RBI, vide its notification no. RBI/2018-19/103 dated 8 January 2019, has permitted authorised card payment networks to offer card tokenisation services to any token requestor, i.e. a third-party application, subject to the conditions set out below.
Conditions to be fulfilled
- Tokenisation and de-tokenisation services shall be performed only by authorised card networks, and recovery of the Primary Account Number (PAN) shall be feasible for the authorised card networks only. Safeguards shall be in place to ensure that the PAN cannot be derived from the token and vice versa.
- The requests for tokenisation and de-tokenisation shall be logged by the card network and available for retrieval.
- The actual card data, token, and other relevant details shall be stored in a secure mode. Token requestors shall not store PAN or any other card details.
- Card networks shall get the token requestor certified for (a) the token requestor’s systems, including hardware deployed for this purpose, (b) the security of the token requestor’s application, (c) features for ensuring authorised access to the token requestor’s app on the identified device, and (d) other functions performed by the token requestor, including customer on-boarding, token provisioning and storage, data storage, transaction processing, etc.
- The card networks shall get the different entities involved in the payment transaction chain certified with respect to the changes done for processing the tokenised card transaction.
- All the certification and the security testing by the card networks shall conform to the international best practices or globally accepted standards.
- Additional conditions have been prescribed for the registration of card details by a customer, such as: (a) registration of a card on the token requestor’s app shall be done only with explicit customer consent through an additional factor of authentication (“AFA”), and not by way of a forced/default/automatic selection of a check box, radio button, etc.; (b) AFA validation during card registration, as well as for authenticating any transaction, shall be as per RBI’s instructions; (c) customers will have the option to register or de-register their card for a particular purpose, i.e. contactless, QR code based, in-app payments, etc.; (d) customers will have the option to set and modify per-transaction and daily transaction limits for such transactions; (e) velocity checks may be put in place by card issuers/card networks; (f) the customer shall be free to use any card registered with the token requestor app for performing a transaction.
- Secure storage of token and associated keys should be ensured by the token requestor on successful registration of card.
- Customer support services such as reporting the loss of an identified device or any other event which may expose the token to unauthorised usage shall be put in place by the card network along with providing for a dispute resolution process.
The permission covers all channels, such as near field communication (NFC), in-app payments and QR code based payments, and all token storage mechanisms, such as cloud and secure element. At present the facility shall be offered through mobile phones and tablets only.
RBI’s instructions on the safety and security of card transactions, including the mandate for an AFA/PIN, shall apply to tokenised transactions, along with other instructions issued by RBI from time to time.
RBI mandates that no charges be recovered from customers for availing tokenisation services.
Periodic system audits shall be conducted at least once a year by the authorised card payment networks. The system audit shall be undertaken by auditors of the India Computer Emergency Response Team (CERT-IN), and all instructions with regard to system audit shall also be complied with. A copy of the audit report, with the auditors’ comments on any deviations, shall be furnished to the RBI. Further, a report with certain details is to be submitted monthly to the Chief General Manager, Reserve Bank of India.
- Tokenisation refers to the replacement of actual card details with “an (sic) unique alternate code” called the “token”, which shall be unique for a combination of card, token requestor and device (referred to hereafter as the “identified device”).
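A minimal model of the scheme described above, added here as an illustration and not part of the RBI circular: the card network alone holds the token vault and the request log, tokens are random values with no derivable relationship to the PAN, one token is issued per card/requestor/device combination, and the token requestor retains only the token. The requestor name, device identifiers and PAN are constructed sample values.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class CardNetwork:
    """Authorised card network: the only party holding the token-to-PAN mapping."""
    vault: dict = field(default_factory=dict)   # token -> (pan, requestor, device)
    index: dict = field(default_factory=dict)   # (pan, requestor, device) -> token
    log: list = field(default_factory=list)     # every tokenise/de-tokenise request

    def tokenise(self, pan, requestor, device):
        key = (pan, requestor, device)
        if key not in self.index:               # one token per card/requestor/device
            while True:
                # 16 digits from a CSPRNG: no mathematical relationship to the PAN,
                # so the PAN cannot be recovered from the token without the vault
                token = "".join(str(secrets.randbelow(10)) for _ in range(16))
                if token not in self.vault and token != pan:
                    break
            self.vault[token] = key
            self.index[key] = token
        self.log.append(("tokenise", requestor, device, self.index[key]))
        return self.index[key]

    def detokenise(self, token, requestor):
        # Only the network can map a token back to the PAN; every lookup is logged
        self.log.append(("detokenise", requestor, token))
        entry = self.vault.get(token)
        return entry[0] if entry else None


@dataclass
class TokenRequestor:
    """Third-party app: keeps only the token it was issued, never the PAN."""
    name: str
    storage: dict = field(default_factory=dict)  # device -> token

    def register_card(self, network, pan, device):
        token = network.tokenise(pan, self.name, device)
        self.storage[device] = token              # PAN is discarded after this call
        return token


def demo():
    network, app = CardNetwork(), TokenRequestor("wallet-app")  # hypothetical names
    pan = "4111111111111111"                                    # constructed sample PAN
    phone = app.register_card(network, pan, "phone-1")
    tablet = app.register_card(network, pan, "tablet-1")       # same card, new device
    return network, app, pan, phone, tablet
```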