Bank should be clear in communication about card tokenisation

Home Guides & cases Case notes 82088

Bank should be clear in communication about card tokenisation

Categories:

Service problems, Fraud & scams, Cards,

Summary:

In March 2023, Darrel lost his debit and credit cards. He contacted the bank to cancel the cards and order replacements. He subsequently discovered someone had made more than 100 unauthorised transactions on his replacement cards before he received and activated them. After making this discovery, Darrel rang the bank, and it promised to look into the matter. The bank did not put a hold on the replacement cards until he went to a branch of the bank two days later after noticing that unauthorised transactions were continuing to be made on his cards.

Published:

November 2025

The bank cancelled the replacement cards and explained that it automatically copied the links, or “tokens”, on the previous cards to the replacement cards, and the fraudster had somehow managed to activate one of these tokens through the card provider to make the unauthorised transactions. The bank said it copied existing tokens so customers in his situation did not have to update their card details with all the merchants and service providers they had used. It reimbursed Darrel for all the unauthorised transactions, which totalled $3,000, and cancelled all existing tokens on his cards.

Darrel complained to us that the bank had failed to keep his banking secure, and said it should change its systems so it automatically removed existing tokens when customers cancelled a card.

Our investigation

We found the fraudster had been able to activate an existing token authorising payments to a particular merchant, and that the fraudster had not needed Darrel’s replacement card to do this. We could not establish how the fraudster had activated the token with the merchant in the first place, particularly since Darren said he had never bought anything from the merchant. We suspected the previous card’s details had been compromised, allowing the token to be generated in the first place. We could establish, however, that the compromise had not occurred within the bank’s systems, and so we could not accept Darrel’s argument that the bank had failed to keep his banking secure.

However, we recommended the bank make it clear on its website and elsewhere that it copied over existing tokens from old to new cards when customers cancelled their cards and asked for replacements, and also that it make clear that such customers could ask the bank to remove any or all of these links on their new cards. The bank agreed to review its communication on this point.

We found the bank reimbursed Darrel within a reasonable time, and that he did not suffer any financial loss as a result of the bank’s actions. However, the bank did fail to put a hold on his cards when he first contacted it, and he suffered some stress in seeing further unauthorised transactions occurring on his cards and he also suffered some inconvenience in having to follow up with the bank about its failure to act on his request. We recommended the bank pay Darrel $250 to recognise this inconvenience.