Tokenisation – Now your card (credit/debit/pre-paid) transactions will be safer online, thanks to RBI: All you need to know
RBI introduces tokenisation feature for safety of card transactions.

Demonetization has led to a spurt in digital payments and, with that, ever-increasing cases of online fraud, including but not limited to theft of card details, data breaches, server hacking, fraudulent transfer of money, phishing, smishing, vishing, etc. To enhance the security of cards used for financial transactions, RBI has introduced a new concept called Tokenisation.

The Reserve Bank of India (RBI), as a part of its continuous endeavour to enhance the safety and security of the payment systems in the country, has introduced a new safety approach called “Tokenisation”.

As per the guidelines issued by RBI, only authorised card payment networks can offer card tokenisation services to any token requestor (third-party app provider). To avail of this service, the cardholder will have to register the card on the token requestor’s app after giving explicit consent. The service will be free to the customer availing it.

What is Card Tokenisation?

Tokenisation is a process wherein the actual card details are replaced with a unique alternate code called the “token”, which shall be unique for a combination of card, token requestor and device (referred to hereafter as the “identified device”). Therefore, in place of the actual card details, this token is used to perform card transactions in contactless mode at Point of Sale (POS) terminals, Quick Response (QR) code payments, etc. The Additional Factor of Authentication (AFA) / PIN entry shall, however, still be applicable for tokenised card transactions.
In simple words, no merchant/merchant apps can store your original debit or credit card number. So even in case of breach, your original card details are safe with you.

How will the tokenisation service work?

Compliance on part of agencies involved

1. Only an authorised card network can perform tokenisation and de-tokenisation. Recovery of the original Primary Account Number (PAN) should be feasible only for the authorised card network. Ample safeguards shall be put in place to ensure that the PAN cannot be found out from the token, or vice versa, by anyone except the card network. The token generation process shall be robust and its integrity maintained at all times.

2. Log of tokenisation and de-tokenisation requests should be stored and be made available for retrieval by the card network if required.

3. Actual card data of end users, tokens and other relevant details shall be stored in a secure mode. Except for the authorised card network, no token requestor can store the PAN or any other card detail.

4. The Authorised Card networks shall get the token requestor certified for the following:

  • Existing systems, including hardware deployed for this purpose.
  • Security of token requestor’s application.
  • Facility for ensuring authorized access to token requestor’s app on the identified device (smartphone/tablet).
  • Miscellaneous functions performed by the token requestor, including customer on-boarding, token provisioning and storage, data storage, transaction processing, etc.

5. Secure storage of tokens and associated keys by token requestor on successful registration of card shall be ensured.

6. The Authorised Card networks shall also get the card issuers / acquirers certified in respect of changes done for processing tokenised card transactions by them including any service providers/entity involved in the payment transaction chain.

7. International best practices / globally accepted standards shall be adopted for all certification / security testing by the card network.

What it has in store for you/customer

Tokenisation process by RBI for security of card transactions

1. You will have the option to register / de-register your card for a particular use case, i.e. contactless, QR code based, in-app payments, etc.

2. You/customer shall be free to use any of the cards for transactions registered with the token requestor app.

3. Limits can be set and modified for every transaction, and daily transaction limits can also be set, for tokenised card transactions.

4. For ensuring safety, suitable velocity checks (i.e., how many such transactions will be allowed in a day / week / month) may be put in place by card issuers / card networks, as deemed appropriate, for tokenised card transactions.

5. In case of loss of your mobile/identified device, which may expose the stored tokens to unauthorised usage, you can easily report the loss and the card issuer shall act on it. All agencies, including the card network, card issuers and token requestors, shall implement a system to immediately de-activate such tokens and associated keys.

6. A formal dispute resolution process shall also be available to the customer which shall be put in place by card network for tokenised card transactions.
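To make the guideline concrete, here is an added illustrative model (not RBI's or any card network's code) of the network-side token vault described above: the token is a random surrogate that is unique per card, token requestor and identified device, cannot be derived from the PAN (or the PAN from it) without the vault, every tokenise / de-tokenise request is logged, and all tokens for a lost device can be de-activated at once. The class and method names, and the sample PAN, requestor and device identifiers, are assumptions made for this example.

```python
import secrets
from datetime import datetime, timezone


class TokenVault:
    """Illustrative card-network token vault (hypothetical; not any network's real service).

    A token is a random surrogate for the PAN, unique per (PAN, token requestor, device).
    Only the vault can map a token back to the PAN, and only for the requestor/device it
    was issued to. In a production vault the PAN column would be encrypted at rest.
    """

    def __init__(self):
        self._by_token = {}   # token -> {"pan", "requestor", "device", "active"}
        self._by_key = {}     # (pan, requestor, device) -> token
        self.log = []         # audit log of tokenise / de-tokenise requests

    def _log(self, action, requestor, device, token, ok):
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                         "requestor": requestor, "device": device, "token": token, "ok": ok})

    def tokenise(self, pan, requestor, device):
        """Return the active token for this (card, requestor, device), issuing one if needed."""
        key = (pan, requestor, device)
        token = self._by_key.get(key)
        if token is None or not self._by_token[token]["active"]:
            token = secrets.token_hex(8)            # random, so it carries no information about the PAN
            while token in self._by_token:          # guard against the (negligible) collision case
                token = secrets.token_hex(8)
            self._by_key[key] = token
            self._by_token[token] = {"pan": pan, "requestor": requestor, "device": device, "active": True}
        self._log("tokenise", requestor, device, token, True)
        return token

    def detokenise(self, token, requestor, device):
        """Recover the PAN only for an active token presented by the requestor/device it was bound to."""
        rec = self._by_token.get(token)
        ok = (rec is not None and rec["active"]
              and rec["requestor"] == requestor and rec["device"] == device)
        self._log("detokenise", requestor, device, token, ok)
        return rec["pan"] if ok else None

    def deactivate_device(self, device):
        """Lost-device report: de-activate every token bound to that device; returns how many."""
        count = 0
        for rec in self._by_token.values():
            if rec["device"] == device and rec["active"]:
                rec["active"] = False
                count += 1
        return count
```

Failed de-tokenise attempts (wrong requestor, wrong device, or a de-activated token) are recorded in the log with `ok=False`, which is the raw material for the anomaly monitoring the guidelines ask card networks to run.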

Authorized Card Networks responsibility for Safety and security of transactions

1. Card networks must implement a robust mechanism to ensure that the transaction request has originated from an “identified device”.

2. Card network shall ensure monitoring to detect any malfunction, anomaly, suspicious behavior or the presence of unauthorized activity within the tokenisation process, and implement a process to alert all stakeholders.

3. Based on risk perception, etc., card issuers may decide whether to allow cards issued by them to be registered by a token requestor.

“As of now, this facility shall be offered through mobile phones/tablets only. Its extension to other devices will be examined later based on experience gained,” the RBI guidelines state.

More and more apps, including shopping apps, food delivery apps and cab booking apps, store your card details for ease of payment, but in case of a breach of their servers or database, the customer data/card details are most susceptible to misuse. Hence, the new process of tokenisation will not only enhance the security of payment systems but also minimise the risk in case of hacking or a leak of any service provider's database.
