The Reserve Bank of India (RBI) on Tuesday permitted authorised card payment networks to offer card tokenisation services to any token requestor, or third-party app providers, subject to certain conditions. This permission extends to all use cases/channels (e.g., Near Field Communication (NFC)/Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.) or token storage mechanisms (cloud, secure element, trusted execution environment, etc.), the central bank said in a notification on its website. For the present, this facility shall be offered through mobile phones/tablets only. Its extension to other devices will be examined later based on experience gained.
All existing instructions of the RBI on safety and security of card transactions, including the mandate for an additional factor of authentication (AFA) and PIN entry shall be applicable for tokenised card transactions as well. The ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks, which will not be allowed to recover any charges from customers for availing this service.
Before providing card tokenisation services, authorised card payment networks will be required to put in place a mechanism for periodic system audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers. This system audit shall be undertaken by empanelled auditors of the Indian Computer Emergency Response Team (CERT-In) and all related instructions of the RBI concerning system audits shall also be adhered to.
A copy of this audit report will have to be sent to the RBI, with comments of auditors on deviations, if any, from the conditions specified by the central bank, along with the compliance thereto. Further, details on the number of cards that are registered for the service and transaction data shall be submitted at monthly intervals to the central bank's Department of Payment and Settlement Systems.
One of the conditions for offering tokenisation is that card networks must put in place adequate safeguards to ensure that the cardholder's PAN cannot be found out from the token and vice versa by anyone except the card network. Another mandate is that registration of a card on the token requestor's app shall be done only with explicit customer consent through AFA, and not by way of a forced, default or automatic selection of checkboxes, radio buttons or similar devices.
Card networks will also need to set up a dispute-resolution process and a mechanism to ensure that the transaction request has originated from an identified device.