RBI extends tokenisation services to online merchants
Continuing its efforts to improve the safety of card transactions, the Reserve Bank of India (RBI) on Tuesday extended the use of tokenisation -- hiding of actual card details with a unique token -- in the wider payments ecosystem.
To date, the RBI had allowed card payment networks like Visa and MasterCard to use the tokenisation technology in card transactions. The technology is now allowed to be used by merchants holding the card credentials like online retailers.
"It has now been decided to permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider)," the RBI said in a statement. For now, the facility will be offered through mobile phones and tablets only.
The permission extends to all use cases and channels like near field communication (NFC), magnetic secure transmission (MST)-based contactless transactions, in-app payments and QR (quick response) code-based payments, the bank said.
"The Reserve Bank has today (Tuesday) released guidelines on tokenisation for debit/ credit/ prepaid card transactions as a part of its continuous endeavour to enhance the safety and security of the payment systems in the country," the statement said.
Tokenisation involves a process in which a unique token masks sensitive card details and thus, in lieu of actual card details, this token is used to perform card transactions. The token will be unique for a combination of card, token requestor and "identified device".
While all other instructions related to card transactions will be applicable for tokenised card transactions as well, the RBI stated: "The ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks."
Before providing card tokenisation services, card payment networks will have to put in place a mechanism for periodic system (including security) audit at frequent intervals, at least once a year, of all entities involved in providing card tokenisation services to customers.
"Tokenisation and de-tokenisation shall be performed only by the authorised card network, and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network," the RBI said.
Registration of card on token requestor's app will be done only with explicit customer consent and the customers will have the option to register/ de-register their card for a particular use cases like contactless and QR code-based.
"Card issuers shall ensure easy access to customers for reporting loss of 'identified device' or any other such event which may expose tokens to unauthorised usage. Card network, along with card issuers and token requestors, shall put in place a system to immediately de-activate such tokens and associated keys," the bank added.