Frequently Asked Question
Is Payment Account Reference (PAR) as defined by EMVCo considered PCI Account Data?
PAR cannot be used to initiate transactions and no authorization, capture, clearing or settlement message can be initiated with PAR alone. The guidelines for PAR also indicate that a PAR value must be generated in such a way as to ensure that it cannot be reverse engineered to obtain a PAN or other PCI Account Data. The data structure of PAR is also intentionally designed to ensure that PAR cannot be confused for PAN, Payment Token or other PCI Account Data.
Based on the underlying EMVCo description of PAR and its intended functions, including the underlying guidelines for PAR generation, PAR data is not considered to be PCI Account Data and, on its own, is not subject to the underlying requirements for protecting PCI Account Data as specified in PCI DSS. PCI DSS still applies anywhere PCI Account Data is stored, processed, or transmitted. If any system storing, processing, or transmitting PAR also stores, processes, or transmits Account Data (such as a PAN), or is connected to systems that store, process, or transmit Account Data, those systems remain in scope for PCI DSS requirements.