The Australian Debit Card Market: Default Settings and Tokenisation – Conclusions Paper
September 2023
Appendix A
Expectations for tokenisation of payment cards and storage of PANs
The Bank expects:
- The rollout of the eftpos eCommerce tokenisation service to be completed by the end of March 2024. To facilitate planning, relevant industry participants should be provided with monthly updates on the service and its functionality ahead of the rollout.
- When a DNDC is tokenised, tokens should be requested and stored for both the domestic and international networks, where supported by both networks.
- Merchants and payment service providers that do not meet minimum security requirements – which should be at least compliance with PCI-DSS – must not store customers' PANs after the end of June 2025.
Portability of debit and credit card tokens
- All relevant industry participants – including schemes, gateways, and acquirers – should support portability for both scheme and proprietary tokens by the end of June 2025 to reduce the friction for merchants that wish to switch payment service providers.
- The eftpos, Mastercard and Visa card schemes should each develop token migration services if a solution does not already exist, to enable portability for merchants from one gateway or payment service provider to another. These services should be standardised and aligned as much as possible across schemes to minimise the operational burden on gateways; the solutions should not require gateways to retain PANs.
- Gateways should ensure that their proprietary tokens do not impede merchants switching payment service providers.
- Token-holding entities should provide any reasonable data to any authorised third-party required to support token migration, and token migration should be executed in a timely manner.
- Only the reasonable costs of processing a token migration should be passed on to merchants.
Synchronisation for DNDC tokens
- Issuers and token-holding entities should ensure that any status change or life-cycle event related to one token is, where relevant, duplicated to all other relevant tokens in real time (or near real time), including notification to each relevant card scheme, to ensure that all such changes propagate through the full ecosystem. This applies regardless of where a status change or life-cycle event originates, be that merchant, scheme, issuer or cardholder.
- To link multiple tokens and aid token synchronicity, a unique Payment Account Reference (PAR) for each account, or equivalent solution, should be widely shared and used throughout the Australian payments ecosystem.
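The synchronisation expectation above describes a concrete mechanism: every token issued for one account (for a DNDC, typically one on the domestic network and one on an international network, possibly held by different gateways) is linked under a single PAR, and a life-cycle event applied to any one of them is propagated to all of the others and reported to each scheme. The following is an added illustration of that mechanism, not code from the Bank or from any scheme. The registry class, the network and holder labels, the PAR value and the transition rules are constructed for the example; real PAR formats, scheme notification interfaces and token life-cycle states are defined by the schemes and are not reproduced here.

```python
from dataclasses import dataclass
from enum import Enum


class TokenStatus(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    DELETED = "deleted"


# Status changes permitted for a single token (constructed for this example).
# Deletion is terminal: a deleted token can never be reactivated.
ALLOWED_TRANSITIONS = {
    TokenStatus.ACTIVE: {TokenStatus.SUSPENDED, TokenStatus.DELETED},
    TokenStatus.SUSPENDED: {TokenStatus.ACTIVE, TokenStatus.DELETED},
    TokenStatus.DELETED: set(),
}


@dataclass
class Token:
    token_id: str
    network: str   # scheme the token belongs to (constructed labels below)
    holder: str    # token-holding entity, e.g. a gateway (hypothetical names)
    status: TokenStatus = TokenStatus.ACTIVE


class TokenRegistry:
    """Links all tokens for one account under its PAR and fans life-cycle events out."""

    def __init__(self) -> None:
        self._by_par: dict[str, list[Token]] = {}
        # Outbound scheme notifications: (network, token_id, new status, origin)
        self.notifications: list[tuple[str, str, str, str]] = []

    def register(self, par: str, token: Token) -> None:
        self._by_par.setdefault(par, []).append(token)

    def tokens_for(self, par: str) -> list[Token]:
        return list(self._by_par.get(par, []))

    def is_synchronised(self, par: str) -> bool:
        """True when every token linked to the PAR carries the same status."""
        return len({t.status for t in self.tokens_for(par)}) <= 1

    def apply_lifecycle_event(self, par: str, new_status: TokenStatus, origin: str) -> int:
        """Apply one status change to every token sharing the PAR.

        The event may originate from a merchant, scheme, issuer or cardholder;
        the propagation is identical. Transitions are validated for all linked
        tokens before any is changed, so the set never ends up half-updated.
        Returns the number of tokens whose status changed; each changed token
        produces a notification to its own scheme.
        """
        tokens = self._by_par.get(par)
        if not tokens:
            raise KeyError(f"unknown PAR {par!r}")
        to_change = [t for t in tokens if t.status != new_status]
        for tok in to_change:
            if new_status not in ALLOWED_TRANSITIONS[tok.status]:
                raise ValueError(
                    f"{tok.token_id}: {tok.status.value} -> {new_status.value} not allowed"
                )
        for tok in to_change:
            tok.status = new_status
            self.notifications.append((tok.network, tok.token_id, new_status.value, origin))
        return len(to_change)


# Constructed sample data: one DNDC tokenised on both networks at two gateways.
DEMO_PAR = "PAR-CONSTRUCTED-0001"


def build_demo_registry() -> TokenRegistry:
    reg = TokenRegistry()
    reg.register(DEMO_PAR, Token("tok-dom-1", "domestic-scheme", "gateway-a"))
    reg.register(DEMO_PAR, Token("tok-int-1", "international-scheme", "gateway-b"))
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    # Issuer suspends the card: both tokens change and both schemes are notified.
    print("changed:", reg.apply_lifecycle_event(DEMO_PAR, TokenStatus.SUSPENDED, "issuer"))
    print("synchronised:", reg.is_synchronised(DEMO_PAR))
    for note in reg.notifications:
        print("notify", note)
```

Validating every linked token before changing any is the design choice worth noting: if a scheme-specific rule rejects the transition for one token, the others are left untouched and the tokens stay synchronised, which is the property the expectation is trying to guarantee.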