What is the PCR?
Pseudonymous Customer Reference, or PCR, is a unique identifier used by Mobile Connect to reference a pairing between a specific end-user's account and a specific application/web service.
The format of the PCR (using v4 of the standard) is a GUID (Globally Unique Identifier): 32 hexadecimal (base 16) digits arranged in 5 groups separated by hyphens. For example:
The PCR is generated by the operator Identity Gateway (IDGW) after a successful end-user authentication and is contained in the ID Token returned in the OpenID Connect response. Although the PCR is generated by a specific IDGW, Mobile Connect states it must be globally unique and therefore recommends it is a static value. This is so that the PCR remains constant for a particular end-user and application/web service combination even if the user switches operators, meaning a change of operator has no impact on the PCR being used by the application/web service.
Why use the PCR?
By using the PCR, there is no requirement to provide personal data about the user for access to an application/web service. The service provider (application/web service) is assured that an actual user has authenticated using Mobile Connect and applications can then request additional information about users with their permission. This allows users to be confident their personal information will only be shared with the applications they choose with their explicit consent.
The application/web service stores the PCR against the user account in their database.
Is the PCR secure?
The PCR is unique to each application/web service and user account combination. Other Mobile Connect enabled service providers will not be able to copy and use another application's PCR in their system to associate with the same user.
In the example below, the PCR created for mobile number 1 (MSISDN 1) on Application A will not be the same as the PCR created for the same mobile number (MSISDN 1) on Application B where applications A and B are with different service providers.
However, the operator IDGW will create the same PCR for a given end-user (MSISDN) if the 'sector_identifier_uri'* parameter is the same for a group of applications/web services. More specifically, a single service provider can have the same PCR for a user across all of their own applications/web services.
* 'sector_identifier_uri' is a mandatory parameter in the authorisation flow that contains all the URLs prescribed by the service provider (the application/web service owner) while creating the application or web service in the Developer Portal. The mandatory URL in the 'sector_identifier_uri' parameter is a 'Redirect URL'. It is aimed at ensuring all the responses from an IDGW are delivered to the correct service provider's applications/web services.
In the example above, Applications A and B belong to the same service provider and have the same sector_identifier_uri parameter. Therefore they will have the same PCR for a specific mobile number (MSISDN). The same is true of web services C and D. They share the same sector_identifier_uri parameter and service provider as each other and so will also have the same PCR as each other.
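The pairing behaviour described above, as an added example that is not Mobile Connect, GSMA or operator code: a toy IDGW that mints one GUID per (MSISDN, sector_identifier_uri) pairing and keeps it static, and service providers that store only the PCR against their accounts. The in-memory tables, the sector identifier URLs and the MSISDN are constructed values, and the ID Token is reduced to a single `pcr` field, which is an assumption made for the illustration. It also shows the format check a service provider can run on the returned value before storing it.

```python
"""Toy model of PCR issuance with the properties the page describes.
Added example; not Mobile Connect or operator code. All values constructed."""
import re
import uuid

# A PCR is a GUID: 32 hex digits written as 5 hyphen-separated groups (8-4-4-4-12).
PCR_PATTERN = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def is_valid_pcr(value):
    """Return True if `value` is formatted like a PCR (GUID)."""
    return isinstance(value, str) and bool(PCR_PATTERN.match(value))


class IdentityGateway:
    """Toy IDGW: one PCR per (MSISDN, sector_identifier_uri) pairing.

    The pairing table is an in-memory dict (assumption); a real IDGW
    persists it so the PCR stays static for the lifetime of the pairing.
    """

    def __init__(self):
        self._pairings = {}

    def authenticate(self, msisdn, sector_identifier_uri):
        """Simulate a successful authentication and return the ID Token payload
        carrying the PCR. Only a `pcr` field is modelled (assumption)."""
        key = (msisdn, sector_identifier_uri)
        if key not in self._pairings:
            # First time this user reaches this service provider: mint a fresh GUID.
            self._pairings[key] = str(uuid.uuid4())
        return {"pcr": self._pairings[key]}


class ServiceProvider:
    """Toy service provider that stores the PCR, never the MSISDN, against accounts."""

    def __init__(self, sector_identifier_uri):
        self.sector_identifier_uri = sector_identifier_uri
        self._accounts = {}  # PCR -> account record

    def login(self, idgw, msisdn):
        """Run the login and map the returned PCR to a local account."""
        token = idgw.authenticate(msisdn, self.sector_identifier_uri)
        pcr = token["pcr"]
        if not is_valid_pcr(pcr):
            # Reject anything that is not a well-formed GUID before it reaches storage.
            raise ValueError("ID Token did not carry a well-formed PCR")
        return self._accounts.setdefault(pcr, {"pcr": pcr, "profile": {}})


def demo():
    """Exercise the properties the page describes and return them for checking."""
    idgw = IdentityGateway()
    # Constructed values: apps A and B belong to one provider and share a
    # sector identifier; app C belongs to a different provider.
    app_a = ServiceProvider("https://provider1.example/sector")
    app_b = ServiceProvider("https://provider1.example/sector")
    app_c = ServiceProvider("https://provider2.example/sector")
    msisdn = "+447700900001"  # constructed MSISDN 1

    pcr_a = app_a.login(idgw, msisdn)["pcr"]
    pcr_b = app_b.login(idgw, msisdn)["pcr"]
    pcr_c = app_c.login(idgw, msisdn)["pcr"]
    pcr_a_again = app_a.login(idgw, msisdn)["pcr"]
    return {
        "same_provider_same_pcr": pcr_a == pcr_b,
        "other_provider_different_pcr": pcr_a != pcr_c,
        "pcr_is_static": pcr_a == pcr_a_again,
        "pcr_well_formed": is_valid_pcr(pcr_a),
        "msisdn_not_stored_by_provider": msisdn not in repr(app_a._accounts),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of keying the pairing table on the sector identifier rather than on the individual application is what makes applications A and B above receive one PCR while application C receives another; the service provider side only ever sees the GUID, which is why the PCR alone cannot be used by a different provider to recover the same user.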
In summary, the PCR is an important piece of information and should always be kept secret.