Taking another step towards enhancing the safety and security of payment systems in the country, the Reserve Bank of India (RBI) has released guidelines on tokenisation for debit, credit, and prepaid card transactions.\r\n\r\nTokenisation involves a process in which a unique token masks sensitive card details. Thereafter, in lieu of actual card details, this token is used to perform card transactions in contactless mode at:\r\n\r\n \tPoint of sale (POS) terminals\r\n \tQuick Response(QR) code payments\r\n \tNear Field Communication (NFC)\/Magnetic Secure Transmission (MST)-based contactless transactions\r\n \tIn-app payments, or\r\n \tToken storage mechanisms (cloud, secure element, trusted execution environment, etc)\r\n\r\n \r\n\r\n\r\n\r\n \r\n\r\nThis directive has been issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007). It's a global practice and complies with guidelines such as the Payment Card Industry Data Security Standard (PCI DSS), an international organisation. It will also help avoid the misuse of card details or network hacking.\r\nTokenisation Benefits\r\nAuthorised card payment networks can now offer card tokenisation services to any token requestor (third-party app provider), subject to conditions enumerated in these guidelines with a mandate for an additional factor of authentication (AFA)\/ PIN entry.\r\n\r\n\u201cA cardholder may avail of these services by registering the card on the token requestor\u2019s app after giving explicit consent. No charges shall be recovered from the customer for availing this service. Also, the ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks,\u201d the RBI said in an official statement.\r\n\r\nFor now, this facility will be offered through mobile phones\/tablets only. Its extension to other devices will be examined later, based on the experience gained.\r\n\r\nVisa\u2019s Group Country Manager, India and South Asia TR Ramachandran said, \u201cTokenisation is the foundational aspect of taking payment security and safety to the next level by devaluing data and replacing payment credentials with tokens. We welcome this significant step by the RBI to encourage safe and secure digital payments for the country. \u00a0World over, tokenisation has evolved into enabling payments through connected devices and risk-based authentication. We are confident of India soon embarking in this direction to truly propel digital payments for the masses.\u201d\r\nAdditional Security Measures Taken\r\nAs stated by the RBI, before providing card tokenisation services, authorised card payment networks must put an audit mechanism in place to keep a check on the overall tokenisation process at frequent intervals.\r\n\r\n\u201cThis system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and all related instructions of Reserve Bank in respect of system audits shall also be adhered to. A copy of this audit report shall be furnished to the Reserve Bank,\u201d added the RBI.\r\n\r\nEarlier, in October 2015, reports had surfaced that the US-based Nuspay International (Nuspay) and E-billing Solutions (EBS) had entered into an agreement that would enable Indian customers to make secure purchases from more than 6,000 online merchants via the patent-pending Nuspay Virtual Account tokenised payment solution.\r\n\r\nThe RBI, on January 8, 2019, also released an official statement regarding the appointment of Nandan Nilekani, the former chairman of the Unique Identification Authority of India (UIDAI), as head of the newly formed five-member committee named the High-Level Committee for Deepening of Digital Payments. The committee will submit its report within a period of 90 days from the date of its first meeting.