EMVCo Token Standards – The Complete Overview 2026

[Student]

(From official EMVCo documentation, bulletins, and public resources – December 2025)

EMVCo (the global standards body owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa) defines the EMV Payment Tokenisation Specification – Technical Framework. This framework standardizes payment tokenization – replacing the Primary Account Number (PAN) with a token (surrogate value) for secure digital/mobile payments.

Current Version (2025):

• EMV Payment Tokenisation Specification – Technical Framework v2.3.1 (latest referenced in EMVCo FAQs and bulletins).
• Guide to Use Cases v2.2.1 (January 2023, with ongoing updates).
• No major new version in 2025 – focus on bulletins and C-8 kernel integration.

Key Documents (Public Access on emvco.com):

• Technical Framework v2.3.1 – Core spec defining roles, token lifecycle, security.
• Guide to Use Cases v2.2.1 – Illustrative examples (e-commerce, mobile, IoT).
• FAQ v2.3.1 – General/technical questions.
• Bulletins – Updates (e.g., PAR enhancements, agentic payments).

Core Concepts of EMVCo Token Standards​

Token Definition:

• A payment token is a surrogate value (13–19 digits, Luhn-valid) replacing the PAN.
• Domain-restricted – limited to specific merchant, device, channel, or transaction type.
• Token BIN ranges – dedicated for tokens (flagged in BIN tables).

Token Lifecycle:

• Provisioning – Token request + issuer approval.
• Activation – Token usable.
• Suspension/Resumption – Temporary hold.
• Deletion – Permanent removal.

Roles in the Framework:

Role	Description	Examples
Token Requestor (TR)	Initiates token request (wallet, merchant, gateway)	Apple Pay, merchant app
Token Service Provider (TSP)	Generates/manages tokens	Visa Token Service, Mastercard MDES, UnionPay
Token Vault	Secure mapping token ↔ PAN	Network or issuer vault
Registration Authority	Manages TR registration	EMVCo or networks

Token Types:

• Payment Token – Standard replacement.
• Cryptogram Token – With dynamic cryptogram for high-value.
• Domain-Restricted – Merchant/device specific.

Token Assurance Level (TAL):

• Confidence in token-PAN binding (based on ID&V method).
• Higher TAL = fewer restrictions.

Security & Compliance Features (2025)​

• Detokenization – Only by authorized TSP (never exposed to merchant).
• Domain Control – Token restricted (e.g., only Apple Pay).
• Cryptogram – Dynamic for high-value (like ARQC).
• PCI DSS Scope Reduction – Merchants store tokens → lower compliance.
• Interoperability – Works with EMV 3DS, SRC, contactless kernels.

Agentic Payments Support (2025 Update):

• EMVCo exploring how tokenization supports AI agents (agentic commerce).

Bottom Line – December 2025​

EMVCo token standards (v2.3.1 framework) provide a global, interoperable tokenization framework – replacing PAN with restricted tokens for security.

It's the foundation for network tokens (Visa/MC/Amex/Discover) and device tokens (Apple Pay/Google Pay).

For implementation: Use network TSP APIs or EMVCo guidelines.

Stay safe – tokenization is core to modern payment security.

Your choice.

 

[Student]

Overview of EMVCo Token Standards​

EMVCo, the global technical body owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa, manages standards for secure payment transactions. One of its key areas is payment tokenisation (often spelled "tokenization" in American English), which enhances security for digital, mobile, e-commerce, and remote payments.

The core standard is the EMV® Payment Tokenisation Specification – Technical Framework. As of December 2025, the latest version referenced is v2.3.1 (with associated FAQs and bulletins). Supplementary documents include A Guide to Use Cases v2.2.1 (updated January 2023) and general/technical FAQs.

What is EMV Payment Tokenisation?​

EMV Payment Tokenisation replaces the sensitive Primary Account Number (PAN) — the 13–19 digit number on a payment card — with a non-sensitive surrogate value called an EMV Payment Token (or simply "payment token").

Key characteristics:

• The token is a numeric value (typically 13–19 digits) that resembles a PAN to minimize changes to existing payment systems.
• Tokens are domain-restricted: They can be limited by channel (e.g., e-commerce only), device, merchant, transaction type, or usage count (single-use vs. multi-use).
• Tokens are routed through existing payment networks (like VisaNet or Banknet) and detokenised only by the issuer or authorised Token Service Provider (TSP).
• Each transaction often includes a dynamic cryptogram (similar to EMV chip cryptograms) for added security.

This differs from other tokenisation forms (e.g., merchant-specific or acquirer tokens) because EMV tokens are interoperable across the global payment ecosystem and flow end-to-end from merchant to issuer.

Primary Benefits​

Stakeholder	Benefits
Consumers	Reduced risk of data breaches; seamless updates (e.g., expired cards auto-update tokens).
Merchants	Lower PCI DSS scope (tokens are not card data); higher authorisation rates; better fraud protection.
Issuers	Remote control over tokens (suspend/activate without reissuing cards); reduced fraud losses.
Acquirers/Networks	Improved transaction integrity; support for network-level tokens (e.g., Visa Token Service, Mastercard Digital Enablement Service).

Key Components and Concepts​

Concept	Description
Payment Token	Surrogate for PAN; starts with a specific BIN range to identify it as a token.
Token BIN Range	EMVCo assigns ranges to ensure tokens are distinguishable from real PANs.
Domain Restrictions	Controls (e.g., merchant-locked, device-bound) enforced via Token Assurance Level and cryptograms.
Payment Account Reference (PAR)	29-character alphanumeric identifier linking all tokens (and the original PAN) for one account. Enables loyalty programs, fraud tracking, and chargebacks without exposing PAN. Not PCI-scope data.
Token Cryptogram	Dynamic one-time code (like ARQC in chip transactions) proving token authenticity and freshness.
Token Assurance Level	Score (from ID&V process) indicating confidence in token provisioning (e.g., cardholder verification method).

Roles in the Ecosystem​

Role	Responsibilities
Token Requestor (TR)	Entity requesting a token (e.g., merchant, digital wallet like Apple Pay/Google Pay). Registered with a TSP.
Token Service Provider (TSP)	Generates, provisions, and manages tokens (usually networks like Visa/Mastercard or issuers). Must register with EMVCo for a TSP Code.
Token Programme	Overarching scheme (e.g., Visa Token Service) defining specific rules.
BIN Controller	Entity (usually issuer) controlling token BINs; assigned a unique BCID by EMVCo.
Registration Authority	EMVCo manages registrations for transparency and interoperability.

EMVCo runs registration programmes for:

• Token Requestor IDs (TRID = TSP Code + unique suffix).
• TSP Codes (3-digit identifiers).
• BIN Controller IDs (BCID).

Evolution of the Specification​

Version	Release Year	Key Changes/Features
v1.0	2014	Initial framework; focused on mobile/NFC provisioning.
v2.0	2017–2019	Introduced PAR, refined roles, expanded e-commerce use cases, shared/limited-use tokens.
v2.3.1	~2020s (latest referenced)	Ongoing refinements for interoperability, cryptogram enhancements, integration with EMV 3-D Secure and SRC (Secure Remote Commerce).
Supplements	2023–2025	Updated Guide to Use Cases (v2.2.1); bulletins on fees and agentic payments support.

As of 2025, EMVCo continues evolving the standards to support emerging trends like agentic payments (AI-driven), electric vehicle charging, and post-quantum readiness.

Relation to Other EMV Technologies​

• Network Tokens: High-assurance tokens provided by card networks (e.g., MDES for Mastercard, VTS for Visa) — the most common implementation of EMVCo standards.
• Often combined with EMV 3-D Secure for risk-based authentication and EMV SRC (Click to Pay) for streamlined checkout.

EMVCo tokenisation is the foundation for modern digital wallets (Apple Pay, Google Pay, Samsung Pay) and network token services, dramatically reducing card-not-present fraud while enabling innovation. For the latest documents, visit emvco.com/emv-technologies/payment-tokenisation/.