
RBI tweaks guidelines on tokenisation of card transactions

The central bank extended the tokenisation guidelines to Card-on-File tokenisation services and said tokenisation of data should be done with explicit customer consent.

September 07, 2021 / 20:11 IST

The Reserve Bank of India has enhanced the guidelines on tokenisation of card transactions.

The central bank said the device-based tokenisation framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well.

It added that card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs). The tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA).

The central bank said the facility of tokenisation shall be offered by TSPs only for the cards issued by/affiliated to them. It added that the ability to tokenise and de-tokenise card data shall be with the same TSP.

The above enhancements are expected to reinforce the safety and security of card data while continuing the convenience in card transactions, the RBI said.

The RBI on August 25 had extended the scope of permitted devices on tokenisation. Previously, the facility of tokenisation offered by card networks to token requestors was limited to mobile phones and tablets of interested card holders.

Later, on reviewing the framework and feedback from stakeholders, the central bank included consumer devices, namely laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc., to extend the scope of tokenisation.

Moneycontrol had reported on August 30 on how banks and payment ecosystem players were gearing up for the adoption of tokenisation.

The push for tokenisation comes in the context of securing card details of consumers. Previously, entities involved in the process of card payment transactions, including e-commerce merchants, would store card details (also known as card-on-file) on their servers. According to RBI, availability of such details with a large number of merchants substantially increases the risk of card data being stolen.

Further, any leakage of CoF data could have serious repercussions, as many global jurisdictions do not have additional factor authentication for card transactions. In March 2020, the RBI brought in PAPG Guidelines and asked merchants, payment aggregators and payment gateways not to store data on their servers, as this would minimise vulnerable points in the system.

The deadline was extended by the central bank to end-December 2021 at the request of the industry.

The central bank said the CoFT will offer customers the same degree of convenience while improving customer data security.

There would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts of Reserve Bank to deepen digital payments in India and make such payments safe and efficient shall continue, the central bank said.

 

Ishan Shah
first published: Sep 7, 2021 07:29 pm
