RBI Encourages ‘Tokenisation’ For More Secure Card Payments
American Express, MasterCard, and Visa credit cards are displayed for a photograph in New York, U.S. (Photographer: Daniel Acker/Bloomberg)

RBI Encourages ‘Tokenisation’ For More Secure Card Payments

The Reserve Bank of India has permitted card payment companies to offer their customers a ‘tokenised’ service to facilitate card transactions in a secured manner. Once implemented, customers will be able to create a unique alternative code or ‘token’ that will mask their actual card details to conduct financial transactions.

While ‘tokenisation’ was already permitted in some cases, the regulator’s latest circular attempts to broaden its use in the interest of making digital payments more secure.

Card payment companies will be able to contract third party application developers to provide the ‘tokenisation’ services, through mobile phones or tablets (only on these devices for now) to customers. But all parties involved in the “payment transaction chain” will have to be registered with the central bank.

How will it work?

Customers tend store their card details on a number of websites to facilitate transactions.

For instance, you may have your credit/debit card details stored with a food delivery app on your mobile phone. Given that this information is permanently stored on the app and with the company’s server, it is susceptible to data theft or hacking.

To reduce that risk, you can opt for tokenisation. The process involves creating a unique ‘token’, which is a combination of the card, the token requester (for example the food delivery app) and of the ‘identified’ device (such as your mobile phone).

The customer can then continue to make numerous transactions on the app, without revealing or storing their card details with the app or the service provider as these details are encrypted within the token.

With tokenisation the card details are masked through a randomly generated number, which only the card operator can de-crypt. What this means is that customers do not need to provide their card details again and again for every transaction, instead they will use a unique proxy number.
Vivek Belgavi, Partner and FinTech Leader, PwC India

While card companies have provided the service in the past, the latest notification from the central bank allows them to expand the service across payment channels.

The tokenisation service will be available for all channels including Near Field Communication/Magnetic Secure Transmission based contactless transactions, in-app payments and QR code-based payments, for example.

The idea is to prevent card details from constantly being replicated over the cellular network, therefore reducing the chances of a hack or data compromise either on the customers’ end or with the service provide.

The Safeguards

The RBI, in its notification, has provided multiple safeguards for customers beyond a basic consent mechanism.

Customers will be able to set or modify transaction limits for a tokenised card transactions and they will be able to register/de-register their card for particular use cases.

The central bank says that card payment companies will have to ensure that all parties that may be part of the “tokenised transaction chain” comply with existing RBI guidelines regarding the safety and security of card transactions. This means that token payment services will have to ensure that every transaction includes either the Additional Factor of Authentication or Personal Identification Number entry by customers. The card payment company will also have to register the ‘token requestor’ or third party app with the RBI and ensure that the latter’s systems comply with existing security guidelines.

Card payment companies will be responsible for the security and efficacy of the entire token transaction system, said the RBI.

“Globally as well, especially for online transactions, tokenisation is a best practice as it builds an additional level of security against fraud, especially when such sensitive data is in transit. Tokenisation is not a substitute for a PIN, it is a substitute for storing or replicating card details,” said Belgavi.

Card issuers, or banks, also need to create an easy mechanism by which customers can report the loss of their identified device or any authorised usage of the tokens created, said the RBI. In addition, card payment companies must put in place an appropriate dispute resolution process for these tokenised transactions.

Further, prior to launching these services the card payment companies will have to put in place mechanisms for routine (at least annual) security audits of all the entities involved in the transaction chain.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.