January 08, 2019
The Chief Executive Officer / President
Madam / Dear Sir,
Tokenisation – Card transactions
Continuing the efforts to improve safety and security of card transactions, Reserve Bank of India had permitted card networks for tokenisation in card transactions for a specific use case.
2. It has now been decided to permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider), subject to the conditions listed in Annex 1. This permission extends to all use cases / channels [e.g., Near Field Communication (NFC) / Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.). For the present, this facility shall be offered through mobile phones / tablets only. Its extension to other devices will be examined later based on experience gained.
3. All extant instructions of Reserve Bank on safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry shall be applicable for tokenised card transactions also.
4. All other instructions related to card transactions shall be applicable for tokenised card transactions as well. The ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks.
5. No charges should be recovered from the customer for availing this service.
6. Before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system (including security) audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers. This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and all related instructions of Reserve Bank in respect of system audits shall also be adhered to. A copy of this audit report shall be furnished to the Reserve Bank, with comments of auditors on deviations, if any, from the conditions listed in Annex 1, along with the compliance thereto. Further, a report on the details provided in Annex 2 shall be submitted at monthly intervals to the Chief General Manager, Reserve Bank of India, Department of Payment and Settlement Systems, Central Office, Mumbai and by email.
7. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).
Encl.: As above
(DPSS.CO.PD.No.1463/02.14.003/2018-19 dated January 08, 2019)
Card tokenisation services
Tokenisation refers to replacement of actual card details with an unique alternate code called the “token”, which shall be unique for a combination of card, token requestor and device (referred hereafter as “identified device”).
Tokenisation – de-tokenisation service
i. Tokenisation and de-tokenisation shall be performed only by the authorised card network and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network. Integrity of token generation process shall be ensured at all times.
ii. Tokenisation and de-tokenisation requests should be logged by the card network and available for retrieval, if required.
iii. Actual card data, token and other relevant details shall be stored in a secure mode. Token requestors shall not store PAN or any other card detail.
Certification of systems of card issuers / acquirers, token requestors and their app, etc.
iv. Card network shall get the token requestor certified for (a) token requestor’s systems, including hardware deployed for this purpose, (b) security of token requestor’s application, (c) features for ensuring authorised access to token requestor’s app on the identified device, and, (d) other functions performed by the token requestor, including customer on-boarding, token provisioning and storage, data storage, transaction processing, etc.
v. Card networks shall get the card issuers / acquirers, their service providers and any other entity involved in payment transaction chain, certified in respect of changes done for processing tokenised card transactions by them.
vi. All certification / security testing by the card network shall conform to international best practices / globally accepted standards.
Registration by customer
vii. Registration of card on token requestor’s app shall be done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc.
viii. AFA validation during card registration, as well as, for authenticating any transaction, shall be as per extant Reserve Bank instructions for authentication of card transactions.
ix. Customers shall have option to register / de-register their card for a particular use case, i.e., contactless, QR code based, in-app payments, etc.
x. Customers shall be given option to set and modify per transaction and daily transaction limits for tokenised card transactions.
xi. Suitable velocity checks (i.e., how many such transactions will be allowed in a day / week / month) may be put in place by card issuers / card network as considered appropriate, for tokenised card transactions.
xii. For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.
Secure storage of tokens
xiii. Secure storage of tokens and associated keys by token requestor on successful registration of card shall be ensured.
Customer service and dispute resolution
xiv. Card issuers shall ensure easy access to customers for reporting loss of “identified device” or any other such event which may expose tokens to unauthorised usage. Card network, along with card issuers and token requestors, shall put in place a system to immediately de-activate such tokens and associated keys.
xv. Dispute resolution process shall be put in place by card network for tokenised card transactions.
Safety and security of transactions
xvi. Card network shall put in place a mechanism to ensure that the transaction request has originated from an “identified device”.
xvii. Card network shall ensure monitoring to detect any malfunction, anomaly, suspicious behaviour or the presence of unauthorized activity within the tokenisation process, and implement a process to alert all stakeholders.
xviii. Based on risk perception, etc., card issuers may decide whether to allow cards issued by them to be registered by a token requestor.
Reporting format for tokenisation service by authorised card networks
Name of authorised card network: …………………………………..
Report for the month: ……………………….
Note: Above data shall be as at end of month
*Transaction data to be provided for each use case enabled by the card network
Source: RBI Notifications