The Reserve Bank of India has released guidelines on tokenisation for debit / credit / prepaid card transactions as a part of its continuous endeavour to enhance the safety and security of the payment systems in the country.
Tokenisation involves a process in which a unique token masks sensitive card details. Thereafter, in lieu of actual card details, this token is used to perform card transactions in contactless mode at Point Of Sale(POS) terminals, Quick Response(QR) code payments, etc.
„These guidelines permit authorised card payment networks to offer card tokenisation services to any token requestor (third party app provider), subject to conditions enumerated in these guidelines.”, according to the press release.
A card holder may avail of these services by registering the card on the token requestor’s app after giving explicit consent. No charges shall be recovered from the customer for availing this service.
All extant instructions of Reserve Bank on safety and security of card transactions, including mandate for Additional Factor of Authentication (AFA) / PIN entry shall be applicable for tokenised card transactions also.
This permission extends to all use cases/channels [for example, Near Field Communication/Magnetic Secure Transmission based contactless transactions, in-app payments and QR code-based payments) or token storage mechanisms (cloud, secure element, trusted execution environment).
For present, this facility shall be offered through mobile phones/tablets only. Its extension to other devices will be examined later, based on experience, RBI said.
The ultimate responsibility for the card tokenisation services rests with the authorised card networks. Only the authorised card network shall perform tokenisation and de-tokenisation and recovery of original primary account number (PAN) should be feasible for the authorised card network only. Adequate safeguards shall be put in place to ensure that PAN can’t be found out from the token and vice versa, by anyone except the card network. Integrity of token generation process has to be ensured at all times.
Registration of card on token requestor’s app shall be done only with explicit customer consent through AFA, and not by way of a forced/default/automatic selection of check box and radio button. Customers shall have option to register/de-register their card for a particular use case like contactless, QR code-based and in-app payments.
Customers shall be given option to set and modify per transaction and daily transaction limits for tokenised card transactions. Suitable velocity checks (how many such transactions will be allowed in a day/week/month) may be put in place by card issuers/card network as considered appropriate, for tokenised card transactions.
For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.
Based on risk perception, card issuers may decide whether to allow cards issued by them to be registered by a token requestor.
Banking 4.0 – „how was the experience for you”
„So many people are coming here to Bucharest, people that I see and interact on linkedin and now I get the change to meet them in person. It was like being to the Football World Cup but this was the World Cup on linkedin in payments and open banking.”
Many more interesting quotes in the video below:
