Expectations for Tokenisation of Payment Cards and Storage of PANs

The Bank has set expectations for the Tokenisation of Payment Cards and Storage of Primary Account Numbers (PANs), aimed at improving security, efficiency and competition for online card payments.

Expectations

  1. The rollout of the eftpos eCommerce core tokenisation service is to be completed by the end of March 2024, with an expansion of capability to support token portability and token synchronisation to follow (in line with expectations 4, 5 and 6). To facilitate planning, relevant industry participants should be provided with monthly updates on the service and its functionality ahead of the rollout.
  2. When a merchant or payment service provider chooses network tokenisation for a dual network debit card (DNDC), tokens should be requested and stored for both the domestic and international networks, where supported by both networks.
  3. Merchants and payment service providers that do not meet minimum security requirements relating to the storage of sensitive debit, credit and charge card information must not store customers’ PANs after the end of June 2025. At a minimum, these security requirements should be compliance with the Payment Card Industry Data Security Standard (PCI-DSS). This deadline is conditional on token portability and token synchronisation being supported by relevant industry participants by the end of June 2025, as outlined in expectations 4, 5 and 6.

Portability of debit, credit and charge card tokens

  4. All relevant industry participants – including schemes, gateways, and acquirers – should support portability for both scheme and proprietary tokens by the end of June 2025 to reduce the friction for merchants that wish to switch payment service providers.
    a. The eftpos, Mastercard and Visa card schemes should each develop token migration services if a solution does not already exist, to enable portability for merchants from one gateway or payment service provider to another. These services should be standardised and aligned as much as possible across schemes to minimise the operational burden on gateways; the solutions should not require gateways to retain PANs.
    b. Gateways should ensure that their proprietary tokens do not impede merchants switching payment service providers.
    c. Token-holding entities should provide, in a secure way, any reasonable data to any ‘authorised’ third party required to support token migration, and token migration should be executed in a timely manner.
    d. Only the reasonable costs of processing a token migration should be passed on to merchants.

Synchronisation for DNDC tokens

  5. Issuers and token-holding entities should ensure that any status change or lifecycle event related to one token is, where relevant, duplicated to all other relevant tokens in real time (or near real time), including notification to each relevant card scheme, to ensure that all such changes propagate through the full ecosystem. This applies regardless of where a status change or lifecycle event originates – be that merchant, scheme, issuer or cardholder. This expectation should be met by the end of June 2025.
  6. To link multiple tokens and aid token synchronicity, a unique account identifier, such as the Payment Account Reference (PAR), should be widely shared and used throughout the Australian payments ecosystem.
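The synchronisation expectations above, illustrated as an added example that is not the Bank's, AusPayNet's or any card scheme's code: a toy token registry in Python that links tokens through a shared PAR, propagates a lifecycle event raised against one token to every linked token in a single step, emits one notification per affected scheme, and includes a check that flags PARs whose tokens have drifted out of sync. The token identifiers, PAR values, event names and the rule that card-level events reach every token for the card while merchant-level events reach only that merchant's DNDC token pair are all constructed assumptions.

```python
"""Toy PAR-linked token registry (added example; constructed data and rules)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Token:
    token_id: str
    par: str        # Payment Account Reference shared by every token for one card
    scheme: str     # assumed scheme labels: "eftpos", "Mastercard", "Visa"
    merchant: str
    status: str = "active"


# Assumed lifecycle events: (resulting status, propagation scope).
# "card" scope reaches every token sharing the PAR (e.g. issuer suspends a lost card);
# "merchant" scope reaches only the same merchant's tokens for that PAR, i.e. both
# network tokens of a dual network debit card stored by that merchant.
EVENTS = {
    "suspend": ("suspended", "card"),
    "resume": ("active", "card"),
    "close": ("deleted", "card"),
    "merchant_delete": ("deleted", "merchant"),
}


class TokenRegistry:
    def __init__(self):
        self._tokens = {}
        self._by_par = defaultdict(set)   # PAR -> set of token ids
        self.notifications = []           # (scheme, par, event, origin) sent to schemes

    def register(self, token):
        self._tokens[token.token_id] = token
        self._by_par[token.par].add(token.token_id)

    def get(self, token_id):
        return self._tokens[token_id]

    def status(self, token_id):
        return self._tokens[token_id].status

    def apply_event(self, token_id, event, origin):
        """Apply a lifecycle event to one token and every token linked to it by PAR.

        Returns the sorted ids of the tokens whose status was updated. Tokens already
        deleted are terminal and are left untouched. One notification is recorded per
        scheme that holds an affected token, whatever the event's origin.
        """
        new_status, scope = EVENTS[event]
        source = self._tokens[token_id]
        affected, schemes = [], set()
        for tid in sorted(self._by_par[source.par]):
            tok = self._tokens[tid]
            if tok.status == "deleted":
                continue
            if scope == "merchant" and tok.merchant != source.merchant:
                continue
            tok.status = new_status
            affected.append(tid)
            schemes.add(tok.scheme)
        for scheme in sorted(schemes):
            self.notifications.append((scheme, source.par, event, origin))
        return affected

    def unsynced(self):
        """Detection check: PARs whose live (non-deleted) tokens disagree on status."""
        drifted = []
        for par, ids in self._by_par.items():
            live = {self._tokens[t].status for t in ids
                    if self._tokens[t].status != "deleted"}
            if len(live) > 1:
                drifted.append(par)
        return sorted(drifted)


def build_demo_registry():
    """Constructed sample: one DNDC tokenised for both networks at two merchants,
    plus an unrelated card that must never be touched by the DNDC's events."""
    reg = TokenRegistry()
    reg.register(Token("tok-eftpos-001", "PAR-AAA", "eftpos", "merchant-1"))
    reg.register(Token("tok-mc-001", "PAR-AAA", "Mastercard", "merchant-1"))
    reg.register(Token("tok-eftpos-002", "PAR-AAA", "eftpos", "merchant-2"))
    reg.register(Token("tok-visa-999", "PAR-ZZZ", "Visa", "merchant-1"))
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    print("issuer suspend touched:", reg.apply_event("tok-mc-001", "suspend", "issuer"))
    for note in reg.notifications:
        print("notify", note)
    print("out-of-sync PARs:", reg.unsynced())
```

The `unsynced` check is the part a token-holding entity would actually run on a schedule: a token whose status was changed outside `apply_event` (a direct database edit, a missed scheme callback) shows up as a PAR whose tokens disagree, which is exactly the gap that real-time propagation is meant to close.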

Background on Expectations

The Bank released an Issues Paper in June 2023 which discussed the importance of the tokenisation of card details in the online environment for improving the security of payments. However, the paper also noted that merchants and payment service providers continue to retain sensitive card details, sometimes with minimal security, which undermines the security benefits of tokenisation. Stakeholders had also argued that there were some areas where standardisation may be necessary to ensure that the full benefits of tokenisation are realised without impeding competition. Accordingly, following a round of consultation with industry stakeholders, the Bank published a set of draft expectations in a Conclusions Paper in September 2023, aimed at addressing these issues. The Bank subsequently received feedback on these draft expectations, as well as the appropriate scope of cards to be covered by the expectations. AusPayNet has agreed to coordinate the industry’s work to meet the Bank’s final expectations set out above, and draft more specific tokenisation standards if required.