Reserve Bank of India
Date : Sep 07, 2021
Tokenisation of Card Transactions – Enhancements
The Reserve Bank of India (RBI) has today announced the following enhancements to the extant framework on card tokenisation services:
a. the device-based tokenisation framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well, and
b. card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs). The tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA).
The above enhancements are expected to reinforce the safety and security of card data while preserving the convenience of card transactions.
Citing the convenience and comfort factor for users while undertaking card transactions online, many entities involved in the card payment transaction chain store actual card details [also known as Card-on-File (CoF)]. In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants was compromised / leaked. Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques.
Reserve Bank had, therefore, stipulated in March 2020 that authorised payment aggregators and the merchants onboarded by them should not store actual card data. This would minimise vulnerable points in the system. On a request from the industry, the deadline was extended to end-December 2021 (RBI circular CO.DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021), as a one-time measure. RBI has been in regular consultation with the industry to facilitate the transition.
It may be noted that introduction of CoFT, while improving customer data security, will offer customers the same degree of convenience as now. Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts of Reserve Bank to deepen digital payments in India and make such payments safe and efficient shall continue.
(Yogesh Dayal)
Chief General Manager
Press Release: 2021-2022/823
********
Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services
RBI/2021-22/96
CO.DPSS.POLC.No.S-516/02-14-003/2021-22
September 07, 2021
All Payment System Providers and Payment System Participants
Madam / Dear Sir,
Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services
We invite reference to our circular DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 8, 2019 on “Tokenisation – Card transactions”, permitting authorised card networks to offer card tokenisation services subject to the conditions listed therein. Initially limited to mobile phones and tablets, this facility was subsequently extended to laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc., vide our circular CO.DPSS.POLC.No.S-469/02-14-003/2021-22 dated August 25, 2021 on “Tokenisation – Card Transactions : Extending the Scope of Permitted Devices”.
2. Reference is also invited to our circulars DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020 (as updated from time to time) and CO.DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021 on “Guidelines on Regulation of Payment Aggregators and Payment Gateways”, advising that neither the authorised Payment Aggregators (PAs) nor the merchants on-boarded by them shall store customer card credentials [also known as Card-on-File (CoF)].
3. On a review of the tokenisation framework and to enable cardholders to benefit from the security of tokenised card transactions as also the convenience of CoF, it has been decided to effect the following enhancements –
a. Extend the device-based tokenisation [1] framework referred to at paragraph 1 above to CoF Tokenisation (CoFT) as well.
b. Permit card issuers to offer card tokenisation services as Token Service Providers [2] (TSPs).
c. The facility of tokenisation shall be offered by the TSPs only for the cards issued by / affiliated to them.
d. The ability to tokenise [3] and de-tokenise card data shall be with the same TSP.
e. Tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by card issuer.
f. Additional requirements relating to CoFT are listed in the Annex.
4. Further, in the interest of clarity, the following points may be noted –
a. With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.
b. For transaction tracking and / or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards.
c. Complete and ongoing compliance with the above by all entities involved, shall be the responsibility of the card networks.
5. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).
Yours faithfully,
(P. Vasudevan)
Chief General Manager
Annex
(CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated September 07, 2021)
Conditions to be fulfilled for offering CoFT services
1. For the purpose of CoFT, the token shall be unique for a combination of card, token requestor and merchant [4].
2. If card payment for a purchase transaction at a merchant is being performed along with the registration for CoFT, then AFA validation may be combined.
3. The merchant shall give an option to the cardholder to de-register the token. Further, a token requestor having a direct relationship with the cardholder shall list the merchants in respect of whom the CoFT has been opted through it by the cardholder, and provide an option to de-register any such token.
4. A facility shall also be given by the card issuer to the cardholder to view the list of merchants in respect of whom the CoFT has been opted by her / him, and to de-register any such token. This facility shall be provided through one or more of the following channels – mobile application, internet banking, Interactive Voice Response (IVR) or at branches / offices.
5. Whenever a card is renewed or replaced, the card issuer shall seek explicit consent of the cardholder for linking it with the merchants with whom (s)he had earlier registered the card.
6. The TSP shall put in place a mechanism to ensure that the transaction request has originated from the merchant and the token requestor with whom the token is associated.
7. All other provisions of the RBI circulars dated January 8, 2019 and August 25, 2021 shall be applicable.
8. The TSPs shall monitor and ensure compliance in this regard.
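Annex conditions 1 and 6 together make a CoFT token a domain-bound credential: a token minted for one (card, token requestor, merchant) triple is distinct from the token for the same card at any other merchant, and the TSP will only de-tokenise it when the request arrives from the merchant and requestor it is bound to, so a token exfiltrated from one merchant is useless elsewhere. The following is an added example written for this page; it is not code from RBI, a card network or any TSP. The class names, the random token format, the BIN-prefix check standing in for "cards issued by / affiliated to" the TSP (para 3c), and the sample card number are all assumptions made for the illustration.

```python
"""Toy card-on-file token service illustrating the Annex conditions.

Added example, not RBI or card-network code. Names, token format, the BIN
check and the sample card number below are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """One CoFT token as held in the TSP vault (assumed structure)."""
    pan: str          # actual card number; exists only inside the TSP (para 4a)
    requestor: str    # token requestor the token was issued through
    merchant: str     # end-merchant / marketplace the token is bound to (note 4)
    active: bool = True


class TokenServiceProvider:
    """A TSP that tokenises and de-tokenises only its own cards (paras 3c, 3d)."""

    def __init__(self, issuer: str, bin_prefixes: tuple):
        self.issuer = issuer
        self._bins = bin_prefixes          # assumed: affiliation decided by card BIN
        self._vault = {}                   # token -> TokenRecord

    def _owns_card(self, pan: str) -> bool:
        return pan.startswith(self._bins)

    def _fresh_token(self) -> str:
        # Random and not derived from the PAN, so the token leaks nothing about the card.
        while True:
            token = "tkn_" + secrets.token_hex(8)
            if token not in self._vault:
                return token

    def tokenise(self, pan: str, requestor: str, merchant: str, afa_validated: bool) -> str:
        # Para 3e: explicit consent with AFA validated by the issuer comes first.
        if not afa_validated:
            raise PermissionError("AFA validation by the card issuer is required")
        if not self._owns_card(pan):
            raise PermissionError(f"{self.issuer} is not the TSP for this card")
        # Annex 1: exactly one active token per (card, requestor, merchant) triple;
        # registering the same triple again hands back the existing token.
        for token, rec in self._vault.items():
            if rec.active and (rec.pan, rec.requestor, rec.merchant) == (pan, requestor, merchant):
                return token
        token = self._fresh_token()
        self._vault[token] = TokenRecord(pan, requestor, merchant)
        return token

    def can_detokenise(self, token: str, requestor: str, merchant: str) -> bool:
        # Annex 6: the transaction must originate from the merchant and requestor
        # the token is associated with; anything else is rejected.
        rec = self._vault.get(token)
        return (rec is not None and rec.active
                and rec.requestor == requestor and rec.merchant == merchant)

    def detokenise(self, token: str, requestor: str, merchant: str) -> str:
        if not self.can_detokenise(token, requestor, merchant):
            raise PermissionError("token unknown, de-registered, or presented by the wrong party")
        return self._vault[token].pan

    def deregister(self, token: str) -> None:
        # Annex 3 and 4: merchant, requestor or issuer can withdraw a token on request.
        if token in self._vault:
            self._vault[token].active = False

    def merchants_for_card(self, pan: str) -> list:
        # Annex 4: the issuer shows the cardholder where the card is on file.
        return sorted({r.merchant for r in self._vault.values() if r.active and r.pan == pan})


def merchant_reference(pan: str, issuer: str) -> dict:
    """Para 4b: all a merchant / PA may retain for reconciliation."""
    return {"last4": pan[-4:], "issuer": issuer}


def demo() -> dict:
    """Exercise the conditions with a constructed sample card (not a real number)."""
    pan = "4111111111111111"
    tsp = TokenServiceProvider("ExampleBank", ("4111",))
    t_a = tsp.tokenise(pan, "PayGateway", "ShopA", afa_validated=True)
    t_b = tsp.tokenise(pan, "PayGateway", "ShopB", afa_validated=True)
    try:
        tsp.tokenise(pan, "PayGateway", "ShopC", afa_validated=False)
        no_afa_blocked = False
    except PermissionError:
        no_afa_blocked = True
    return {
        "distinct_per_merchant": t_a != t_b,                         # Annex 1
        "stable_on_rereg": tsp.tokenise(pan, "PayGateway", "ShopA", True) == t_a,
        "shop_a_ok": tsp.can_detokenise(t_a, "PayGateway", "ShopA"),  # Annex 6
        "shop_b_replay": tsp.can_detokenise(t_a, "PayGateway", "ShopB"),
        "other_requestor": tsp.can_detokenise(t_a, "OtherPG", "ShopA"),
        "no_afa_blocked": no_afa_blocked,                             # para 3e
        "merchant_stores": merchant_reference(pan, tsp.issuer),       # para 4b
        "on_file_at": tsp.merchants_for_card(pan),                    # Annex 4
    }


if __name__ == "__main__":
    print(demo())
```

The point worth checking in any real deployment is the one `can_detokenise` enforces: the vault must bind the token to both the requestor and the merchant at issuance and compare both on every use, because a token that is merely unique is still replayable by whoever obtains it.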
Notes:
[1] The term “device-based tokenisation” wherever used in this circular refers to the card tokenisation framework laid down vide RBI circulars dated January 8, 2019 and August 25, 2021.
[2] Token Service Provider (TSP) refers to the entity which tokenises the actual card credentials and de-tokenises them whenever required. Earlier only card networks were allowed to act as TSPs.
[3] In this circular, the word “token” wherever used includes token reference number, card reference number or any other similar term.
[4] The word “merchant” wherever used in this circular refers to the end-merchant. However, in case of an e-commerce marketplace entity, merchant refers to the said e-commerce entity. Further, token requestor and merchant may or may not be the same entity.
Source Link:
1. https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=52188
2. https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12159&Mode=0