Taking another step towards enhancing the safety and security of payment systems in the country, the Reserve Bank of India (RBI) has released guidelines on tokenisation for debit, credit, and prepaid card transactions.
Tokenisation involves a process in which a unique token masks sensitive card details. Thereafter, in lieu of actual card details, this token is used to perform card transactions in contactless mode at:
- Point of sale (POS) terminals
- Quick Response (QR) code payments
- Near Field Communication (NFC)/Magnetic Secure Transmission (MST)-based contactless transactions
- In-app payments, or
- Token storage mechanisms (cloud, secure element, trusted execution environment, etc.)
This directive has been issued under Section 10 (2) read with Section 18 of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007). It’s a global practice and complies with guidelines such as the Payment Card Industry Data Security Standard (PCI DSS), an international organisation. It will also help avoid the misuse of card details or network hacking.
Authorised card payment networks can now offer card tokenisation services to any token requestor (third-party app provider), subject to the conditions enumerated in these guidelines, with a mandate for an additional factor of authentication (AFA)/PIN entry.
“A cardholder may avail of these services by registering the card on the token requestor’s app after giving explicit consent. No charges shall be recovered from the customer for availing this service. Also, the ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks,” the RBI said in an official statement.
For now, this facility will be offered through mobile phones/tablets only. Its extension to other devices will be examined later, based on the experience gained.
Visa’s Group Country Manager, India and South Asia, TR Ramachandran said, “Tokenisation is the foundational aspect of taking payment security and safety to the next level by devaluing data and replacing payment credentials with tokens. We welcome this significant step by the RBI to encourage safe and secure digital payments for the country. World over, tokenisation has evolved into enabling payments through connected devices and risk-based authentication. We are confident of India soon embarking in this direction to truly propel digital payments for the masses.”
Additional Security Measures Taken
As stated by the RBI, before providing card tokenisation services, authorised card payment networks must put an audit mechanism in place to keep a check on the overall tokenisation process at frequent intervals.
“This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and all related instructions of Reserve Bank in respect of system audits shall also be adhered to. A copy of this audit report shall be furnished to the Reserve Bank,” added the RBI.
Earlier, in October 2015, reports had surfaced that the US-based Nuspay International (Nuspay) and E-billing Solutions (EBS) had entered into an agreement that would enable Indian customers to make secure purchases from more than 6,000 online merchants via the patent-pending Nuspay Virtual Account tokenised payment solution.
The RBI, on January 8, 2019, also released an official statement regarding the appointment of Nandan Nilekani, the former chairman of the Unique Identification Authority of India (UIDAI), as head of the newly formed five-member committee named the High-Level Committee for Deepening of Digital Payments. The committee will submit its report within a period of 90 days from the date of its first meeting.