RBI's Tokenisation Norms

Why in news?

The Reserve Bank of India’s card-on-file (CoF) tokenisation norms which will improve the safety and security of card transactions has come into effect recently.

What is Tokenisation?

• Tokenisation refers to the replacement of actual card details with a unique alternate code called the ‘token’.
• This token shall be unique for a combination of card, token requester and the device.
• Benefits - A tokenised card transaction is considered safer as actual card details such as three-digit CVV and expiry date are not shared with the merchant during transaction processing.
• Actual card data, token and other relevant details are stored in a secure mode by the authorised card networks.
• Now, for any purchases done online or through mobile apps, merchants, payment aggregators and payment gateways will not be able to save crucial customer credit and debit card details.

How tokenisation be carried out?

• A Debit or Credit cardholder can get the card tokenised by initiating a request on the app provided by the token requestor.
• The token requestor will forward the request to the card network.
• The card network with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.

Who can perform tokenisation?

• Tokenisation can be performed only by the authorised card network and the list of authorised entities is available on the RBI website.
• Adequate safeguards have to be put in place to ensure that the recovery of original Primary Account Number (PAN) from token and vice versa, should be feasible only for the authorised card network.

What do customers gain from tokenisation?

• The customer need not pay any charges for availing of this service.
• The tokenisation has been allowed through mobile phones and/or tablets for all use cases/channels (e.g., contactless card transactions, payments through QR codes, apps etc.)
• Tokenisation is not mandatory for a customer and those who choose not to let his card tokenised can continue to transact as before by entering card details manually at the time of undertaking the transaction.

What are the allowed use cases for tokenisation?

• Tokenisation has been allowed through mobile phones and / or tablets for all use cases / channels (e.g., contactless card transactions, payments through QR codes, apps etc.)
• The feature of tokenisation is available on consumer devices like mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc.

How safe is tokenisation?

• The token requestor cannot store Primary Account Number (PAN), or any other card details.
• Card networks are also mandated to get the token requester certified for safety and security that conform to international best practices/globally accepted standards.
• With tokenisation, a card and merchant specific token is generated, which can be used for all online transactions with that merchant.
• In case of any data breach or hacking attempt at the merchant’s end, the customer’s card details will be protected.
• Further, RBI has emphasised that the integrity of the token generation process has to be ensured at all times.

How did India decide to carry out tokenisation?

• The RBI prohibited merchants from storing customer card details on their servers and mandated the adoption of card-on-file (CoF) tokenisation as an alternative.
• After multiple extensions, given to the system for a comfortable switchover, the RBI finally implemented these norms.
• The central bank was constantly talking to all stakeholders to ensure that the transition to the tokenisation framework was smooth.
• Few participants who are not ready yet or unwilling to comply may take some more time but will eventually join the framework.

Close to 35 crore tokens have already been created. In September alone, 40 per cent of transactions, valuing around Rs 63 crore, were done using tokens.

What is the size of the industry?

• Till end July 2022, while the number of credit cards issued stood at around 8 crore, debit cards in the system were 92.81 crore.
• The number of debit and credit cards in the system can give some idea of the tokenisation industry.

• With the growing payment transactions through debit and credit cards, tokenisation is required wherever card details are stored for recurring payments.
• The tokenisation lends greater credibility to seamless and secure payments experience.

References

1. https://indianexpress.com/article/explained/explained-economics/tokenisation-for-credit-and-debit-card-transactions-what-is-it-and-how-does-it-help-you-8184678/
2. https://economictimes.indiatimes.com//tech/technology/tokenisation-rules-for-debit-credit-cards-kick-in-today-all-you-need-to-know/articleshow/94582158.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst
3. https://m.rbi.org.in/scripts/FAQView.aspx?Id=129