Professional Documents
Culture Documents
EMV Payment Tokenization Primer Lessons Learned FINAL June 2019
EMV Payment Tokenization Primer Lessons Learned FINAL June 2019
EMV Payment Tokenization Primer Lessons Learned FINAL June 2019
Version 1.0
Publication Date: June 2019
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark
elsewhere. The EMV trademark is owned by EMVCo, LLC.
Copyright ©2019 U.S. Payments Forum and Secure Technology Alliance. All rights reserved. Comments
or recommendations for edits or additions to this document should be submitted to:
info@uspaymentsforum.org.
1
https://www.emvco.com/emv-technologies/payment-tokenisation/.
2
Available on the U.S. Payments Forum web site, https://www.uspaymentsforum.org/mobile-and-digital-wallets-
u-s-landscape-and-strategic-considerations-for-merchants-and-financial-institutions/.
2.3.1 Cryptography
Cryptography protects information by transforming it into a format only readable by authorized entities.
Cryptography is often used to secure sensitive information, such as a PIN, or to authenticate an entity,
such as an issuer or cardholder.
3 See the U.S. Payments Forum white paper, “Mobile and Digital Wallets: U.S. Landscape and Strategic Considerations for
Merchants and Financial Institutions,” available at http://www.uspaymentsforum.org/mobile-and-digital-wallets-u-s-
landscape-and-strategic-considerations-for-merchants-and-financial-institutions/, for additional information on different
wallet models.
Token
ID&V
Vaulting
Token
Token
Domain
Issuance
Control
4.2.6 Reporting
Token reporting can be provided by either the TSP or a partner with access to the token data. Reports
typically provide historical data on the PAN or token volume, token transaction volume, current
enablement, or lifecycle status. Refer to the EMVCo Payment Tokenization Technical Framework for
additional details on reports.
4.2.7 ID&V
Before a token can be created and provided to a token requestor, the issuer of the PAN must
authenticate the cardholder and approve tokenizing the account through the identification and
verification (ID&V) process. The ID&V process typically has three stages: request, verification, and
outcome. The decision paths are typically identified by a color.
Token lifecycle management is critical to the success of a wallet or card-on-file token solution. The PAN
must remain associated with all appropriate tokens to ensure the best user experience. This
relationship is managed by the TSP, which allows tokens and PANs to have independent lifecycles.
Tokens and the plastic card or other form factor associated with a single PAN should also be managed
independently, so that changes to one do not affect the other. Changes to a particular token, such as
token suspension or resumption of active status, do not need to impact all tokens associated with the
PAN. Likewise, changes to the plastic card, such as an expiration update or reissuance, do not need to
impact the tokens.
Various methods can be used to manage token lifecycles, depending on the payment network and issuer
implementation. Issuers can use tools from the payment networks to update the token vault manually.
Web service APIs can also be used, or enhanced network messages. In addition, certain PAN lifecycle
updates can be made through other services, such as account updater services. Issuers should check
with the payment network to determine the best method to use for token lifecycle management. They
should consider factors such as the size of their card base and the availability of resources to keep up
with changes to various APIs, files, and messages.
In addition, customers can perform token maintenance within the wallet applications (for example,
removing the card/token from their wallet).
4
Another term that is used is “unlinked” where the payment token is disconnected from the PAN and the
mapping is disabled for further use.
5
Note that token recycling is possible, based on a feature of the BIN owner. Token vaults typically allow for all
related transaction, chargeback, and dispute processes to complete before considering reuse of a token. The
amount of time involved may vary by payment network and is typically intended to allow enough time to
complete any chargeback and settlement activity.
Figure 6. Processing a Contactless EMV Transaction Using an NFC-Enabled Device-Centric Digital Wallet
6
Note that not all Track 2 discretionary data is provided to the issuer with the clear PAN, which could have
implications for issuer verification.
Figure 8. Token Provisioning at Merchant Sites that Store a Card (Card on File)
Figure 9. Process for Transactions Using a Merchant-Stored Tokenized Card (COF) Based on American Express,
Discover, Mastercard or Visa TSP Tokens
Figure 10. Process for Transactions Using a Merchant-Stored Tokenized Card (COF) Based on Third-Party TSP
Tokens
7
The payment transaction identifier is a unique number identifying a transaction the customer has accepted on
the cloud wallet server. It does not include a token or cryptogram data.
However, as shown in Section 5, merchants may not be able to route certain card-on-file or card-not-
present debit transactions based on payment network, where tokenization is used. Merchants are
advised to consult with the payment networks for additional information.
8
EMVCo, “EMV® Payment Tokenisation Specification – Technical Framework,” Sept. 8, 2017, and Secure
Technology Alliance, “EMVCo Payment Account Reference (PAR): A Primer,” April 2018.
9
Mastercard provides the full PAN to acquirers for tokenized transactions in ISO messaging DE 48 Sub-element
33. However, acquirers may not be passing the last four digits to the merchant; Mastercard has not created a
best practice for acquirers to share the last four of a PAN as of yet. Visa uses field 4415, which is the last four
digits of the PAN. Discover enabled the passage for the last four digits of the PAN when it updated its ISO in
2015 to support EMV tokens. The last four digits of the PAN can be found in Field 106 (Transactional Data), Data
set 61 (Payment Token Data), Tag 1.
10
As of June 2018, some global networks have begun to enable PAR for tokenized credentials only.
11
Some merchants admit to having lax return and refund policies and process returns or refunds without a receipt
for the sake of customer experience.
12
MSD contactless transactions work differently and is out of scope for this paper.
13
CDCVM uses a passcode or biometric on the mobile device.
14
U.S. Payments Forum, “PIN Bypass in the U.S. Market,” February 2019.
(1) Source: U.S. Payments Forum Mobile and Contactless Payments Glossary
(2) Source: EMVCO EMV Payment Tokenization Specification
Technical Framework v2.0
15
Source: White-box Cryptography