Industry Position on the RBA’s Tokenisation Expectations

Improving security, efficiency and competition for online card payments

On 22 December 2023 the Reserve Bank (‘RBA’) published its expectations on tokenisation (‘Expectations’) and requested Australian Payments Network (‘AusPayNet’) to coordinate the industry’s response to meeting the Expectations and lead the development of any new technical standards that may be required.

For the purposes of coordinating the industry response, AusPayNet conducted a consultation process (‘Consultation’) that involved engagement with stakeholders representing the end-to-end tokenisation value chain (i.e. large merchants, issuers, acquirers, schemes, gateways, token service providers (‘TSPs’) and other relevant payment service providers (‘PSPs’)). The Consultation captured feedback from 35 entities through bilateral meetings, written responses (including surveys) and feedback provided via the Tokenisation Industry Working Group (‘TIWG’).

The industry positions in response to Expectations #2-6, as endorsed by the TIWG, are indicated in the table below. AusPayNet expects Australian Payments Plus (‘AP+’) to respond directly to the RBA on Expectation #1 (relating to the eftpos eCommerce core tokenisation service rollout).


Industry positions endorsed by the TIWG on Expectations #2-6

RBA Expectation #2: Dual-network debit card (‘DNDC’) token requesting

Industry agreed position: The industry has not identified any technical limitations that would prevent it from achieving this Expectation.

Key considerations on the industry’s ability to meet the Expectation within the 2025 timeframe are:

  • The Expectation requires merchants to be provided the ability to obtain/use a token from both schemes for DNDCs. The merchant can then choose which scheme to process payments through and whether to tokenise via both networks (in accordance with Expectation #3), similar to the current least-cost-routing (‘LCR’) expectation that merchants must have the ability to route to either scheme but can choose which scheme to use.
  • Any merchants acting as a payment facilitator for other entities must meet the Expectation for this service.
  • Potential scheme eCommerce incompatibility may impact the business case for payment facilitators performing dual tokenisation.
  • Each entity’s own business priorities.
  • Dependencies on eftpos’ eCommerce delivery rollout and a logical sequence of adoption (gateways are likely to wait until a critical mass of issuers have been certified with eftpos).

Potential further action: The RBA may wish to consider providing further clarity in relation to the points raised in the industry’s agreed position.


RBA Expectation #3: Retention of primary account numbers (‘PANs’) after June 2025

Industry agreed position: The industry does not identify any issues in meeting this Expectation. This is based on the following:

  • PCI DSS (as the global PAN storage standard currently mandated by the schemes) is deemed sufficient.
  • Any deviation by Australia from this global standard would be detrimental to the industry by potentially adding significant compliance burden with minimal value.

Potential further action: The RBA may wish to consider a staggered reduction of PANs in the ecosystem once the industry’s level of tokenisation maturity improves.


RBA Expectation #4: Portability of debit, credit and charge card tokens (but not pre-paid cards) by the end of June 2025

Industry agreed position: There is industry consensus on:

  • The problem statement that the current lack of standardisation in information ported between gateways can cause lock-in for merchants if the merchant does not hold the PAN.
  • There is merit in addressing this problem statement and improving token portability.
  • Further exploration should occur on whether a minimum set of technical standards for gateway token portability could address the identified issues (as part of the standards scoping process). Areas expected to be included are data to be ported, transfer method, authorisation and access, and timeliness of the porting process.

Exploration is ongoing as to whether a set of minimum token migration outcomes (to be applicable to all schemes operating in Australia) is required to assist the schemes to meet Expectations 4.i) and 4.iii). Outcomes-based requirements, rather than prescriptive requirements, are considered appropriate to support innovation and competition in the provision of token migration services by schemes.

Potential further action: AusPayNet will commence the scoping of a potential standard for gateway tokens.

AusPayNet will facilitate further discussions with the schemes to determine their capability (and any gaps) for key network token migration use cases.


RBA Expectation #5: Synchronisation of DNDC tokens

Industry agreed position: There is majority, but not unanimous, industry support for the following two principles to assist the industry in meeting this Expectation:

  • Any party that receives or initiates a lifecycle management (LCM) event passes it on to the next recipient in the tokenisation chain, in real-time or near real-time; and
  • If the entity is the fork (that has a connection to more than one card scheme), then the entity must pass it on to each card scheme.
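A small simulation of the two principles above, added here as an illustration and not code from AusPayNet, the TIWG or any scheme; the chain (merchant, gateway, a TSP acting as the fork, two schemes), the event fields and the card reference are all assumptions. It also shows the failure mode the Expectation targets: a fork that forwards to only one scheme leaves the DNDC's tokens out of sync.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class LcmEvent:
    fpan_ref: str   # constructed placeholder reference to a card, never a real PAN
    action: str     # "suspend", "resume" or "delete"

@dataclass
class Entity:
    name: str
    is_scheme: bool = False
    next_hops: list = field(default_factory=list)    # next recipients in the chain
    token_state: dict = field(default_factory=dict)  # schemes only: fpan_ref -> last action
    forward_to_all: bool = True  # False models a non-compliant fork (one scheme only)

    def receive(self, event, seen):
        """Principle 1: every party passes the event on to its next recipient(s)."""
        seen.append(self.name)
        if self.is_scheme:                       # schemes apply the event to the token
            self.token_state[event.fpan_ref] = event.action
            return
        # Principle 2: a fork (more than one scheme connection) forwards to each scheme
        hops = self.next_hops if self.forward_to_all else self.next_hops[:1]
        for hop in hops:
            hop.receive(event, seen)

def in_sync(schemes, fpan_ref):
    """True when every scheme holds the same status for the card's tokens."""
    return len({s.token_state.get(fpan_ref) for s in schemes}) == 1

def build_chain(compliant_fork=True):
    eftpos = Entity("eftpos", is_scheme=True)
    intl = Entity("international scheme", is_scheme=True)
    tsp = Entity("TSP (fork)", next_hops=[eftpos, intl], forward_to_all=compliant_fork)
    gateway = Entity("gateway", next_hops=[tsp])
    merchant = Entity("merchant", next_hops=[gateway])
    return merchant, [eftpos, intl]

def run(compliant_fork=True):
    """Initiate a suspend event at the merchant; return the path taken and sync state."""
    merchant, schemes = build_chain(compliant_fork)
    seen = []
    merchant.receive(LcmEvent("card-0001", "suspend"), seen)
    return seen, in_sync(schemes, "card-0001")

if __name__ == "__main__":
    print(run(True))    # event reaches both schemes, tokens in sync
    print(run(False))   # event reaches one scheme, tokens out of sync
```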

The industry has indicated concerns with meeting the 2025 timeframe due to:

  • The low level of maturity in token synchronicity in the Australian payments ecosystem, noting that this maturity is expected to improve over time as the eftpos eCommerce solution is implemented and adopted.
  • Dependencies on the delivery timeframe for the eftpos eCommerce tokenisation service.
  • The challenge associated with ensuring communication is received synchronously across all relevant tokens, noting the lack of quality metrics existing on active and inactive tokens.

Potential further action: Following improvements in token synchronicity, the RBA may wish to consider addressing the current lack of quality metrics on active and inactive tokens.


RBA Expectation #6: PAR (‘Payment Account Reference’)

Industry agreed position: Most industry participants consider that a ubiquitous, unique, omnichannel identifier would be beneficial to enable each merchant to preserve its capability to associate all transactions, as was possible prior to tokenisation via the use of the underlying PAN.

The industry requested that a technical deep dive be performed on relevant use cases to support the potential business case for PAR due to:

  • A lack of scheme consensus on using PAR as the ubiquitous unique omnichannel identifier.
  • The current inconsistent use and storage of PAR in the industry (addressing this inconsistency is a dependency for expanding the access to PAR).
  • Implementation of a ubiquitous PAR requiring significant resources and time.

Potential further action: AusPayNet will facilitate a technical deep dive into the use cases of PAR.


Glossary

DNDC or Dual Network Debit Card: a card for which transactions may be routed through two distinct card schemes. In Australia, DNDCs are associated with eftpos and one of the international schemes (Visa, Mastercard or UnionPay (for Bank of China cards only)).

Gateway Token (also known as a PCI Token, Proprietary Token or Merchant Token): a token issued against the original sensitive data for use by online payment ecosystem participants within their own internal environment, and not the entire payment ecosystem.

Network Token (also known as a Scheme Token or Payment Token): a token issued by the payment networks/schemes to replace the PAN and other sensitive details for use across the entire payment ecosystem. Network tokens are specific to domains (i.e. limited to one device, merchant, channel or transaction type) and remove the need for a PAN to be transmitted or revealed to any party during a transaction. Network tokens are issued by PSPs registered with EMVCo and the use of Network tokens is covered by the EMVCo Technical Framework.

PAN or Primary Account Number: the 16–19-digit number associated with a payment account. These numbers are often referred to as either the funding PAN (‘FPAN’) (the physical number on the card itself) or the Token PAN/Device PAN (‘TPAN’/‘DPAN’) for the equivalent numbers of the tokenised version of the FPAN. References to PANs in this report refer to the FPANs of DNDCs.

PAR or Payment Account Reference: an alphanumeric data point which acts as a proxy for the FPAN in any card or token-based transaction. The same PAR is expected to be present for any transaction generated from an FPAN or any tokenised form of that PAN and is used to associate transactions across different payment form factors.

TIWG or Tokenisation Industry Working Group: the industry working group established by AusPayNet to support AusPayNet’s coordination of an industry response to meeting the Expectations, including the development of standards that may be required.

Token: a unique identifier that replaces sensitive data with non-sensitive, randomised data that has no essential or exploitable value or meaning. The token can only be reversed to the original data (de-tokenised) by the tokenisation system that created the token.