RBI’s new move to tokenisation makes card payments safer.

Opting for tokenisation, which masks actual credit or debit card details, will reduce the risk of data theft.

As part of the banking regulator's efforts to improve the safety and security of payment systems in the country, the RBI has now permitted authorised card payment networks – covering credit, debit as well as prepaid cards – to offer tokenisation services to their customers.

"This permission extends to all use cases/channels or token storage mechanisms (cloud, secure element, trusted execution environment, etc.)," read the RBI strategy on tokenization for debit, credit and prepaid card transactions. "For the present, this facility shall be offered through mobile phones/tablets only. Its addition to other devices will be examined later based on knowledge gained."

Tokenization:

Tokenisation is a process that masks actual card details with a unique alternate code called the "token". The token is unique to a combination of card, token requestor – for instance an m-commerce app – and device, such as a smartphone. Thereafter, in lieu of actual card details, this token is used to perform card transactions in contactless mode at Point of Sale (POS) terminals, Quick Response (QR) code payments, in-app payments and the like, thereby protecting cardholders from fraud and data theft.

For whom is this service beneficial?

Most of us have downloaded multiple apps on our phones, from food delivery apps to e-commerce and travel apps. For easier, quicker transactions in the future, many customers opt for the 'save card details' option offered by most such apps. With your sensitive card details now stored on multiple companies' servers, your exposure to data theft goes up significantly. Opting for tokenisation, which masks actual card details, therefore reduces this risk. "Customers shall be given the option to set and modify per transaction and daily transaction limits for tokenized card transactions," said the RBI.

What are the checks imposed to safeguard this system?

The apex bank has made it clear that a customer's explicit consent through Additional Factor of Authentication (AFA) is needed for the registration of any card on a token requestor's app. This consent cannot be obtained through a forced or automatic selection of a checkbox or radio button.

"Tokenisation and de-tokenization shall be performed only by the authorized card network and recuperation of original Primary Account Number (PAN) should be practicable for the authorized card network only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network," read the guidelines, adding, "Actual card data, token and other applicable details shall be stored in a secure mode. Token requestors shall not store PAN or any other card detail."

The RBI has also directed card networks to get token requestors certified for the security of their systems, including hardware, as well as features for ensuring authorised access to their apps on the identified devices and other functions they have to perform, such as customer onboarding, token provisioning and storage, transaction processing and data storage. All certification has to conform to international best practices.

The RBI has also directed authorised card payment networks to put in place a mechanism for periodic system checks and security audits at regular intervals – at least annually – of all entities involved in providing such services to customers. This system audit shall be undertaken by empanelled auditors of the Indian Computer Emergency Response Team (CERT-In), and a copy of the report has to be submitted to the apex bank.

What about grievance redressal?

The RBI guidelines on tokenisation specify that card issuers will have to ensure customers have easy access to a channel for reporting loss of the "identified device" or any other event which may expose tokens to unauthorised usage. "Card network, along with card issuers and token requestors, shall put in place a system to straightaway de-activate such tokens and connected keys," the regulator added.
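To make the moving parts concrete, here is a toy model of the flow the article describes: a card-network token vault that alone can map tokens back to the PAN, merchant apps acting as token requestors that keep only the token, per-transaction and daily limits set for a token, explicit AFA consent before a card can be registered, and deactivation of every token bound to a device that is reported lost. This is an added illustration, not RBI or card-network code; the class names, the 16-digit Luhn-valid token format, the default limits and the sample card number are all assumptions made here.

```python
"""Toy model of card tokenisation as described in the article (constructed example).
Names, token format and limits are assumptions, not any network's real design."""
import secrets
from dataclasses import dataclass
from typing import Dict


def luhn_check_digit(body: str) -> str:
    """Check digit making body + digit pass Luhn, so a token is PAN-shaped and can
    pass through systems that expect a 16-digit card number."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class TokenRecord:
    pan: str
    requestor: str
    device_id: str
    per_txn_limit: int
    daily_limit: int
    spent_today: int = 0
    active: bool = True


class CardNetworkVault:
    """The only place the token -> PAN mapping exists (the authorised card network)."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def provision(self, pan: str, requestor: str, device_id: str, afa_consent: bool,
                  per_txn_limit: int = 5000, daily_limit: int = 20000) -> str:
        # Registration needs the customer's explicit AFA consent; a pre-ticked box is not consent.
        if not afa_consent:
            raise PermissionError("explicit AFA consent required to tokenise a card")
        while True:
            # Token digits are random, so the PAN cannot be derived from the token (or
            # vice versa) by anyone who does not hold this vault.
            body = "".join(secrets.choice("0123456789") for _ in range(15))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, requestor, device_id, per_txn_limit, daily_limit)
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN: possible only inside the network's vault."""
        return self._records[token].pan

    def set_limits(self, token: str, per_txn_limit: int, daily_limit: int) -> None:
        rec = self._records[token]
        rec.per_txn_limit, rec.daily_limit = per_txn_limit, daily_limit

    def authorise(self, token: str, amount: int) -> bool:
        """Approve a tokenised transaction only if the token is live and within its limits."""
        rec = self._records.get(token)
        if rec is None or not rec.active or amount <= 0:
            return False
        if amount > rec.per_txn_limit or rec.spent_today + amount > rec.daily_limit:
            return False
        rec.spent_today += amount
        return True

    def deactivate_device(self, device_id: str) -> int:
        """Device reported lost: deactivate every token bound to it; returns how many."""
        hit = [r for r in self._records.values() if r.device_id == device_id and r.active]
        for r in hit:
            r.active = False
        return len(hit)


class TokenRequestorApp:
    """Merchant app on the customer's phone: stores tokens, never the PAN."""

    def __init__(self, name: str, vault: CardNetworkVault) -> None:
        self.name, self.vault = name, vault
        self.saved_tokens: Dict[str, str] = {}          # device_id -> token

    def save_card(self, pan: str, device_id: str, afa_consent: bool) -> str:
        token = self.vault.provision(pan, self.name, device_id, afa_consent)
        self.saved_tokens[device_id] = token            # the PAN is dropped after this call
        return token

    def pay(self, device_id: str, amount: int) -> bool:
        return self.vault.authorise(self.saved_tokens[device_id], amount)


def demo() -> Dict[str, bool]:
    """Walk through the article's scenario; every value should come out True."""
    vault = CardNetworkVault()
    pan = "4111111111111111"                             # constructed sample PAN (test number)
    food = TokenRequestorApp("food-delivery", vault)
    shop = TokenRequestorApp("e-commerce", vault)
    t1 = food.save_card(pan, "phone-A", afa_consent=True)
    t2 = shop.save_card(pan, "phone-A", afa_consent=True)
    t3 = shop.save_card(pan, "tablet-B", afa_consent=True)
    vault.set_limits(t1, per_txn_limit=2000, daily_limit=3000)   # customer-chosen limits
    return {
        "one_token_per_card_app_device": len({t1, t2, t3}) == 3,
        "tokens_pan_shaped_but_not_pan": all(luhn_valid(t) and t != pan for t in (t1, t2, t3)),
        "requestor_never_holds_pan": pan not in food.saved_tokens.values(),
        "only_network_detokenises": vault.detokenize(t1) == pan,
        "per_txn_and_daily_limits": food.pay("phone-A", 1500) and not food.pay("phone-A", 2001)
        and food.pay("phone-A", 1500) and not food.pay("phone-A", 1),
        "lost_device_kills_only_its_tokens": vault.deactivate_device("phone-A") == 2
        and not shop.pay("phone-A", 100) and shop.pay("tablet-B", 100),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point the model makes is structural: because the token is generated at random inside the vault and the merchant app discards the PAN as soon as it receives the token, a breach of the app's server yields only tokens that are bound to one app and one device, can be capped by the customer's limits, and can be switched off without reissuing the card.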

What will it cost?

"No charges should be recovered from the customer for availing this service," said the RBI.
