Tokenisation must from January; RBI tweaks guidelines

Mumbai: The Reserve Bank of India on Tuesday in a circular refused to extend its deadline for card tokenisation beyond the agreed January 1, 2022 and said that any card data stored previously should be purged.

The central bank said that “With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged,” said that the RBI.

For transaction tracking and / or reconciliation purposes, entities can store limited data–last four digits of actual card number and card issuer’s name, in compliance with the applicable standards.

Tokenization is nothing but an alias for an anonymised set of characters against the original payment credential, like a credit card– where a token reference is used instead of actual card number with matching expiry date. This token number is irreversible, created using an advanced algorithm that has the intelligence to map the actual card value corresponding to the token number which is impossible to crack since the original number mapped to the pseudo number exists only with the tokenisation provider.

The guidelines extend the tokenisation guidelines to every device that connects with the internet, including mobile phones, tablets, laptops, desktops, wrist watches, bands, Internet of Things devices as well as payment aggregators.