The Reserve Bank of India has decided to permit authorised card payment networks to offer card tokenisation services to any token requestor — third party app provider — for debit, credit or prepaid card transactions.
Tokenisation involves a process in which a unique token masks sensitive card details. Thereafter, in lieu of actual card details, this token is used to perform card transactions in contactless mode at point of sale (POS) terminals and quick response(QR) code payments.
“This is part of continuous endeavour to enhance the safety and security of the payment systems in the country,” the central bank said.
The RBI guidelines permit authorised card payment networks to offer card tokenisation services to any token requestor, subject to conditions.
“A card holder may avail of these services by registering the card on the token requestor’s app after giving explicit consent. No charges should be recovered from the customer for availing this service. All extant instructions of the RBI on safety and security of card transactions, including mandate for additional factor of authentication (AFA) and PIN entry will be applicable for tokenised card transactions also,” the RBI said in a statement.
“For the present, this facility will be offered through mobile phones and tablets only. Its extension to other devices will be examined later based on experience gained,” the statement added.
Before providing card tokenisation services, authorised card payment networks should put in place a mechanism for periodic system (including security) audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers.