Tokenisation

Improving security, efficiency and competition for online card payments

In the RBA’s ‘The Australian Debit Card Market: Default Settings and Tokenisation Issues Paper’ published in June 2023, the RBA confirmed its commitment to the implementation of Least Cost Routing (LCR) and its expectation that tokenisation be implemented across the payments ecosystem, but in a way that does not impede the adoption of LCR or competition in the acquiring market more generally.

The Issues Paper highlighted the importance of tokenisation¹ in combatting fraud and providing broader benefits to consumers and merchants. Tokenisation combats fraud by reducing the use and storage of sensitive card data in the ecosystem. The broader benefits come from network tokens’ ability to remain valid after a card expires or is replaced, which spares customers the inconvenience of updating their card details. Merchants benefit from avoided transaction declines when customers have not updated their details following card expiry or replacement.

Following consultation on its Issues Paper, the RBA released a final set of expectations for the Tokenisation of Payment Cards and Storage of Primary Account Numbers (PANs) in December 2023. These expectations are aimed at improving security, efficiency and competition for online card payments. AusPayNet was asked to coordinate the industry’s work to meet these expectations and to draft more specific tokenisation standards if required.

In response, AusPayNet conducted a consultation with stakeholders representing the end-to-end tokenisation value chain (i.e. large merchants, issuers, acquirers, schemes, gateways, token service providers (‘TSPs’) and other relevant payment service providers (‘PSPs’)) and convened an industry working group. The summary findings of this consultation, as communicated to the RBA, are available via the Industry Position on the RBA’s Tokenisation Expectations link below.

Industry Position on the RBA’s Tokenisation Expectations

 

1 Tokenisation is the process of substituting sensitive card information, such as the cardholder's 16-digit primary account number (PAN) and expiry date, with a non-sensitive equivalent, referred to as the ‘token’. The token has no extrinsic or exploitable meaning and can only be reversed to the original data (de-tokenised) by the tokenisation system that created the token.