BW CFO World Online Bureau
The scope of Tokenisation has been enhanced to ensure and maintain the security of the card data by the RBI.
To ensure security of card data, the Reserve Bank of India (RBI) has enhanced the scope of tokenisation and permitted card issuers to act as Token Service Providers (TSP). Under tokenisation services, a unique alternate code is generated to facilitate transactions through cards. The RBI broadened the device-based tokenisation to Card-On-File Tokenisation (CoFT) services, a move that will stop the merchants from storing actual card data. Card-on-file refers to card information stored by payment gateway and merchants to process future transactions.
“The tokenisation of card data shall be done with external customer consent requiring Additional Factor of Authentication (AFA),” the RBI said in a statement while extending device-based tokenisation framework to CoFT services. It further added that the decision will bring back the safety and security of card data while continuing the convenience in card transactions.
The RBI while keeping in mind the convenience and comfort factor for users undertaking card transactions online noted that many entities involved in the card payment transaction chain store the actual card details. Access of such details to many merchants substantially increases the risk of card data being stolen. There have been incidents where card data stored by some merchants have been compromised/ leaked. Any leakage of CoFT data can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Further, the RBI said adding that stolen card data can also be used to perpetrate frauds within India through social engineering techniques.
The RBI in March 2020 had stipulated that authorised payment aggregators and the merchants onboarded by them should not store actual card data so as to minimise vulnerable points in the system. On a request from the industry, it extended the deadline to the end of december 2021 as a one,-time measure. The tokenisation of card data, however, shall be done with explicit customer consent requiring AFA.
“Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement,” RBI said. The efforts of the RBI to deepen digital payments in India and make such payments safe and efficient shall continue.
The Reserve Bank of India last month had extended the scope of ‘tokenisation’ card payment services to several consumer devices including laptops, desktops, wearables like wrist watches, bands and Internet of Things (IoT), in addition to mobile phones and tablets.