More security for your cards as RBI directs card networks to mask details using 'tokens'

The RBI clarified that existing security instructions like Additional Factor of Authentication (AFA) or PIN entry will be applicable for tokenised card transactions.

Keeping safety and security of payment systems in mind, the Reserve Bank of India (RBI) has introduced tokenisation for debit, credit, as well as prepaid card transactions.

Tokenisation is a process that will replace the actual card details with unique alternate codes called a “token” and this will then be used for card transactions in contactless mode at Point of Sale (POS) terminals, Quick Response (QR) code payments, etc.

Under these new guidelines, authorised payment networks like VISA and Mastercard will offer tokenisation services to any token requestor (third party app provider).

So, who tokenises the card and how does one use it?

A cardholder can avail these services by registering a card on the token requestor’s app (i.e. any third-party app provider) after giving explicit consent. Customers will not be charged for availing this service.

But, the ultimate responsibility for the card tokenisation services rests with the authorised card networks. The RBI clarified that all existing security instructions like Additional Factor of Authentication (AFA) or PIN entry continue to be applicable for tokenised card transactions.

Along with this, customers will also be given the option to set and modify daily transaction limits for these transactions. Further, appropriate checks on how many such transactions will be allowed in a day, week or month may be put in place by either card issuers or card network.

For performing any transaction, the customer is free to use any of the cards registered with the token requestor app.

What kind of transactions can tokens be used for?

The RBI states that tokenised transactions can be used for almost all channels including transactions involving Near Field Communication (NFC), Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, among others.

Currently, this facility shall be offered through mobile phones and tablets only as an extension to other devices and will be examined later, based on experience gained. Customers can also register and de-register their card for a particular use case, including contactless, QR code based, in-app payments, etc.

Also read: RBI forms digital payments committee, appoints Nandan Nilekani as Chairman

RBI mandates for security

In its directive, the apex bank states that card networks shall have to get the token requestor certified for

• token requestor’s systems, including hardware deployed for this purpose
• security of token requestor’s application
• features for ensuring authorised access to token requestor’s app on the identified device
• other functions performed by the token requestor, including customer onboarding, token provisioning and storage, data storage, transaction processing, etc.

Card networks have been directed to certify card issuers as well as acquirers, their service providers and any other entity involved in the payment transaction chain, certified to be able to process tokenised card transactions.

In the second part involving the security of the transaction, card networks will have to put in place a mechanism to ensure that the transaction request has originated from an “identified device”.

Along with that, card networks also have to ensure monitoring to detect any malfunction, anomaly, suspicious behaviour or the presence of unauthorised activity within the tokenisation process, while immediately alerting all stakeholders.

Finally, based on risk perception, card issuers may decide whether to allow cards issued by them to be registered by a token requestor.

In terms of any dispute or loss of customer’s identified device, or any other event, card issuers, networks or token requestors will have to put a process in place to immediately deactivate such tokens and associated keys.

Also, card networks have to put dispute resolution processes in place for tokenised card transactions.

Further, actual card data, token and other relevant details shall be stored in a secure mode and token requestors (or third party apps) are not allowed to store PAN or any other card details.