The Australian Debit Card Market: Default Settings and Tokenisation – Conclusions Paper
September 2023
3. Tokenisation of Card Payments

Issues

Tokenisation of card payments involves replacing sensitive information – the cardholder’s primary account number (PAN) – with a unique token that contains less critical information than the PAN and can be restricted for use on a particular device and/or at a specific merchant. The Issues Paper noted that despite tokenisation becoming more widespread, many merchants and their providers continue to retain sensitive card details to facilitate repeated or recurring transactions, which undermines the security benefits of tokenisation. According to AusPayNet data, in 2022 fraudsters made more than $275 million in card-not-present transactions at Australian merchants using stolen Australian debit and credit card details. In addition to these losses (which are often borne by the merchant), cardholders, merchants and financial institutions incur significant costs investigating and resolving fraud cases.

The Issues Paper also noted that an AusPayNet working group had identified some areas where standardisation is necessary to ensure that the tokenisation of dual-network debit cards (DNDCs) for online transactions is implemented in a way that realises the benefits of tokenisation without undermining competition and efficiency. Some of the issues identified were also relevant to the tokenisation of payment cards more generally (not just DNDCs). The working group concluded that some standardisation would be required to enable:

  1. token portability so that once customers’ PANs have been tokenised and deleted, merchants will still be able to switch their provider while retaining their customers’ current tokens. Without portability, if a merchant switched provider, they would need to ask their existing customer base to re-enter their debit or credit card details for future transactions. This would be highly unattractive to many merchants, as it would likely result in declined transactions and customer attrition, and could effectively lock affected merchants into staying with their current provider.
  2. token synchronisation so that when issuers update details for a DNDC (such as a new expiry date), all network tokens are updated simultaneously to avoid the possibility that some online debit card transactions fail due to only one network token being updated.
  3. token visibility so issuers can see which merchants have stored tokens for their debit and credit cards, and potentially provide their cardholders with value-added services to help them manage their recurring payments.

Policy options presented in the Issues Paper

The Issues Paper sought stakeholder views on expectations the Bank could set for the industry to address the issues identified by the AusPayNet working group, and to substantially reduce the amount of sensitive card details being held across the industry. In particular, views were sought on the relative importance of: addressing the token portability, token synchronisation and token visibility issues; potential solutions and their costs and benefits; and feasible implementation timelines. The paper also noted that the Bank had a strong desire to see a significant reduction in all types of card details being stored across the ecosystem (given the associated fraud risk) and sought views on the benefits and costs of the Bank’s expectations applying to all Australian-issued cards, including credit cards, single network debit cards and prepaid cards (as appropriate). The Issues Paper included an example of possible expectations the Bank could set.

Stakeholder views

Nearly all stakeholders expressed support for the Bank’s consultation on tokenisation and agreed that it was a good time to consider whether some standardisation of tokenisation approaches was required. Most stakeholders considered token portability and synchronisation to be the most important issues to be addressed in a coordinated way. While a few stakeholders also considered token visibility to be important, others considered it to be less critical to address.

Many stakeholders noted that token portability was important because it will help to support competition between merchants’ providers. Some stakeholders were of the view that significant investment in technical enhancements would be required to enable token portability. Most stakeholders were of the view that the card schemes were best placed to develop token portability solutions under an industry framework. Stakeholders suggested a few different models for how this could work including: (i) a network-agnostic token that is compatible across all networks; (ii) requiring schemes to offer token migration services (e.g. via an API); and/or (iii) requiring schemes to share data to support token migration.

Stakeholders noted that token synchronisation was important for the reliability of transactions and suggested that data sharing among payments system participants was needed. This would involve the development of real-time communication protocols between participants so that issuers and token-holding entities could notify other relevant parties of status changes related to a token.

Most stakeholders acknowledged the benefits of token visibility in providing greater transparency to issuers and cardholders, which could give customers greater control over their recurring card payments. However, token visibility was generally seen as functionality that was ‘nice to have’, and its absence did not have significant implications for security, competition or reliability. Further, some stakeholders raised concerns about token visibility; for example, these new services could, in principle, allow consumers to cancel a token at a merchant before providing the merchant with notice (despite notice being contractually required by some merchants).

Some stakeholders were not opposed to the industry continuing to shift towards network tokenisation – that is, tokenisation by the card scheme rather than a merchant or its provider. However, some stakeholders raised concerns about the impact on some providers and merchants should they no longer be able to store and use PANs, as well as possible adverse effects on competition and efficiency should the gatekeeper status of the card schemes be entrenched and enhanced.[5]

Most stakeholders were supportive of the Bank setting some high-level expectations for the industry, with AusPayNet playing a central role in coordinating the industry’s work to meet the Bank’s expectations. A few stakeholders saw less of a need for standardisation, and argued it was important that Australian practices continued to align closely to international standards. Stakeholder views were mixed around whether the end of 2024 was feasible for achieving token portability and making substantial progress in removing PANs. Some stakeholders were concerned about their systems’ deep reliance on PANs and suggested that there could be a staged timeline for the reduction of PAN storage to provide a smooth transition towards full tokenisation. Considering these issues, some stakeholders viewed a mid-to-late 2025 timeline as more feasible.

The Board’s assessment and conclusions

There was broad support among stakeholders for the industry to explore introducing more standardisation for tokenisation of DNDCs for online transactions. Accordingly, the Board decided that following some further consultation, the Bank will endeavour to publish high-level expectations for the industry by the end of 2023. Given that some of the issues, particularly token portability, are relevant for payment cards more generally, the Bank’s expectations should be met for debit and credit cards, as appropriate (with the precise scope yet to be defined, as discussed below).

The Bank’s draft expectations are set out in Appendix A. There are some key differences and additions to the example expectations published in the Issues Paper. In particular, the Bank is proposing that:

  • the industry not be expected to move to network tokens
  • merchants and their providers be allowed to retain PANs provided they meet minimum security standards, which may be more stringent than the Payment Card Industry Data Security Standard (PCI-DSS)[6]
  • the card schemes build the necessary infrastructure to support network token portability, to the extent it doesn’t already exist
  • no expectations be set regarding token visibility
  • the industry meet the expectations by mid-2025 (rather than the end of 2024).

The Bank has asked AusPayNet to coordinate the industry’s work to meet the Bank’s expectations and draft more specific tokenisation standards if required. The Bank will work with AusPayNet and industry to put in place governance arrangements for this work to ensure that all stakeholders’ views are considered in formulating the industry response.

The Bank would welcome feedback on two matters:

  1. The draft expectations included in Appendix A.
  2. The appropriate scope of cards to be covered by the expectations, particularly the extent to which they should apply to prepaid and charge cards.

Stakeholders who wish to provide feedback should contact the Bank by email at pysubmissions@rba.gov.au by 13 October. The Bank will then contact these stakeholders to discuss next steps.

Endnotes

[5] Network tokenisation involves the card scheme tokenising the PAN and storing the PAN in a token vault. As such, neither the merchant nor the gateway stores the PAN; each instead uses the token provided by the card scheme. In contrast, merchant (or proprietary/gateway) tokenisation is where a customer’s PAN is typically tokenised by the merchant’s payment gateway. When processing the tokenised payment, the merchant’s gateway extracts the PAN from its own token vault before sending it to the card scheme. In some cases, tokenisation is performed by the (typically very large) merchant itself, rather than the gateway.
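To make the mechanics described in the Issues section and in this endnote concrete, the following is an added illustration, not code from the Bank, AusPayNet or any card scheme or gateway. It models a hypothetical merchant/gateway token vault: a PAN is replaced by a random token bound to one merchant (and optionally one device), the gateway recovers the PAN from its own vault only when the scope matches, an issuer-driven expiry change is applied to every token for that PAN at once (the synchronisation problem), and a simple count shows that this style of vault still holds the PANs the paper wants to see reduced. The class and method names, the merchant and device identifiers and the test card number are all constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class TokenRecord:
    """What the gateway keeps against each token it has issued."""
    pan: str                  # sensitive value; a production vault would hold it encrypted, usually behind an HSM
    expiry: str               # "MM/YY" as supplied by the issuer
    merchant_id: str          # the token is only honoured for this merchant
    device_id: Optional[str]  # optionally also bound to one device (None = any device)


class GatewayTokenVault:
    """Toy merchant/gateway token vault (hypothetical; not any real gateway's design)."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenise(self, pan: str, expiry: str, merchant_id: str,
                 device_id: Optional[str] = None) -> str:
        """Replace a PAN with a random token. The token carries no PAN digits, so a leaked
        token on its own cannot be replayed as a card number."""
        token = "tok_" + secrets.token_hex(12)
        self._records[token] = TokenRecord(pan, expiry, merchant_id, device_id)
        return token

    def detokenise(self, token: str, merchant_id: str,
                   device_id: Optional[str] = None) -> Tuple[str, str]:
        """Recover (PAN, expiry) for an authorisation request, enforcing the token's scope.
        This is the step the endnote describes: the gateway extracts the PAN from its own
        vault before sending the transaction on to the card scheme."""
        rec = self._records.get(token)
        if rec is None:
            raise LookupError("unknown token")
        if rec.merchant_id != merchant_id:
            raise PermissionError("token is not valid for this merchant")
        if rec.device_id is not None and rec.device_id != device_id:
            raise PermissionError("token is bound to a different device")
        return rec.pan, rec.expiry

    def update_expiry(self, pan: str, new_expiry: str) -> int:
        """Token synchronisation: when the issuer reissues a card with a new expiry, every
        token that maps to that PAN is updated together, so no merchant is left with stale
        details. Returns the number of tokens updated."""
        updated = 0
        for rec in self._records.values():
            if rec.pan == pan:
                rec.expiry = new_expiry
                updated += 1
        return updated

    def pans_held(self) -> int:
        """Residual risk the paper highlights: a merchant/gateway vault still stores PANs."""
        return len({rec.pan for rec in self._records.values()})


def demo() -> dict:
    """Walk through the scenarios discussed in the text with a constructed (non-real) PAN."""
    vault = GatewayTokenVault()
    pan = "4000000000000002"   # constructed test PAN, not a real card number
    t_shop = vault.tokenise(pan, "09/25", merchant_id="shop-A")
    t_app = vault.tokenise(pan, "09/25", merchant_id="shop-B", device_id="phone-1")

    results = {}
    results["pan_hidden_in_token"] = pan not in t_shop
    results["shop_a_ok"] = vault.detokenise(t_shop, "shop-A") == (pan, "09/25")
    try:
        vault.detokenise(t_shop, "shop-B")          # same token presented by another merchant
        results["cross_merchant_blocked"] = False
    except PermissionError:
        results["cross_merchant_blocked"] = True
    try:
        vault.detokenise(t_app, "shop-B", device_id="phone-2")  # right merchant, wrong device
        results["wrong_device_blocked"] = False
    except PermissionError:
        results["wrong_device_blocked"] = True
    results["tokens_synchronised"] = vault.update_expiry(pan, "09/28")  # issuer reissues the card
    results["expiry_after_sync"] = vault.detokenise(t_app, "shop-B", "phone-1")[1]
    results["pans_still_stored"] = vault.pans_held()
    return results


if __name__ == "__main__":
    print(demo())
```

The scope checks in `detokenise` are what give a token "less critical information than the PAN": it is worthless outside the merchant and device it was issued for. The `update_expiry` loop shows why synchronisation matters when several tokens map to one card, and `pans_held` is the reason the Bank's draft expectations attach minimum security standards to any merchant or provider that keeps PANs in a vault of this kind.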

[6] The PCI-DSS is a set of minimum technical and operational requirements designed to protect cardholder data and is set by the PCI Security Standards Council. The PCI-DSS applies to all entities that store, process and/or transmit cardholder data, including issuers, merchants and merchants’ providers.