The Reserve Bank of India, on Tuesday, announced enhancements to the current framework on card-tokenisation services.

The device-based tokenisation framework advised through circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well.

Further, card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs), said the RBI.

“The tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA),” it added.

Review undertaken

The enhancements have been made based on a review of the tokenisation framework and to enable cardholders to benefit from the security of tokenised card transactions and also the convenience of card on file or customer card credentials, said the RBI.

The facility of tokenisation will be offered by TSPs only for the cards issued by or affiliated to them. Further, the ability to tokenise and de-tokenise card data will be with the same TSP.

“The above enhancements are expected to reinforce the safety and security of card data while continuing the convenience in card transactions,” the RBI further said.

It also said that the introduction of CoFT, while improving customer data security, will offer customers the same degree of convenience as now.

Contrary to some concerns, there will be no requirement to input card details for every transaction under the tokenisation arrangement, it further said, adding that efforts of the RBI to deepen digital payments in India and make such payments safe and efficient shall continue.

The RBI had, in March 2020, stipulated that authorised payment aggregators and the merchants onboarded by them should not store actual card data. This would minimise vulnerable points in the system. On request from the industry, the deadline was extended to December-end as a one-time measure.

The RBI has been in regular consultation with the industry to facilitate the transition, it said. The central bank had, on August 25, also extended the scope of tokenisation to laptops, desktops, wearables (wrist watches, bands, etc.) and Internet of Things (IoT) devices, from the initial mobile phones and tablets.