains. For example, a payment token may be usable only within the e-commerce acceptance channel at a specific merchant. They can be updated for a variety of reasons, such as in the event of a lost or stolen device or other lifecycle events.
Q: What is the role of EMVCo within this area?
A: EMVCo defines the technical framework to generate, deploy and manage payment tokens in a reliable and interoperable manner globally. This technical framework must maintain compatibility with the existing payment infrastructure while delivering consistency and achieving a common level of robust security.
Q: What are the benefits of using a payment token based on EMVCo’s framework?
A: Payment tokenisation enhances the underlying security of digital payments by potentially limiting the risk typically associated with compromised, unauthorised or fraudulent use of PANs. Payment tokenisation achieves this by replacing PANs with payment tokens that differ significantly in terms of the ability to control or restrict usage to a particular transaction environment, device or other domain. The implementation of payment tokenisation solutions aligned with EMV® Payment Tokenisation Specification – Technical Framework v2.0 provides opportunities to enhance the security of digital payments for issuers, merchants, acquirers, payment processors and stakeholders in the broader acceptance community.
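As an added illustration of the domain restriction and lifecycle behaviour described in the answers above (example code written for this page, not EMVCo's specification or any vendor's implementation): a toy token vault in which one PAN has two payment tokens, each bound to its own domain. The names `TokenVault`, `TokenRecord`, `channel`, `merchant` and `device`, and the sample PAN, are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str            # real account number, held only inside the vault
    domain: dict        # restrictions, e.g. {"channel": ..., "merchant": ...}
    active: bool = True


class TokenVault:
    """Toy vault: maps surrogate tokens to a PAN and enforces each token's domain."""

    def __init__(self):
        self._records = {}

    def issue(self, pan, **domain):
        # Random digits of the same length as the PAN; retry on collision.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, dict(domain))
        return token

    def detokenise(self, token, **context):
        """Return (pan, reason); pan is None unless the token is used in its domain."""
        rec = self._records.get(token)
        if rec is None:
            return None, "unknown token"
        if not rec.active:
            return None, "token inactive"
        if any(context.get(k) != v for k, v in rec.domain.items()):
            return None, "outside token domain"
        return rec.pan, "ok"

    def deactivate(self, token):
        # Lifecycle event such as a lost or stolen device: only this token is affected.
        self._records[token].active = False


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample value, not a real account
    web = vault.issue(pan, channel="e-commerce", merchant="merchant-A")
    phone = vault.issue(pan, channel="contactless", device="phone-1")
    in_domain = vault.detokenise(web, channel="e-commerce", merchant="merchant-A")
    elsewhere = vault.detokenise(web, channel="e-commerce", merchant="merchant-B")
    vault.deactivate(phone)
    lost = vault.detokenise(phone, channel="contactless", device="phone-1")
    still_ok = vault.detokenise(web, channel="e-commerce", merchant="merchant-A")
    return web, phone, [in_domain, elsewhere, lost, still_ok]
```

The e-commerce token resolves to the PAN only at the merchant it was issued for, and deactivating the device token leaves both the PAN and the other token usable.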
In this webcast, recorded in October 2016, Clinton Allen, Chair of EMVCo’s Payment Tokenisation Working Group, provides an overview of Payment Account Reference (PAR) and why it has been introduced, and offers insight into the focus and nature of EMVCo’s activity in this area.
On 16 November 2017, EMVCo partnered with the Secure Technology Alliance to deliver a webinar on the latest EMV® Payment Tokenisation Specification – Technical Framework v2.0 updates.