(From official EMVCo documentation, bulletins, and public resources – December 2025)
EMVCo (the global standards body owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa) defines the EMV Payment Tokenisation Specification – Technical Framework. This framework standardizes payment tokenization – replacing the Primary Account Number (PAN) with a token (surrogate value) for secure digital/mobile payments.
Current Version (2025):
Key Documents (Public Access on emvco.com):
Token Lifecycle:
Roles in the Framework:
Token Types:
Token Assurance Level (TAL):
Agentic Payments Support (2025 Update):
It's the foundation for network tokens (Visa/MC/Amex/Discover) and device tokens (Apple Pay/Google Pay).
For implementation: Use network TSP APIs or EMVCo guidelines.
Stay safe – tokenization is core to modern payment security.
Your choice.
EMVCo (the global standards body owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa) defines the EMV Payment Tokenisation Specification – Technical Framework. This framework standardizes payment tokenization – replacing the Primary Account Number (PAN) with a token (surrogate value) for secure digital/mobile payments.
Current Version (2025):
- EMV Payment Tokenisation Specification – Technical Framework v2.3.1 (latest referenced in EMVCo FAQs and bulletins).
- Guide to Use Cases v2.2.1 (January 2023, with ongoing updates).
- No major new version in 2025 – focus on bulletins and C-8 kernel integration.
Key Documents (Public Access on emvco.com):
- Technical Framework v2.3.1 – Core spec defining roles, token lifecycle, security.
- Guide to Use Cases v2.2.1 – Illustrative examples (e-commerce, mobile, IoT).
- FAQ v2.3.1 – General/technical questions.
- Bulletins – Updates (e.g., PAR enhancements, agentic payments).
Core Concepts of EMVCo Token Standards
Token Definition:- A payment token is a surrogate value (13–19 digits, Luhn-valid) replacing the PAN.
- Domain-restricted – limited to specific merchant, device, channel, or transaction type.
- Token BIN ranges – dedicated for tokens (flagged in BIN tables).
Token Lifecycle:
- Provisioning – Token request + issuer approval.
- Activation – Token usable.
- Suspension/Resumption – Temporary hold.
- Deletion – Permanent removal.
Roles in the Framework:
| Role | Description | Examples |
|---|---|---|
| Token Requestor (TR) | Initiates token request (wallet, merchant, gateway) | Apple Pay, merchant app |
| Token Service Provider (TSP) | Generates/manages tokens | Visa Token Service, Mastercard MDES, UnionPay |
| Token Vault | Secure mapping token ↔ PAN | Network or issuer vault |
| Registration Authority | Manages TR registration | EMVCo or networks |
Token Types:
- Payment Token – Standard replacement.
- Cryptogram Token – With dynamic cryptogram for high-value.
- Domain-Restricted – Merchant/device specific.
Token Assurance Level (TAL):
- Confidence in token-PAN binding (based on ID&V method).
- Higher TAL = fewer restrictions.
Security & Compliance Features (2025)
- Detokenization – Only by authorized TSP (never exposed to merchant).
- Domain Control – Token restricted (e.g., only Apple Pay).
- Cryptogram – Dynamic for high-value (like ARQC).
- PCI DSS Scope Reduction – Merchants store tokens → lower compliance.
- Interoperability – Works with EMV 3DS, SRC, contactless kernels.
Agentic Payments Support (2025 Update):
- EMVCo exploring how tokenization supports AI agents (agentic commerce).
Bottom Line – December 2025
EMVCo token standards (v2.3.1 framework) provide a global, interoperable tokenization framework – replacing PAN with restricted tokens for security.It's the foundation for network tokens (Visa/MC/Amex/Discover) and device tokens (Apple Pay/Google Pay).
For implementation: Use network TSP APIs or EMVCo guidelines.
Stay safe – tokenization is core to modern payment security.
Your choice.