Payment Account Reference (PAR) will become a major force in changing in how recurring billing transactions are processed, and risks that merchants will bear. Swiped, key-entered, and e-commerce transactions are all impacted because merchants will need to tie subsequent token transactions to the original transaction that customer authorized. This raises questions as to what technology will be able to support it, and how quickly will companies be able to adopt it?
EMVco updated their EMV Payment Tokenization Specification Technical Framework earlier this year to include a new field for PAR. This field must transcend throughout the payment ecosystem to acquirers, issuers, and merchants by updating all those systems to support it. That means changes to payment terminals, gateways, processing systems, and potentially ERP and other integrated solutions. With the framework in place, the rest of the ecosystem can begin updating systems to take advantage of the benefits.
PAR enables the payment acceptance community to link a cardholder’s payment token with their PAN transactions without needing to use their underlying card account number.
Merchant Liability
Official announcement is not yet available, however, following the logic of similar security updates, the merchant would risk chargeback on any transaction that does not include the PAR value. The issuer or the acquirer could potentially initiate on the premise there’s no proof customer approved, and therefore there’s fraud liability risk. To reduce their risk, the merchant could be held liable. That means 3 months into a service, all prior transactions could be ACH’d right out of merchant bank account, plus there’d be chargeback fees for each transaction. Additionally, with multiple chargebacks with a single cardholder it’s foreseeable merchants could end up in oversight pool for excessive chargebacks.
Timeline for Compliance
Official announcement is not yet available, however, technical framework specifications for developers were released about 6 months ago. Changes impacting processing fees etc. are typically effective October and April of each year.
Why PAR now?
PAR enables the industry to move away from dependence on the PAN as the primary linkage between various payment processing and value-added services, for example, loyalty programs. As EMV grows increasing card present security, fraud tends to move online; PAR is intended to reduce card not present fraud, increase security, and create a consistent global framework for all participants.
Current Recurring Billing Compliance
Today, when a merchant processes a transaction for a card the customer has authorized to keep on file, the ‘recurring‘ transaction type indicator is required to be sent with each authorization request. A payment gateway is a required, since physical terminals are unable to meet requirements. For example, a retail store sends a SALE transaction type, while a company offering SaaS sends Recurring Payment indicator in authorization messages. Business to business merchants run into compliance, and risk of chargeback losses, when a customer agrees authorizes keep card on file, and they key enter the card number. As far as the issuer and acquirer are concerned, it’s a retail sale, and all the rules of acceptance, risk, and interchange rate qualification apply.
Some companies use paper credit card authorization forms, and they key enter into a retail terminal or virtual terminal each and every time; those transactions are NOT sent correctly with RECURRING indicator.
Future Recurring Billing Compliance
Tokens replace sensitive card data and are then used to perform future variable, fixed, or installment recurring billing. PAR cannot be used to initiate payment transactions nor reverse engineered to obtain PAN data. When a token is created, a PAR value will also be created. The PAR must be supplied with all future authorization requests.
Merchants using ‘dumb terminals’, i.e. terminals that are not payment gateway driven, are incapable of supporting such a service. For omnichannel merchants, partnering with a progressive technology company that meets all current and future payment needs is going to be essential to comply with PAR and more payment changes likely to come.
“If your current provider was late to market with EMV, if they don’t support 3D Secure, if they can’t provide one payment gateway for all sales channels, it’s probably time to start looking for another payment technology partner,” Christine Speedy, Global Reseller for CenPOS, a merchant-centric, enterprise payment solutions company.