.svg)
The Reserve Bank of Australia (RBA) has confirmed that it expects the country’s payments industry to be ready to meet new standards on card tokenisation by the end of June 2025.
On December 21, the RBA published its “expectations” for the tokenisation of payment cards and storage of primary account numbers (PANs).
Tokenisation is when a cardholder’s PAN is converted into a unique token that carries less sensitive information and whose use can be restricted to a particular device or merchant.
The key expectation is that all relevant payments industry participants, including schemes, gateways and acquirers, should support “token portability” and “token synchronisation” by the end of June 2025.
If a solution does not already exist, each card scheme is expected to develop its own token migration service to port tokens from one gateway or payment service provider (PSP) to another.
These services should be “standardised and aligned” as much as possible across schemes, the RBA added, to minimise the operational burden on gateways.
Token-holding entities are asked to honour any “reasonable” data requests from third parties to support token migration, and only “reasonable” costs of processing a token migration are to be passed on to merchants.
eftpos almost ready for tokenisation
The RBA notes that eftpos, Australia’s low-cost domestic debit card scheme, is set to launch its eftpos eCommerce tokenisation service by the end of March 2024.
This will allow for both token portability and token synchronisation across dual-network debit cards.
In Australia, according to the RBA, 85 percent of debit cards in circulation are dual-network, meaning they can process transactions using either eftpos or one of the international schemes (Visa Debit or Debit Mastercard).
Issuers and token-holding entities should ensure that any status change or lifecycle event related to a token is duplicated to all other relevant tokens in real time (or near real time).
This requirement, which should also be met by the end of June 2025, should include a notification to each card scheme each time token information is updated.
At present, as reported by Vixio, online-only merchants are still unable to tokenise customers’ eftpos card details.
For merchants who sell online and offline, there is a workaround that allows them to tokenise a customer’s eftpos card details if they also use an eftpos point of sale (POS) terminal in-store.
While Visa and Mastercard have invested significantly in tokenisation, eftpos has lagged behind in this security technology, but the launch of eftpos eCommerce in March this year will be key to the RBA’s plans.
Meeting the deadline and contingency plans
Nonetheless, sources are sceptical that the expectations can be met within 18 months.
Brad Kelly, managing director of Australia’s Payment Services consultancy, said the RBA’s deadlines “never work” and are typically exceeded by one, two or several years, as has been the case with least-cost routing.
In the meantime, AusPayNet has agreed to coordinate the industry’s work on token migration and will draft more specific standards if necessary.
AusPayNet is a payments industry association that facilitates collaboration between industry participants to adopt regulation and system-wide standards.
If the RBA expectations are met by the end of June 2025, then merchants and PSPs that do not meet minimum security requirements must cease storing PANs by the same date.
However, if the RBA’s expectations are not met by the end of June 2025, the current status quo will continue, with further direction to be provided by AusPayNet.
All PANs must go
Without tokenisation, the RBA is concerned for the safety of card details that are stored online as PANs.
In 2021/22, according to AusPayNet, fraudsters spent more than A$270m ($181m) via card-not-present transactions using stolen card details.
But with tokenisation, a customer’s card details can be restricted to a particular merchant and/or device, and less personal information is stored by the merchant or network.
Tokenisation also allows card details to be updated automatically, so that, for example, transactions are not declined when a customer’s card expires and is replaced with a new one.
At present, there is little consistency in Australia as to whose card details are tokenised and how, but since 2021, the RBA has said that its long-term goal is for all dual-network debit cards to be tokenised.
Once this goal has been met, all industry stakeholders will be required to delete the PANs they have on file.
