To improve safety and security of card transactions, the Reserve Bank of India (RBI) has decided to permit authorised card payment networks to offer card-tokenisation services to any token requestor (such as a third-party app provider), subject to conditions.

What is tokenisation?

Tokenisation is a process in which a unique token masks sensitive card details. The token is then used in place of the actual card details to perform card transactions in ‘contactless’ mode at Point of Sale (POS) terminals and through Quick Response (QR) code payments, among others.

In its guidelines on tokenisation for debit / credit / prepaid card transactions, the RBI said tokenisation and de-tokenisation can be performed only by the authorised card network (such as RuPay, MasterCard, Visa, American Express and Diners Club), and recovery of original Primary Account Number (PAN) should be feasible for the network only.

At present, the facility will only be offered via mobile phones and tablets. Extension to other devices will be examined later based on the experience gained, the central bank said.

Adequate safeguards have to be put in place to ensure that PAN cannot be found out from the token and vice-versa by anyone except the card network.

Tokenisation and de-tokenisation requests must be logged by the card network and available for retrieval, if required. Actual card data, token, and other relevant details have to be stored in a secure mode. Token requestors cannot store PAN or other card details.

A card holder may register a card on the token requestor’s app for these services only with explicit customer consent given through additional factor authentication (AFA), and not by way of a forced / default / automatic selection of a check box or radio button. No charges can be recovered from the customer for availing the service.

All extant instructions of the RBI on safety and security of card transactions, including mandate for Additional Factor of Authentication (AFA) / PIN entry, will also be applicable for tokenised card transactions.
