What is an EMVCo compliant payment token?
A payment token based upon EMVCo Specifications is a reversible token generated at the payment issuer level. This means that the reversible token can be securely mapped back to its original card account number by the provider of the payment token and authorised entities only. It is used as part of the payment chain and, when submitted in a transaction to the payment system, would cause a payment to occur.
The tokenisation process happens in the background in a manner that is typically invisible to the consumer. Such tokens could be used by merchants or digital wallet operators, and can be stored in EMV chip cards and NFC devices. The payment tokens are restricted to specific domains. For example, a token may be usable only within the e-commerce acceptance channel at a specific merchant. An additional payment token capability is the ability to unlink the token from the original card account number in case that token is either no longer needed, or a mobile device or card has been lost or stolen. Payment tokens will be of particular value in card-not-present transactions, as well as in mobile devices and other form factors.
What is the first work item to be progressed by EMVCo?
EMVCo has released the EMV Payment Tokenisation Specification – Technical Framework v1.0.Available to download from the EMVCo website without charge, the technical document provides the payments community with the framework to facilitate consistent, secure and globally interoperable digital payments when using a mobile handset, tablet, personal computer or other smart device.
What will I learn from reading the EMV Payment Tokenisation Specification – Technical Framework v1.0?
The document provides readers with a clear insight into EMVCo's work and remit to standardise payment tokenisation and encourage global interoperability. It describes the payment tokenisation landscape, the key entities necessary to support payment tokenisation, the data fields that can be implemented to support a tokenisation service and the benefits of adopting a unified approach, as well as delineating several payment token use cases.
From a technical perspective, the document explains the role of the specification in facilitating broad-based acceptance of a payment token as a replacement for a traditional card account number. This includes data message formats to ensure the interoperability of payment tokens and the consistent approach that should be used to route and authenticate a payment token. The framework also explains how security can be improved by limiting payment tokens for use in a specific environment, and how an existing ecosystem can advance to become globally interoperable.
In addition, Section 1 of the EMV Payment Tokenisation Specification – Technical Framework v1.0 provides defined terms and other useful information relevant to parties new to payment tokenisation.
What is the difference between a specification and framework?
EMVCo calls this release a framework since it is the foundation of the tokenisation specification. It serves as a specification in that it is implementable for defined use cases and is available to download and use by the industry. EMVCo actively solicits EMVCo Associate, Subscriber and public feedback to support enhancements and inclusion of additional use cases and further ecosystem requirements. Over time, the specification will evolve with industry input to broaden its applicability to diverse marketplace needs.
Will the specification be available to all parties without charge?
Yes. All EMV Specifications, including the EMV Payment Tokenisation Specification – Technical Framework v1.0, are available to all payment participants in the industry, royalty-free. EMVCo has an established framework for delivering payment specifications through open and transparent processes in consultation with industry stakeholders.
What are the benefits of using a payment token based on EMVCo Specifications?
As the payment token generation process happens at the payment issuer level, it will bring many benefits to:
Issuers. Consistency in risk management processes and implementation of cardholder data for current and emerging mobile and digital solutions.
Acquirers. Enabling their merchants to securely participate in the payments system, using payment tokens that work with the existing services they provide today. Additionally they have the ability to provide new payment token services to their merchants.
Merchants. By utilising the current payments infrastructure, merchants may not have to build their own proprietary systems to secure payment data. Once they have put in place the capability to convert their account numbers into payment tokens, they can capitalise on existing integration processes within the larger payments community. Such payment tokens are also compatible with the existing acceptance infrastructure, so merchants can accept transactions initiated with payment tokens without needing to make substantial costly changes to their acceptance environments.
How will the specification be adopted by the payment systems and other payments stakeholders?
EMVCo recognises that what is being progressed today is comparable to how the industry came together to develop and implement the required infrastructure for magnetic stripe, chip-based and NFC payments on a global scale. While EMVCo provides a ‘tool box’ of specifications, these are adaptable to meet regional variations and the unique needs of different industry stakeholders. It is ultimately up to the stakeholders to determine how the EMVCo Specifications will be adopted.
Will the specification work for all brands, card products, networks and payment types such as credit, debit, prepaid, etc.?
Yes, the specification is designed to be inclusive of all product types and adaptable to implementer requirements.
Can EMVCo's Specification be used for non-payments?
The aim of the specification is to create a set of requirements where payment tokens can interoperate and be used in a secure manner. These same requirements, while not designed for non-payment use, can be applied as best practices for non-payment tokens where applicable, for example, with merchant closed loop loyalty cards.
Will EMVCo's Specification support multiple payment environments, for example e-commerce, m-commerce as well as in-store transactions or online purchases?
EMV Payment Tokenisation Specification – Technical Framework v1.0 is form factor agnostic and is designed to support end-to-end tokenisation for the above use cases.
At this early stage, EMVCo is aware that additional work may need to be undertaken to include and address new use cases and operational considerations. EMVCo is working with multiple standards organisations to discuss its tokenisation specification, as well as engaging with industry participants directly through the EMVCo Associates Programme. For further details see below – EMVCo Tokenisation Activity and the Wider Payments Community.
It is worth noting that since payment tokens based on EMVCo Specifications must be domain-limited, there are some use cases for which an EMVCo token would not be suitable, for example, a token for a magnetic stripe card. Such a token would have to be usable at any location where magnetic stripe cards are used, and this would be too broad a domain for a token as defined by EMVCo to add value.
Are the EMVCo Specifications available to all parties who wish to participate in the payment tokenisation space?
Yes, EMVCo provides a 'tool box' of royalty-free specifications which are available to be adapted to meet regional variations and the unique needs of different industry stakeholders.
Those wishing to build EMVCo specification-compliant products or services can use the specification to meet EMVCo's global requirements.
Can industry participants develop proprietary frameworks that will operate in adherence to the specification?
While EMVCo Specifications are designed for global interoperability, there is ample opportunity within these specifications for implementers to create their own business solutions and proprietary add-ons, alongside additional services.
This level of implementation flexibility and support for a range of business models and use cases has been core to the EMVCo Specifications and continues to be a key priority for its tokenisation work.
To create a technology neutral specification requires broad industry participation in its development. Will other industry stakeholders be able to provide input into EMVCo's payment tokenisation activity?
The EMV® Payment Tokenisation Specification - Technical Framework v1.0 was published in March 2014 on EMVCo's website. It can be downloaded without charge and implemented royalty-free. EMVCo's aim in publically sharing this specification framework is to promote transparency, maximise industry engagement, and encourage market comments so that the document can evolve in line with commercial and technical market needs.
EMVCo has already witnessed significant industry interest in the specifications and calls on other parties to engage in its work through the EMVCo Associates Programme, a framework that allows stakeholders to play an active role in providing input to the technical and operational issues connected to all the EMV Specifications – including tokenisation – and related processes.
In addition to engagement with industry participants through the EMVCo Associates Programme, how is EMVCo engaging with other standardisation bodies?
EMVCo does not work in isolation. It engages with other industry bodies, including many merchant groups globally, to understand and support individual sector requirements. EMVCo has started engagement with ANSI ASC X9, ISO TC68/SC2/WG13, PCI SSC and other industry partners to advance the various tokenisation specifications and ensure a harmonised set of industry documents related to payment and non-payment tokenisation. Clarity and consistent use of terminology will allow specifications and their offering to be clearly communicated to the marketplace.
Is EMVCo's work complementary to that being developed by other bodies?
EMVCo has developed a technical specification which will enable the creation of a globally interoperable, implementable tokenisation framework used for payment initiation. The specification from EMVCo maintains compatibility with the current payment infrastructure and is intended to complement the existing EMV Chip Specifications to ensure consistency across all payment environments.
By adopting consist terminology and remaining engaged with the various national and international standards groups, the goal is to allow market stakeholders to easily understand its offering and how it interconnects with other standards and specifications as and when they are brought to market.
At this stage, EMVCo is not aware of any conflicts between its specification and other tokenisation standards which are scheduled for market release.