Brief

Summary:

The Bank has released its final set of expectations for the tokenisation of payment cards and storage of Primary Account Numbers (PANs). The key objectives aim to improve security, efficiency, and competition in online card payments. The expectations include:

  • Industry participants to support token portability and synchronisation by June 2025
  • Widespread adoption of the Payment Account Reference (PAR) identifier
  • Merchants and payment providers to meet minimum security standards for PAN storage by June 2025, with a minimum of PCI-DSS compliance
  • Completion of the eftpos core eCommerce tokenisation service by March 2024, followed by further releases for portability and synchronisation
  • Tokenisation of dual network debit cards for both domestic and international networks, where supported

The Bank's expectations aim to address concerns over the security of stored card details and ensure the full benefits of tokenisation are realised while maintaining competition in the market.

The Bank has released a final set of expectations for the Tokenisation of Payment Cards and Storage of Primary Account Numbers (PANs), aimed at improving security, efficiency and competition for online card payments. The key expectations the Bank has set are:

  • All relevant industry participants should support token portability and token synchronisation by the end of June 2025. To link multiple tokens and aid token synchronicity, a unique account identifier, such as the Payment Account Reference (PAR), should be widely shared and used throughout the Australian payments ecosystem.
  • Merchants and payment service providers that do not meet minimum security requirements relating to the storage of sensitive debit, credit and charge card information must not store customers’ PANs after the end of June 2025. This deadline is conditional on token portability and token synchronisation being supported by relevant industry participants by the end of June 2025. The minimum security requirements should be at least compliance with the Payment Card Industry Data Security Standard (PCI-DSS).
  • The rollout of the eftpos core eCommerce tokenisation service is to be completed by the end of March 2024, with further releases to support token portability and synchronisation to follow. When a dual network debit card is network tokenised, tokens should be requested and stored for both the domestic and international networks, where supported by both networks.

AusPayNet has agreed to coordinate the industry’s work to meet the Bank’s expectations and draft more specific tokenisation standards if required.

Background

The Bank released an Issues Paper in June 2023 which discussed the importance of the tokenisation of card details in the online environment for improving the security of payments. However, the paper also noted that merchants and payment service providers continue to retain sensitive card details, sometimes with minimal security, which undermines the security benefits of tokenisation. Stakeholders had also argued that there were some areas where standardisation may be necessary to ensure that the full benefits of tokenisation are realised without impeding competition. Accordingly, following a round of consultation with industry stakeholders, the Bank published a set of draft expectations in a Conclusions Paper in September 2023, aimed at addressing these issues. The Bank subsequently received feedback on these draft expectations, as well as the appropriate scope of cards to be covered by the expectations.

Summary:

The Australian Bank has released a final set of expectations for the tokenisation of payment cards and the storage of Primary Account Numbers (PANs), aimed at improving security, efficiency, and competition for online card payments. The key expectations set by the Bank are as follows:

  • All relevant industry participants are expected to support token portability and token synchronisation by the end of June 2025.
  • A unique account identifier, such as the Payment Account Reference (PAR), should be widely shared and used throughout the Australian payments ecosystem to facilitate token synchronicity.
  • Merchants and payment service providers that do not meet minimum security requirements relating to the storage of sensitive debit, credit, and charge card information must not store customers’ PANs after the end of June 2025. This deadline is conditional on token portability and token synchronisation being supported by relevant industry participants by the end of June 2025.
  • The minimum security requirements should be at least compliance with the Payment Card Industry Data Security Standard (PCI-DSS).
  • The rollout of the eftpos core eCommerce tokenisation service is to be completed by the end of March 2024, with further releases to support token portability and synchronisation to follow.
  • When a dual network debit card is network tokenised, tokens should be requested and stored for both the domestic and international networks, where supported by both networks.

The Bank has also agreed to coordinate the industry’s work to meet these expectations and draft more specific tokenisation standards if required. The Bank’s expectations are aimed at addressing the issue of merchants and payment service providers continuing to retain sensitive card details, sometimes with minimal security, which undermines the security benefits of tokenisation.

Background:
In June 2023, the Bank released an Issues Paper discussing the importance of tokenisation of card details in the online environment for improving the security of payments. However, the paper noted that merchants and payment service providers continue to retain sensitive card details, sometimes with minimal security, which undermines the security benefits of tokenisation. Stakeholders also argued that standardisation may be necessary to ensure that the full benefits of tokenisation are realised without impeding competition. Consequently, the Bank published a set of draft expectations in a Conclusions Paper in September 2023 and subsequently received feedback on these draft expectations, as well as the appropriate scope of cards to be covered by the expectations.

Reserve Bank of Australia
