EMV Payment Tokenization Primer and Lessons Learned
Publication Date: June 2019
Tokenization substitutes placeholder characters or a surrogate, called a payment token, for the primary account number (PAN) in a financial transaction. Tokenization protects payment data using a combination of techniques, such as secure storage of sensitive data and/or cryptographic controls, ensuring that an unauthorized party cannot mathematically reverse the token value to the original PAN. Token domain controls protect the token against unauthorized use.
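The sketch below is an added illustration of the two properties just described. It is not code from the white paper or from EMVCo. The `TokenVault` class, the domain labels, and the choice to keep the PAN's length and a valid Luhn check digit are assumptions made for the example.

```python
import secrets


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit for a digit string that lacks one."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every second digit, starting next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Hypothetical vault: random surrogate, stored mapping, domain restriction."""

    def __init__(self):
        self._by_token = {}     # token -> (PAN, domain the token was issued for)

    def tokenize(self, pan: str, domain: str) -> str:
        # The surrogate is drawn at random rather than computed from the PAN,
        # so no calculation on the token leads back to the PAN. The only link
        # is the mapping held in the vault (the "secure storage" part).
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = (pan, domain)
        return token

    def detokenize(self, token: str, domain: str) -> str:
        pan, bound_domain = self._by_token[token]   # KeyError for unknown tokens
        # Domain control: the token is honoured only in the domain it was issued for.
        if domain != bound_domain:
            raise PermissionError("token presented outside its domain")
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"                   # constructed test value
    tok = vault.tokenize(test_pan, "nfc-wallet")    # constructed domain label
    print(tok, vault.detokenize(tok, "nfc-wallet") == test_pan)
```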
While tokenization within the card payments industry takes various forms, the U.S. Payments Forum Mobile and Contactless Payments Working Committee developed this white paper as a primer on payment tokenization as defined by EMVCo in the Payment Tokenization Technical Framework. EMV payment tokens are valid for the entire lifecycle of a transaction and are now implemented in several payment channels, including payments made using Near Field Communication (NFC)-enabled mobile phones.
This paper focuses on the current state of EMV payment tokenization, providing the reader with an understanding of payment tokenization, the payment scenarios in which tokenization can be used, and the services that are commonly used in payment tokenization. Topics covered in the white paper include:
- Definitions of the different forms of tokenization
- Scenarios for using EMV payment tokens across various channels
- Payment tokenization stakeholder roles
- Payment tokenization provisioning and processing flows
- Payment tokenization impact on merchants
- Lessons learned from implementing EMV payment tokenization as specified in EMVCo Payment Tokenization Framework, v1.0.
Please note: The information and materials available on this web page (“Information”) is provided solely for convenience and does not constitute legal or technical advice. All representations or warranties, express or implied, are expressly disclaimed, including without limitation, implied warranties of merchantability or fitness for a particular purpose and all warranties regarding accuracy, completeness, adequacy, results, title and non-infringement. All Information is limited to the scenarios, stakeholders and other matters specified, and should be considered in light of applicable laws, regulations, industry rules and requirements, facts, circumstances and other relevant factors. None of the Information should be interpreted or construed to require or promote the establishment of any solution, practice, configuration, rule, requirement or specification inconsistent with applicable legal requirements, any of which requirements may change over time. The U.S. Payments Forum assumes no responsibility to support, maintain or update the Information, regardless of any such change. Use of or reliance on the Information is at the user’s sole risk, and users are strongly encouraged to consult with their respective payment networks, acquirers, processors, vendors and appropriately qualified technical and legal experts prior to all implementation decisions.