Card Information

Definition of Card Information Under AUSTRAC’s Travel Rule

AUSTRAC states that where a transfer is a merchant payment, a refund of a merchant payment, or an ATM withdrawal of money, the ordering institution must include the card number in the transfer message, and intermediary and beneficiary institutions will generally receive that card number. AUSTRAC also notes the card number can include a tokenised reference that allows the issuer to trace the payment back to the payer’s card.

This definition is deliberately broad. It covers traditional 16-digit card numbers as well as tokenised substitutes generated through payment network tokenisation schemes, meaning institutions do not need to transmit the raw card number where a token carries the same traceability function.

Critically, this travel rule treatment applies in place of the standard payer and payee identity fields. The requirement to verify specific elements of payer information does not apply to a merchant payment or a refund of a merchant payment. However, if you are the card issuer, you must still collect and verify payer information as part of your initial customer due diligence (CDD) obligations at onboarding.

How Card Information Fits Into the Travel Rule Framework

The travel rule generally requires ordering institutions to pass payer and payee identity information through the value transfer chain so that all institutions can screen and monitor the transfer. Card-based payments work differently. In a merchant payment, it is the beneficiary institution (the merchant acquirer) that initiates the transfer and conveys the instruction to the ordering institution (the card issuer). This reversal of roles means the standard payer-to-payee information flow does not map neatly onto the transaction.

AUSTRAC’s solution is to substitute the standard identity fields with the card number or tokenised equivalent. The card number serves as the traceability anchor: any institution in the chain that needs to trace the origin of the payment back to the payer can do so through the card issuer using that reference.

This approach aligns with the Financial Action Task Force (FATF) Recommendation 16, which was updated in June 2025. AUSTRAC guidance reflects those updated international standards.

When Card Information Is Required: The Three Transfer Types

Understanding exactly which transfers trigger the card information requirement rather than the standard identity information requirement is essential for correct classification.

1. Merchant Payments

A transfer is a merchant payment where all of the following conditions are met:

• The beneficiary institution initiates the transfer and conveys the instructions to the ordering institution.
• The beneficiary institution makes the money available to the payee (regardless of whether the beneficiary institution has yet received the money from the ordering institution).
• The ordering institution transfers money to the beneficiary institution.

An example is a customer using a debit card for retail purchases. The customer’s card interacts with the merchant terminal provided by the merchant acquirer bank. The merchant acquirer (beneficiary institution) initiates the transfer by conveying the payer’s instruction to the card issuer (ordering institution). The card issuer sends a transfer message back to the merchant acquirer authorising the transfer. In this flow, the transfer message carries the card number rather than the standard travel rule identity fields.

2. Refunds of Merchant Payments

Where a merchant reverses or refunds a card payment, AUSTRAC applies the same card-information approach. The card number (or tokenised reference) is passed through the chain in place of the payer and payee identity fields, ensuring traceability is maintained throughout the refund flow.

3. ATM Withdrawals

A transfer involving an ATM withdrawal of money must also include the card number in the transfer message. This covers situations where a cardholder withdraws cash from an ATM operated by a different institution from their card issuer.

Obligations Across the Value Transfer Chain

The card information obligation applies differently depending on your role.

Ordering institutions must include the card number (or tokenised reference) in the transfer message for any merchant payment, refund of a merchant payment, or ATM withdrawal. This is the originating obligation. Under Rules section 8-6, this requirement is mandatory.

Intermediary institutions will generally receive the card number when processing one of these three transfer types. They are not required to replace the card number with standard payer and payee identity fields. They must also take reasonable steps to monitor for transfer messages that are missing required information, taking a risk-based approach as set out in their AML/CTF policies and procedures. Where a transfer message is missing required information, the intermediary must either refuse to send the transfer message to the next business or take other risk-based actions described in their AML/CTF policies to reduce risk.

Beneficiary institutions that provide merchant payment services must ensure that the ordering institution and any intermediary institutions have passed on the card number. They must also have policies that allow them to provide relevant information to other institutions in the value transfer chain within three business days. Systems, procedures and controls supporting travel rule obligations are required, and records of individual transactions related to value transfer services must be retained.

Examples of Card Information in Practice

• Example 1 – Debit card retail purchase: A customer pays a retailer using a debit card. The merchant acquirer (beneficiary institution) initiates the transaction. The card issuer (ordering institution) sends a transfer message back that carries the card number or a tokenised reference, rather than the customer’s name and address. The merchant acquirer receives and retains that card reference.
• Example 2 – ATM cash withdrawal: A cardholder withdraws cash from an ATM run by a different financial institution. The travel rule requirement focuses on including the card number in the transfer message between the ATM operator and the card issuer. Standard payer identity fields are not required in the message, but the card number enables the card issuer to trace the transaction if needed.
• Example 3 – Merchant refund: A customer returns goods and the merchant processes a card refund. The beneficiary institution initiates the refund flow and the ordering institution must include the original card number or tokenised reference in the transfer message, maintaining the same traceability as the original purchase.

Legal and Regulatory References

• AML/CTF Act 2006 (Cth), sections 65(2), 66(2), 66(3), 66A(10), 107, 111 and 116.
• AML/CTF Rules, sections 5–17, 5–18(2), 8–4, 8–6 and 8–8(8).
• AUSTRAC travel rule guidance for ordering institutions, intermediary institutions, and beneficiary institutions.
• AUSTRAC guidance on when the travel rule does not apply (merchant payment conditions).
• FATF Recommendation 16 (updated June 2025) and AUSTRAC’s transition guidance to new global travel rule standards.

Best Practices for Managing Card Information Compliance

1. Classify card flows correctly:

Ensure staff know when a transfer is a merchant payment, refund, or ATM withdrawal under AUSTRAC’s conditions. The classification test involves checking who initiates the transfer and who makes funds available to the payee. A poorly documented ML/TF risk assessment often leaves this classification undefined, creating systemic risk across all card transactions.

2. Retain traceable identifiers:

Store the card number or tokenised reference in a way that supports reconstruction and enquiry handling across the chain. Institutions must be able to retrieve and provide this information to other institutions in the value transfer chain within three business days if requested.

3. Do not confuse the card information rule with a full travel rule exemption:

AUSTRAC describes the adjusted travel rule treatment for merchant payments and refunds, but that does not remove your other AML and CTF obligations. Transaction monitoring, suspicious matter reporting, record-keeping, and AML regulatory reporting requirements all continue to apply in full.

4. Embed classification logic in your AML/CTF policies:

Your AML/CTF program should explicitly define how your business identifies merchant payments, refunds, and ATM withdrawals. If these definitions are missing from your policies, staff cannot apply the correct treatment consistently, and your business cannot demonstrate compliance to AUSTRAC on enquiry.

5. Monitor for missing card information

Beneficiary and intermediary institutions must take reasonable steps to monitor for transfer messages missing the required card number. A risk-based monitoring approach whether post-event or real-time where feasible should be defined in your AML/CTF policies and should reflect the nature, size and complexity of your business.

6. Link tokenisation records to underlying card data

If your systems use tokenised references, ensure there is a clear and documented process connecting each token back to the underlying card and account. Losing that link undermines the entire traceability purpose of the card information requirement.

Common Challenges

Misclassifying transfers and applying the wrong travel rule treatment. Teams that have not received targeted AML training on travel rule classifications frequently apply standard identity information rules to merchant payments, or assume the card information rule applies more broadly than it does.

Losing the link between tokenised references and internal records. Where tokenisation is handled by a third-party payment processor, institutions sometimes lack direct access to the mapping table between tokens and card numbers. This undermines traceability and should be addressed in vendor contracts and system design.

Treating the card information rule as a full compliance exemption. The adjusted travel rule treatment removes the obligation to collect and transmit specific payer and payee identity fields in the transfer message. It does not remove obligations around customer identification at onboarding, transaction monitoring, or record-keeping.

Failing to meet the three business day response obligation. Beneficiary institutions providing merchant payment services must have policies enabling them to provide relevant information to other institutions in the value transfer chain within three business days. Many businesses discover this obligation only when they receive an enquiry.

Inadequate documentation in AML/CTF policies. An AML health check frequently reveals that policies do not address card-based payment flows specifically, leaving staff without guidance and the business without a documented compliance position.

How Tranche 2 Consultants Can Help

Tranche 2 Consultants maps your payment flows against AUSTRAC’s travel rule conditions, confirms which transactions meet the merchant payment classification, and identifies where your current AML/CTF policies have gaps. We work with your operations and compliance teams to build a practical record-keeping and assurance approach that holds up to scrutiny.

Concluding Remarks

Card information is the traceability anchor for certain card-based transfers under the travel rule. The compliance priority is correct classification and robust record keeping.

Institutions operating card payment services, processing merchant acquirer flows, or providing ATM services need to ensure their AML/CTF policies explicitly address these transfer types, their systems can pass and retain card numbers or tokenised references, and their staff understand where the card information rule ends and other AML obligations begin.