INSUBCONTINENT EXCLUSIVE:
safety of card transactions, Reserve Bank of India (RBI) on Tuesday extended use of tokenisation -- hiding of actual card details with a
unique token -- in wider payments ecosystem.To date, RBI had allowed card payment networks like Visa and MasterCard to use tokenisation
technology in card transactions
The technology is now allowed to be used by merchants holding card credentials like online retailers."It has now been decided to permit
authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider)," RBI said in a
For now, facility will be offered through mobile phones and tablets only.The permission extends to all use cases and channels like near
field communication (NFC), magnetic secure transmission (MST)-based contactless transactions, in-app payments and QR (quick response)
code-based payments, bank said."The Reserve Bank has today (Tuesday) released guidelines on tokenisation for debit/ credit/ prepaid card
transactions as a part of its continuous endeavour to enhance safety and security of payment systems in country," statement
said.Tokenisation involves a process in which a unique token masks sensitive card details and thus, in lieu of actual card details, this
token is used to perform card transactions
The token will be unique for a combination of card, token requestor and "identified device".While all other instructions related to card
transactions will be applicable for tokenised card transactions as well, RBI stated: "The ultimate responsibility for card tokenisation
services rendered rests with authorised card networks."Before providing card tokenisation services, card payment networks will have to put
in place a mechanism for periodic system (including security) audit at frequent intervals, at least once a year, of all entities involved in
providing card tokenisation services to customers."Tokenisation and de-tokenisation shall be performed only by authorised card network, and
recovery of original Primary Account Number (PAN) should be feasible for authorised card network only
Adequate safeguards shall be put in place to ensure that PAN cannot be found out from token and vice versa, by anyone except card network,"
RBI said.Registration of card on token requestor's app will be done only with explicit customer consent and customers will have option to
register/ de-register their card for a particular use cases like contactless and QR code-based."Card issuers shall ensure easy access to
customers for reporting loss of 'identified device' or any other such event which may expose tokens to unauthorised usage
Card network, along with card issuers and token requestors, shall put in place a system to immediately de-activate such tokens and
associated keys," bank added.
