Reserve Bank of India Tuesday released guidelines on tokenisation for various card transactions, including from debit and credit cards.
Tokenisation, which aims at improving safety and security of the payment system, refers to replacement of actual card details with an unique alternate code called the 'token', which shall be unique for a combination of card, token requestor and identified device.
Instead of using actual card details, this token is used to perform card transactions in contactless mode at point of sale(POS) terminals, quick response(QR) code payments.
RBI has given permission to offer tokenised card transactions services to all channels such as near field communication (NFC), magnetic secure transmission (MST) based contactless transactions, in-app payments, QR code-based payments or token storage mechanisms, including cloud, secure element and trusted execution environment.
At present, tokenised card transaction facility would be offered through mobile phones or tablets only and will be extended to other devices later based on experience, the central bank said.
Tokenisation and de-tokenisation shall be performed only by the authorised card network and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only, the release said.
The request for tokenisation and de-tokenisation should be logged by the card network and available for retrieval.
A customer would not have to pay any charges for availing this service, it said.
"Card networks shall get the card issuers/acquirers, their service providers and any other entity involved in payment transaction chain, certified in respect of changes done for processing tokenised card transactions by them," the release said.
RBI said before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system audit, at least annually, of all entities involved in providing card tokenisation services to customers.
The central bank also asked card issuers to ensure easy access to customers for reporting loss of 'identified device' or any other such event which may expose tokens to unauthorised usage.
Registration of a card on token requestors app shall be done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default/automatic selection of check box, radio button, the release said.
Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.
We, however, have a request.
As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.
Support quality journalism and subscribe to Business Standard.