RBI guidelines on tokenisation of card transactions: What you must know
The NDA government's digitisation move has facilitated card transaction and most people are shying away from cash payment. Looking at this scenario, Reserve Bank of India wants to improve safety and security of the payment system and has issued guidelines on tokenisation for various card transactions, including from debit and credit cards. Tokenisation will lead to replacement of actual card details with an unique alternate code called the 'token'. This will be unique for a combination of card, token requestor and identified device. Here are other changes that the apex bank has mooted, let us try to understand:
Under the new RBI guidelines, instead of using actual card details, this token will be used to perform card transactions in contactless mode at point of sale(POS) terminals, quick response (QR) code payments. Permission has been given to offer tokenised card transactions to all channels including near field communication (NFC), magnetic secure transmission (MST) based contactless transactions, in-app payments, and QR code-based payments, besides token storage mechanisms that will include cloud, secure element and trusted execution environment. Image source: Reuters
According to the RBI, this facility would be offered through mobile phones or tablets only and will then be extended to other devices. Only the authorised card network will be authorised to perform tokenisation and de-tokenisation, while recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only. Image source: Reuters
The RBI stated that request for tokenisation and de-tokenisation should be logged by the card network and available for retrieval. To avail this service, a customer would not have to pay any charges. RBI further said, "Card networks shall get the card issuers/acquirers, their service providers and any other entity involved in payment transaction chain, certified in respect of changes done for processing tokenised card transactions by them." Image source: Reuters
Prior to providing tokenisation services, authorised card payment networks will have to put a mechanism for periodic system audit, at least annually, of all entities involved in providing tokenisation services. Image source: Reuters
The RBI has also asked card issuers to ensure easy access to customers for reporting loss of 'identified device' or any other such event which may expose tokens to unauthorised usage. Image source: Reuters
Registration of a card on token requestors app will be done only after getting customer consent through Additional Factor of Authentication (AFA), and not by way of a forced /default/ automatic selection of check box, or through radio button, according to the RBI guideline. Image source: Reuters