July 05 2020
Customers cannot be charged for availing tokenisation service: RBI
09 January 2019

Allows card payment networks to offer the facility to third-party app providers

The Reserve of India (RBI) has allowed all card payment networks to offer tokenisation service. However, the central bank has made it clear that no charges should be recovered from the customer for availing this service.

Tokenisation involves a process in which a unique token masks sensitive card details. The token is then used to perform card transactions in contact-less mode at Point Of Sale (POS) terminals, Quick Response (QR) code payments, etc.

The RBI has allowed card payment networks to offer card tokenisation services to any token requestor, that is, a third party app provider. A card holder can avail of these services by registering the card on the token requestor’s app and after giving ‘explicit consent’.

“All extant instructions of Reserve Bank on safety and security of card transactions, including the mandate for additional factor of authentication (AFA) / PIN entry shall be applicable for tokenised card transactions also,” the RBI said in a release.

“This permission extends to all use cases/channels [e.g., Near-Field Communication (NFC) / Magnetic Secure Transmission (MST)-based contact-less transactions, in-app payments, QR code-based payments etc.] or token storage mechanisms (cloud, secure element, trusted execution environment etc.). For the present, this facility shall be offered through mobile phones/tablets only. Its extension to other devices will be examined later based on the experience gained,” the RBI said.

For additional factor of authentication, PIN entry shall be applicable for tokenised card transactions also.

Safety measures

“Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa by anyone except the card network,” the RBI said.

“Moreover, actual card data, token and other relevant details shall be stored in a secure mode and the token requestors are not allowed to store PAN or any other card detail,” the release added. The ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks, the RBI said.



Related Stories