Media Release Expectations for Tokenisation of Payment Cards and Storage of PANs
The Bank has released a final set of expectations for the Tokenisation of Payment Cards and Storage of Primary Account Numbers (PANs), aimed at improving security, efficiency and competition for online card payments. The key expectations the Bank has set are:
- All relevant industry participants should support token portability and token synchronisation by the end of June 2025. To link multiple tokens and aid token synchronicity, a unique account identifier, such as the Payment Account Reference (PAR), should be widely shared and used throughout the Australian payments ecosystem.
- Merchants and payment service providers that do not meet minimum security requirements relating to the storage of sensitive debit, credit and charge card information must not store customers PANs after the end of June 2025. This deadline is conditional on token portability and token synchronisation being supported by relevant industry participants by the end of June 2025. The minimum security requirements should be at least compliance with the Payment Card Industry Data Security Standard (PCI-DSS).
- The rollout of the eftpos core eCommerce tokenisation service is to be completed by the end of March 2024, with further releases to support token portability and synchronisation to follow. When a dual network debit card is network tokenised, tokens should be requested and stored for both the domestic and international networks, where supported by both networks.
AusPayNet has agreed to coordinate the industrys work to meet the Banks expectations and draft more specific tokenisation standards if required.
Background
The Bank released an Issues Paper in June 2023 which discussed the importance of the tokenisation of card details in the online environment for improving the security of payments. However, the paper also noted that merchants and payment service providers continue to retain sensitive card details, sometimes with minimal security, which undermines the security benefits of tokenisation. Stakeholders had also argued that there were some areas where standardisation may be necessary to ensure that the full benefits of tokenisation are realised without impeding competition. Accordingly, following a round of consultation with industry stakeholders, the Bank published a set of draft expectations in a Conclusions Paper in September 2023, aimed at addressing these issues. The Bank subsequently received feedback on these draft expectations, as well as the appropriate scope of cards to be covered by the expectations.
Enquiries
External Communications
Communications Department
Reserve Bank of Australia
SYDNEY
Phone: +61 2 9551 8111
Email:
rbainfo@rba.gov.au