Expectations for Tokenisation of Payment Cards and Storage of PANs May 2024

The Bank has set expectations for the Tokenisation of Payment Cards and Storage of Primary Account Numbers (PANs), aimed at improving security, efficiency and competition for online card payments.

Expectations

1. The eftpos eCommerce core tokenisation service should be expanded to support token portability and token synchronisation (in line with expectations 4, 5 and 6).
2. When a merchant or payment service provider chooses network tokenisation for a dual network debit card (DNDC), tokens should be requested and stored for both the domestic and international networks, where supported by both networks, unless the merchant has made an explicit choice to tokenise for one scheme only. Payment service providers should develop the capability for their merchants to request and store tokens for both the domestic and international networks, where supported by both networks.
   1. This expectation applies to DNDCs that are stored and processed by a merchant for the first time (the ‘front-book’), and not to the existing ‘back-book’ of DNDCs already stored by merchants.
   2. If tokenisation of a second network is not possible due to a temporary technical issue, all parties involved in the token request are expected to take reasonable steps to tokenise the PAN for the second network once the technical issue has been resolved.
3. Merchants and payment service providers that do not meet minimum security requirements relating to the storage of sensitive debit, credit and charge card information must not store customers’ PANs. These minimum requirements are set out in the Payment Card Industry Data Security Standard (PCI-DSS).

Portability of debit, credit and charge card tokens

4. All relevant industry participants – including schemes, gateways, and acquirers – should support portability for both scheme and proprietary tokens by the end of June 2025 to reduce the friction for merchants that wish to switch payment service providers.
   1. The eftpos, Mastercard and Visa card schemes should each develop token migration services if a solution does not already exist, to enable portability for merchants from one gateway or payment service provider to another. These services should be standardised and aligned as much as possible across schemes to minimise the operational burden on gateways; the solutions should not require gateways to retain PANs.
   2. Gateways should ensure that their proprietary tokens do not impede merchants switching payment service providers.
   3. Token-holding entities should provide, in a secure way, any reasonable data to any ‘authorised’ third-party required to support token migration, and token migration should be executed in a timely manner.
   4. Only the reasonable costs of processing a token migration should be passed on to merchants.

Synchronisation for DNDC tokens

5. All parties in the tokenisation chain should each take the necessary steps to support the synchronisation of related tokens to reflect any status change or lifecycle event, in real time (or near real time), to ensure that all such changes propagate through the full ecosystem, including to each scheme token, as relevant. In particular:
   1. any party that receives or initiates a token lifecycle management event should pass it on to the next recipient in the tokenisation chain, in real time or near real time
   2. if the entity has a connection to more than one card scheme, the entity should pass any token lifecycle management event on to each card scheme.

   This applies regardless of where a status change or lifecycle event originates – be that merchant, scheme, issuer or cardholder. For the synchronisation of tokens from the same network, this expectation should be met by the end of June 2025. For the synchronisation of tokens from different networks, the Bank will re-assess an appropriate timeline for meeting this expectation in mid-2025.

6. To link multiple tokens and aid token synchronicity, a unique account identifier, such as the Payment Account Reference (PAR), should be widely shared and used throughout the Australian payments ecosystem.

Background on Expectations

The Bank released an Issues Paper in June 2023 which discussed the importance of the tokenisation of card details in the online environment for improving the security of payments. However, the paper also noted that merchants and payment service providers continue to retain sensitive card details, sometimes with minimal security, which undermines the security benefits of tokenisation. Stakeholders had also argued that there were some areas where standardisation may be necessary to ensure that the full benefits of tokenisation are realised without impeding competition. Accordingly, following a round of consultation with industry stakeholders, the Bank published a set of draft expectations in a Conclusions Paper in September 2023, aimed at addressing these issues. The Bank subsequently received feedback on these draft expectations, as well as the appropriate scope of cards to be covered by the expectations.

The Bank first published its expectations for tokenisation of card payments in December 2023. AusPayNet agreed to coordinate the industry’s work to meet the Bank’s expectations, and draft more specific tokenisation standards if required. In May 2024, the Board decided to clarify and adjust the expectations in response to AusPayNet’s report on the industry’s response to meeting the Bank’s expectations.