RBI issues card payments tokenisation guidelines
Based on risk perception, card issuers may decide whether to allow cards issued by them to be registered by a token requestor.
New Delhi: To improve the safety and security of card transactions, Reserve Bank of India (RBI) on Tuesday issued guidelines on tokenisation of card payments.
Tokenisation refers to the replacement of actual card details with a unique alternate code called a ‘token’, which is unique for a given combination of card, token requestor and device.
The central bank said it has now decided to permit authorised card payment networks to offer card tokenisation services to any token requestor (for example, third party app provider), subject to certain conditions.
This permission extends to all use cases/channels (for example, Near Field Communication/Magnetic Secure Transmission based contactless transactions, in-app payments and QR code-based payments) and token storage mechanisms (cloud, secure element, trusted execution environment).
For the present, this facility shall be offered through mobile phones/tablets only. Its extension to other devices will be examined later, based on experience, RBI said. All instructions of RBI on safety and security of card transactions, including the mandate for additional factor of authentication (AFA)/PIN entry, shall also be applicable to tokenised card transactions. The ultimate responsibility for the card tokenisation services rests with the authorised card networks. No charges should be recovered from the customer for availing of the tokenisation service, RBI said.
Only the authorised card network shall perform tokenisation and de-tokenisation, and recovery of the original primary account number (PAN) shall be feasible for the authorised card network alone. Adequate safeguards shall be put in place to ensure that the PAN cannot be derived from the token, or the token from the PAN, by anyone except the card network. The integrity of the token generation process has to be ensured at all times.
Registration of a card on a token requestor’s app shall be done only with explicit customer consent through AFA, and not by way of a forced/default/automatic selection of a check box or radio button. Customers shall have the option to register/de-register their card for a particular use case, such as contactless, QR code-based and in-app payments. Customers shall be given the option to set and modify per-transaction and daily transaction limits for tokenised card transactions. Suitable velocity checks (how many such transactions will be allowed in a day/week/month) may be put in place by card issuers/card networks as considered appropriate for tokenised card transactions.
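To make the two preceding paragraphs concrete, here is an added example of a minimal token vault written for this page; it is illustrative code, not RBI text and not any card network's implementation. It shows the properties the guidelines ask for: a token that is random rather than derived from the PAN (so nothing outside the vault's mapping table can reverse it), de-tokenisation gated on a key standing in for "the card network", one token per card/requestor/device combination, registration refused without AFA consent, per-use-case registration, customer-set per-transaction and daily limits, and a velocity check. The class and function names, the token BIN 999999, the network key, the amounts (integers, assumed to be rupees) and the test PAN 4111111111111111 are all assumptions made for the example.

```python
"""Added example: a minimal token vault modelling the RBI tokenisation properties.
Hypothetical illustration for this page, not RBI text or any card network's code."""
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


def luhn_check_digit(digits: str) -> str:
    """Return the Luhn check digit for `digits` (the number without its check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class Limits:
    per_txn: int      # customer-set cap on a single tokenised transaction
    daily: int        # customer-set cap on the day's total
    daily_count: int  # velocity check: transactions allowed per day


class TokenVault:
    """Holds the PAN <-> token mapping. Tokens are random, so the PAN cannot be computed
    from a token (or vice versa) without this table; de-tokenisation needs the network key,
    which stands in here for 'the authorised card network'."""

    def __init__(self, network_key: bytes, token_bin: str = "999999"):
        self._network_key = network_key
        self._token_bin = token_bin                 # assumed BIN range reserved for tokens
        self._by_token = {}                         # token -> (pan, requestor, device)
        self._by_triple = {}                        # (pan, requestor, device) -> token
        self._limits = {}                           # token -> Limits
        self._use_cases = set()                     # (token, use_case) registered by the customer
        self._spent = defaultdict(lambda: [0, 0])   # (token, date) -> [amount so far, count so far]

    def tokenise(self, pan: str, requestor: str, device: str, afa_verified: bool) -> str:
        """Issue (or return) the token unique to (card, requestor, device); needs AFA consent."""
        if not afa_verified:
            raise PermissionError("card registration requires explicit customer consent via AFA")
        triple = (pan, requestor, device)
        if triple in self._by_triple:
            return self._by_triple[triple]
        while True:
            body = self._token_bin + "".join(str(secrets.randbelow(10)) for _ in range(15 - len(self._token_bin)))
            token = body + luhn_check_digit(body)
            if token not in self._by_token and token != pan:  # no collisions, never equal to the PAN
                break
        self._by_token[token] = triple
        self._by_triple[triple] = token
        return token

    def detokenise(self, token: str, key: bytes) -> str:
        """Recover the PAN; only the holder of the network key may do this."""
        if not hmac.compare_digest(key, self._network_key):
            raise PermissionError("de-tokenisation is reserved to the authorised card network")
        return self._by_token[token][0]

    def set_limits(self, token: str, limits: Limits) -> None:
        self._limits[token] = limits

    def set_use_case(self, token: str, use_case: str, enabled: bool) -> None:
        if enabled:
            self._use_cases.add((token, use_case))
        else:
            self._use_cases.discard((token, use_case))

    def authorise(self, token: str, amount: int, use_case: str, at: datetime) -> str:
        """Apply use-case registration, the customer's limits and the velocity check."""
        if token not in self._by_token:
            return "unknown token"
        if (token, use_case) not in self._use_cases:
            return "use case not registered"
        lim = self._limits.get(token)
        if lim is None:
            return "no limits set"
        spent = self._spent[(token, at.date())]
        if amount > lim.per_txn:
            return "per-transaction limit exceeded"
        if spent[0] + amount > lim.daily:
            return "daily limit exceeded"
        if spent[1] >= lim.daily_count:
            return "velocity limit exceeded"
        spent[0] += amount
        spent[1] += 1
        return "approved"


def run_demo() -> dict:
    """Exercise the vault with a constructed PAN (a standard test number, not a live card)."""
    pan, key = "4111111111111111", b"constructed-network-key"
    vault = TokenVault(network_key=key)
    try:
        vault.tokenise(pan, "wallet-app", "device-A", afa_verified=False)
        consent_enforced = False
    except PermissionError:
        consent_enforced = True
    tok_a = vault.tokenise(pan, "wallet-app", "device-A", afa_verified=True)
    tok_b = vault.tokenise(pan, "wallet-app", "device-B", afa_verified=True)
    try:
        vault.detokenise(tok_a, b"not-the-network")
        pan_leaked = True
    except PermissionError:
        pan_leaked = False
    vault.set_limits(tok_a, Limits(per_txn=5000, daily=10000, daily_count=3))
    vault.set_use_case(tok_a, "in-app", True)
    day = datetime(2019, 1, 8, 10, 0)
    decisions = [
        vault.authorise(tok_a, 4000, "in-app", day),       # approved (4000 spent, 1 txn)
        vault.authorise(tok_a, 6000, "in-app", day),       # over the 5000 per-transaction cap
        vault.authorise(tok_a, 4000, "contactless", day),  # use case never registered
        vault.authorise(tok_a, 4000, "in-app", day),       # approved (8000, 2 txns)
        vault.authorise(tok_a, 3000, "in-app", day),       # 11000 would exceed the daily cap
        vault.authorise(tok_a, 1000, "in-app", day),       # approved (9000, 3 txns)
        vault.authorise(tok_a, 100, "in-app", day),        # 4th transaction today: velocity check
        vault.authorise(tok_a, 100, "in-app", day + timedelta(days=1)),  # counters reset next day
    ]
    return {
        "consent_enforced": consent_enforced,
        "token": tok_a,
        "token_is_not_pan": tok_a != pan and tok_b != pan,
        "tokens_differ_per_device": tok_a != tok_b,
        "same_triple_same_token": vault.tokenise(pan, "wallet-app", "device-A", afa_verified=True) == tok_a,
        "token_luhn_valid": luhn_valid(tok_a),
        "network_recovers_pan": vault.detokenise(tok_a, key) == pan,
        "pan_leaked_to_wrong_key": pan_leaked,
        "decisions": decisions,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The design point is that the token carries no information about the PAN: it is drawn from a random number generator and linked to the card only through the vault's table, so a token requestor, merchant or attacker holding tokens gains nothing that can be inverted, which is what "PAN cannot be derived from the token" requires. A scheme that encrypts or hashes the PAN to produce the token would instead place that guarantee on a key or on the PAN's low entropy, neither of which the guidelines allow anyone outside the network to rely on.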
For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.