RBI's new move to make card payments safer: All you need to know about tokenisation

As part of the banking regulator's efforts to enhance the safety and security of the payment systems in the country, the RBI has now permitted authorised card payment networks - covering credit, debit as well as prepaid cards - to offer tokenisation services to their customers.

"This permission extends to all use cases/channels or token storage mechanisms (cloud, secure element, trusted execution environment, etc.)," read the RBI guidelines on tokenisation for debit, credit and prepaid card transactions. "For the present, this facility shall be offered through mobile phones/tablets only. Its extension to other devices will be examined later based on experience gained."

Here's all you need to know about these new guidelines released yesterday:

What is tokenisation?

Tokenisation a process that masks actual card details using a unique alternate code called the "token", which is unique for a combination of card, token requestor - for instance m-commerce apps - and devices like smartphones. Thereafter, in lieu of actual card details, this token is used to perform card transactions in contactless mode at Point Of Sale (POS) terminals, Quick Response (QR) code payments, in-app payments and the like, thereby protecting cardholders from fraud and data-theft.

Also Read: RBI appoints Nandan Nilekani as chairman of high-level committee on digital payments in India

Most of us have downloaded multiple apps on our phone, from food delivery apps to ecommerce and travel apps. And for easier, quicker transactions in future, many customers opt for the 'save card details' option offered by most such apps. With your sensitive card details now stored at multiple companies' servers, your susceptibility to data theft goes up significantly. Opting for tokenisation, which masks actual card details, hence, reduces this risk. "Customers shall be given option to set and modify per transaction and daily transaction limits for tokenised card transactions," said the RBI.

What are the checks imposed to safeguard this system?

The apex bank has made it clear that a customer's explicit consent through Additional Factor of Authentication (AFA) is needed for the registration of any card on a token requestor's app. This consent cannot come about through a forced or automatic selection of check box or radio button.

"Tokenisation and de-tokenisation shall be performed only by the authorised card network and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network," read the guidelines, adding, "Actual card data, token and other relevant details shall be stored in a secure mode. Token requestors shall not store PAN or any other card detail."

The RBI has also directed card networks to get token requestors certified for security of their systems, including hardware, as well as features for ensuring authorised access to their apps on the identified devices and other functions that they have to perform such as customer on-boarding, token provisioning and storage, transaction processing and data storage. All certification has to conform to international best practices.

The RBI has also directed authorised card payment networks to implement a mechanism for periodic system checks and security audits at frequent intervals - at least annually - of all entities involved in providing such services to customers. This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and a copy of the report has to be handed to the apex bank.

What about grievance redressal?

The RBI guidelines on tokenisation specify that card issuers will have to ensure easy access to customers for reporting loss of "identified device" or any other such event which may expose tokens to unauthorised usage. "Card network, along with card issuers and token requestors, shall put in place a system to immediately de-activate such tokens and associated keys," the regulator added.

What will it cost?

"No charges should be recovered from the customer for availing this service," said the RBI.

Edited by Sushmita Agarwal

Read More: Reliance Industries stock rises on RBI nod for merger of subsidiaries

Jalan panel holds 1st meeting to examine reserve size of RBI; report likely in April

RBI says it is open to liquidity needs, ahead of shadow banker meeting