RBI has issued guidelines on tokenisation for debit / credit / prepaid card transactions as a part of its s endeavour to enhance the safety and security of the payment systems in the country. Accordingly RBI will permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider), subject to certain conditions.
This permission extends to all use cases / channels [e.g., Near Field Communication (NFC) / Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.). For the present, this facility shall be offered through mobile phones / tablets only. Its extension to other devices will be examined later based on experience gained.
All extant instructions of Reserve Bank on safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry shall be applicable for tokenised card transactions also.
All other instructions related to card transactions will continue to be applicable. for tokenised card transactions as well.
The ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks.
No charges should be recovered from the customer for availing this service.
Before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system (including security) audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers.
This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and all related instructions of Reserve Bank in respect of system audits shall also be adhered to.
A copy of this audit report shall be furnished to the Reserve Bank, with comments of auditors on deviations.
The move is welcome since it is expected to enhance the security from the consumer’s point of view.