Tokenisation Next On List For Australia’s Co-Badged Debit Cards

June 27, 2023
The Reserve Bank of Australia (RBA) is seeking feedback on new proposals that would lay the groundwork for the standardising of debit card tokenisation for online transactions.

In its latest issues paper, published last week, the RBA introduced two proposals designed to promote competition and efficiency in the country’s debit card market.

The first, covered separately by VIXIO, is a proposal that would prohibit card issuers from selecting a default network on dual-network debit cards, making it easier for merchants to enjoy the benefits of least-cost routing.

The second addresses the need to improve security through the tokenisation of dual-network debit cards, which are co-badged with eftpos, the low-cost domestic scheme, and one international scheme.

Currently, around 90 percent of debit cards issued in Australia are dual-network.

The RBA has been a supporter of tokenisation for dual-network debit cards since late 2021, when it published its Conclusions Paper following the Review of Retail Payments Regulation.

At the time, least-cost routing was being rolled out for online transactions and the RBA saw this as a “catalyst” for discussions on how tokenisation might follow.

The RBA’s support for tokenisation dovetails with its support for least-cost routing, although it has so far been disappointed with the progress of least-cost routing, both for device-present and online transactions.

For device-present transactions, least-cost routing has been enabled for little more than 50 percent of merchants.

Eftpos has yet to launch its e-commerce tokenisation service, meaning that online-only merchants are still unable to tokenise customers’ eftpos card details.

When the eftpos e-commerce tokenisation service launches, which is scheduled to take place by March 2024, merchants will be able to tokenise both halves of their customers’ dual-network debit cards.

For the time being, for merchants who sell online and offline, there is a workaround that allows them to tokenise a customer’s eftpos card details if they also use an eftpos point of sale (POS) terminal in store.

Windcave, for example, is one payment gateway that allows merchants to tokenise an eftpos debit card that has been used by a customer in store, and then rebill the same card using an e-commerce API.

Visa and Mastercard have invested significantly in tokenisation, and with eftpos lagging behind in this security technology, the international networks have a potential competitive advantage.

All PANs must go

Without tokenisation, the RBA is concerned for the safety of card details stored online as primary account numbers (PANs).

In 2021-22, according to AusPayNet, fraudsters spent more than A$270m ($181m) via card-not-present transactions using stolen card details.

But with tokenisation, a customer’s card details can be restricted to a particular merchant and/or device, and less personal information is stored by the merchant or network.

Tokenisation also allows card details to be updated automatically, so that, for example, transactions are not declined when a customer’s card expires and is replaced with a new one.

At present, there is little consistency as to whose card details are tokenised in Australia and how, but the RBA has said that its long-term goal is for all dual-network debit cards to be tokenised.

And once this goal has been met, all industry stakeholders will be required to delete the PANs they have on file.

Proposed roads to tokenisation

Last month, the RBA Payments System Board discussed the findings of a report by an AusPayNet working group on tokenisation.

Following the meeting, the RBA said it intends to set some “minimum outcome” expectations rather than “prescribed arrangements”, with the aim of “substantially lessening” the use of databases of card numbers by the end of 2024.

As such, the RBA is seeking stakeholder feedback on possible solutions to achieving industry standardisation, including what expectations the RBA could set and timelines for their completion.

In the AusPayNet working group report, the three key issues highlighted as impediments to standardisation were token portability, token synchronisation and token visibility.

Token portability ensures that merchants can switch between PSPs after tokenising customers’ card details, i.e. merchants can “port” their tokens without having to face high costs or data re-entry requirements.

Token synchronisation ensures that tokenised card details are automatically updated, and token visibility ensures that card issuers and potentially cardholders can see which merchants have tokenised their cards.

Through the AusPayNet working group, stakeholders agreed that standardisation across these three areas is necessary, but did not agree on their relative importance or how they should be standardised.

With a submissions deadline of July 12, the RBA has asked stakeholders to comment on the costs and benefits of standardised tokenisation, and comment on feasible timelines for technical implementation.

For example, assuming that the rollout of the eftpos e-commerce tokenisation service is completed by March 2024, the RBA said it could ask all industry participants to support token portability by the end of 2024.

By the same deadline, the RBA could require all merchants, gateways and acquirers to tokenise their customers’ dual-network debit card details, and delete all PANs stored on their systems.

If the RBA opts for this timeline, it would expect that token synchronisation and token portability are also complete by the end of 2024.
