EMV® Payment Tokenisation enhances the underlying security of digital payments by limiting the risk typically associated with compromised, unauthorised or fraudulent use of primary account numbers (PANs).
Reducing the value and limiting the use of stolen or compromised payments information is critical to protecting consumers and businesses from malicious financial attacks. Merchants and payment card issuers use EMV Payment Tokenisation to increase protection of payment data throughout a transaction.
EMV Payment Tokenisation enhances in-store, e-commerce and remote payment security by removing the most valuable data to a fraudster, the primary account number (PAN), and replacing it with a unique alternative value, the EMV Payment Token. Importantly, an EMV Payment Token is constrained in how it can be used. For example, to a specific merchant, device or payment scenario.
The EMV Payment Tokenisation Specification – Technical Framework defines the roles, functions and requirements that need to be considered when introducing EMV Payment Tokens to work with the existing payment ecosystem. This work is supported by a Guide to Use Cases to show illustrative examples of the many new ways in which EMV Payment Tokens may be used. EMVCo also manages registration programmes to ensure global interoperability and support transparency.
EMV Payment Tokenisation offers consumers and merchants the ability to protect payment data throughout a transaction to support security.
Reduces the value of stolen or compromised payments information, as an EMV Payment Token should not be usable beyond a specific merchant, device or payment scenario.
As risk from payment data compromise is limited, the development of new payment technology and scenarios are possible, without impacting security, or adding cardholder friction.
Consumers can use their preferred devices to shop online and expect quicker, easier authentication, fewer purchases inaccurately declined, and confidence in the safety of the transaction.
Used in a payment transaction from point of purchase, through acquirers and passing across the payment networks to the card issuer for authorisation.
Co-exists with other forms of tokenisation, can support all use cases and applicable in any environment which currently uses a PAN.
EMV Payment Tokenisation enables a payment token to be used in a payment transaction from point of purchase, to an acquirer and then passing across the payment networks through to payment authorisation by the card issuer. This offers the benefits of payment tokenisation throughout the payment process.
Other forms of tokenisation can happen at different points within the payment process. For example, within the merchant environment tokenisation can happen between the merchant and acquirer.
EMV Payment Tokens are compatible with other forms of tokenisation such as acquirer and/or security tokens.
It offers card issuers, their cardholders and merchants the ability to increase protection of payment data increasing overall security.
This means that for cardholders and issuers, the impact from data compromise of payment tokens will be much less than if a card number (PAN) is exposed. This can reduce the need for card replacements and leverage the ability to control and replace payment tokens for specific merchants, devices or transaction types, often without any interaction from the cardholder.
As an EMV Payment Token limits potential risk from payment data compromise, it promotes the development of new payment technology and scenarios where the risk of using a PAN would be deemed too high.
This has enabled solutions, such as mobile payment applications, to scale and provides the ability to support high value transactions, offering consumer and merchant payment convenience.
Additionally, as EMV Payment Tokenisation uses the existing acceptance infrastructure technology, merchants, card issuers and others within the payment ecosystem can benefit from enabling new payment technology with no or only limited modifications required to existing systems and processes.
For cardholders, the payment process is not impacted, and existing behaviour does not need to change. It continues to be familiar, convenient and seamless, while supporting innovative new ways to pay such as mobile payment applications, in-app and QR Codes.
This is due to EMV Payment Tokenisation using the existing payments infrastructure and its ability to maintain compatibility with in-store, e-commerce and remote card payment technology.
EMVCo publishes and maintains the EMV Payment Tokenisation Specification – Technical Framework. The framework provides implementers with a common foundation that can be adapted to:
The Technical Framework also defines Payment Account Reference (PAR) as a way to link transactions that use EMV Payment Tokens with the PAN for which the Payment Tokens have been issued. This enables support for value added services such as fraud screening, anti-money laundering monitoring, some PAN-based loyalty systems, and new use cases, such as transit.
A Guide to Use Cases is supplement to the Technical Framework which details industry input and guidance on new ways in which EMV Payment Tokens can be used.
Product or solution implementation is beyond EMVCo’s remit. However, to ensure traceability and support EMV Payment Tokenisation transparency, EMVCo manages two registration programmes: Token Service Provider (TSP) Registration Programme and the BIN Controller Registration Programme.
No. Testing EMV Payment Tokens would be complex as they are not contained within one area of the payment ecosystem, but instead overlay the entire payment infrastructure. Testing, therefore, would be impractical as it would require many key elements of the payment infrastructure to be continually tested to support the pace of change. This would result in significant time and financial resource investment.
Any party within the payment community can use and access EMV Payment Tokenisation and realise the benefits of the technology. The technical documents are available, royalty-free from the EMVCo website.
EMV Payment Tokens have the ability to co-exist with other forms of tokenisation, support all use cases and are applicable in any environment which currently uses a PAN. The flexibility of the Technical Framework means EMV Payment Tokens can be implemented to meet global or different regional requirements.
This guide brings the Technical Framework to life using real-world examples that the payment community is familiar with.
It describes key elements, such as the token programme participants, the relationship between participants and the characteristics of payment tokens. It also offers examples of scenarios for how a payment token can be used and details their associated lifecycles.
The whitepaper offers a clear overview of PAR, such as its history, how it is used and its principles, as well as the PAR management and lifecycle. The document addresses the different considerations for stakeholders that implement and manage PAR across the payment ecosystem.
The paper also offers an extensive glossary.
More than a hundred organisations – including merchants, issuers, acquirers, payment networks, financial institutions, manufacturers, technology providers and testing laboratories – contribute their knowledge and expertise to the development of EMV Specifications.
EMVCo Associates can contribute their knowledge and expertise to shape the development of EMV Specifications.
EMVCo Subscribers can receive notice of pending EMV Specification developments and participate in a formal dialogue with EMVCo.
All industry participants can review and provide comments on new EMV Specifications and major updates before final publication.
EMVCo's new website and Participant Dashboard are now live. To access your account for the first time on our new website you'll need to carry out a password reset here. You will then be sent an email to reset your password.
EMVCo Associates, Subscribers and public users of emvco.com can create accounts to manage their engagement and participation with EMVCo. Using your EMVCo account, you can create your own watchlist of EMV technologies documents, monitor queries and responses, and manage your profile.