The RBI has allowed technology to be used by merchants holding card credentials like e-tailersMumbai:Continuing its efforts to improve safety of card transactions, Reserve Bank of India (RBI) on Tuesday extended use of tokenisation -- hiding of actual card details with a unique token -- in wider payments ecosystem.To date, RBI had allowed card payment networks like Visa and MasterCard to use tokenisation technology in card transactions.
The technology is now allowed to be used by merchants holding card credentials like online retailers."It has now been decided to permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider)," RBI said in a statement.
For now, facility will be offered through mobile phones and tablets only.The permission extends to all use cases and channels like near field communication (NFC), magnetic secure transmission (MST)-based contactless transactions, in-app payments and QR (quick response) code-based payments, bank said."The Reserve Bank has today (Tuesday) released guidelines on tokenisation for debit/ credit/ prepaid card transactions as a part of its continuous endeavour to enhance safety and security of payment systems in country," statement said.Tokenisation involves a process in which a unique token masks sensitive card details and thus, in lieu of actual card details, this token is used to perform card transactions.
The token will be unique for a combination of card, token requestor and "identified device".While all other instructions related to card transactions will be applicable for tokenised card transactions as well, RBI stated: "The ultimate responsibility for card tokenisation services rendered rests with authorised card networks."Before providing card tokenisation services, card payment networks will have to put in place a mechanism for periodic system (including security) audit at frequent intervals, at least once a year, of all entities involved in providing card tokenisation services to customers."Tokenisation and de-tokenisation shall be performed only by authorised card network, and recovery of original Primary Account Number (PAN) should be feasible for authorised card network only.
Adequate safeguards shall be put in place to ensure that PAN cannot be found out from token and vice versa, by anyone except card network," RBI said.Registration of card on token requestor's app will be done only with explicit customer consent and customers will have option to register/ de-register their card for a particular use cases like contactless and QR code-based."Card issuers shall ensure easy access to customers for reporting loss of 'identified device' or any other such event which may expose tokens to unauthorised usage.
Card network, along with card issuers and token requestors, shall put in place a system to immediately de-activate such tokens and associated keys," bank added.