Payment Account Reference (PAR)

As the global payments ecosystem shifts towards increased security through EMVCo tokenisation, merchants face a growing "visibility gap." While tokens (such as those used in Apple Pay, Google Pay, and merchant-specific network tokens) protect sensitive data, they also fragment the customer view. Because a single physical card can be represented by dozens of different tokens across various devices and channels, merchants can no longer use the card number as a reliable primary key for customer identification.

Whilst this has been a problem since the introduction of ApplePay around 10 years ago, the growth in Digital Wallets, the rollout out of click to pay and the forthcoming Mastercard Mandate to make all e-commerce transactions Network Token based by 2030 mean this takes on even greater importance.

The Payment Account Reference (PAR) is the industry’s standardised solution to this problem. It is a non-sensitive, unique identifier that links all tokens and the underlying Primary Account Number (PAN) to a single account.

This paper takes delves into PARs and highlights what every retailer should be undertaking as part of their payment strategy.

Understanding PAR:

The Payment Account Reference (PAR) was introduced by EMVCo to provide a persistent, non-financial identifier for a payment account.

• Structure: A 29-character alphanumeric value (e.g., 9ABCDE1234567890FGHIJKLMN1234).
• Relationship: It maintains a one-to-one relationship with the underlying PAN and a one-to-many relationship with all associated tokens (device tokens, e-commerce tokens, and physical card taps). It cannot be used to obtain a PAN, albeit with a PAN (or Network Token) a PAR can be looked up
• Persistence: Unlike a PAN, which may change due to expiry or theft, or a token, which is device-specific, the PAR is designed to remain constant throughout the lifecycle of the account. If a card is reissued with a new PAN but tied to the same underlying credit/debit account, the PAR typically remains unchanged.
• Non-Financial Nature: Critically, a PAR cannot be used to initiate a transaction. It is an administrative and analytical tool, not a payment credential.
• Availability: Authorisation response messages contain the PAR types of transactions and can be looked up with Scheme APIs.
• Uniqueness: A Payment Account is the unique financial relationship between account holder(s) and a financial institution for a specific financial funding source (e.g. credit, debit, commercial, prepaid) represented by one or more PANs. The PAR Data is unique to a single PAN. A Payment Account that has multiple different PANs issued will need to ensure that unique PAR Data is generated for each unique PAN.

Why PAR is Critical for Merchants?

The primary challenge of the increased use of EMV Tokens is the loss of a unified transaction history. PAR restores this visibility without re-introducing PCI DSS risks.

Omnichannel Customer Recognition

Without PAR, a customer who taps their physical card in-store, uses Apple Pay on their iPhone the next day, and uses an e-commerce "Card on File" token the following week appears to the merchant as three distinct customers. PAR links these disparate data points, enabling accurate loyalty Attribution and personalised Marketing.

Advanced Fraud & Risk Management

Fraudsters often exploit the anonymity of tokens to circumvent velocity checks. PAR allows risk engines to set rules at the account level rather than the token level. If a single PAR is associated with 50 transactions across 10 different tokens in an hour, it triggers a fraud alert that would be missed if each token were analysed in isolation.

Streamlined Operations & Returns

Identifying a transaction for a return is simplified. If a customer loses their receipt, the merchant can use the PAR from the card or device presented at the POS to find the original online transaction. Because PAR persists even when cards are reissued, it helps maintain continuity in recurring billing logic and customer support workflows.

Reduced PCI DSS Scope

Because PAR is not considered sensitive payment data (it cannot be used to transact), it can be stored in CRM and analytics systems that are not PCI-compliant. This allows technical teams to move customer profiling out of the "Secure Zone," reducing compliance overhead.

Conclusion

For the modern merchant, PAR is no longer an optional "extra" but a fundamental requirement for operating in a tokenised world. It successfully balances the consumer’s need for data privacy and security with the merchant’s need for operational visibility and risk control. By adopting PAR, organisations can future-proof their payment infrastructure and reclaim the customer insights lost to tokenisation.

What Should Retailers Do Next?

1. Engage with your PSPs to confirm the PAR can be returned in the authorisation response (ISO 8583/20022 messages). Most major acquirers now support this field.
2. Make sure you can ingest the PAR in your operational, fraud risk and MI/CRM systems to make full use of it.
3. Quantify the commercial upside of getting the full visibility using PAR in your data products.
4. Build a roadmap to make the most of the opportunities to strengthen your fraud, loyalty and omnichannel data.

CBS Change Partners have 20 years of experience across the evolving payments landscape. We can help you identify the opportunities and implement a practical strategy to unlock the full value of PARs.

Retail Perspective #7 : PAR