RBI guidelines on Tokenisation – Card Transactions

The Reserve Bank has released guidelines on tokenisation for debit/credit/ prepaid card transactions as a part of its continuous endeavour to enhance the safety and security of the payment systems in the country. Tokenisation involves a process in which a unique token masks sensitive card details. Thereafter, in lieu of actual card details, this token is used to perform card transactions in contactless mode at Point Of Sale(POS) terminals, Quick Response(QR) code payments, etc.

These guidelines permit authorised card payment networks to offer card tokenisation services to any token requestor (third party app provider), subject to conditions enumerated in these guidelines. A cardholder may avail of these services by registering the card on the token requestor’s app after giving explicit consent. No charges shall be recovered from the customer for availing this service.

RBI/2018-19/103
DPSS.CO.PD No.1463/02.14.003/2018-19

January 08, 2019

The Chief Executive Officer / President
All authorised card payment networks

Madam / Dear Sir,

Tokenisation – Card transactions

Continuing the efforts to improve safety and security of card transactions, Reserve Bank of IndiaIndia Bharat Varsha (Jambu Dvipa) is the name of this land mass. The people of this land are Sanatan Dharmin and they always defeated invaders. Indra (10000 yrs) was the oldest deified King of this land. Manu's jurisprudence enlitened this land. Vedas have been the civilizational literature of this land. Guiding principles of this land are : सत्यं वद । धर्मं चर । स्वाध्यायान्मा प्रमदः । Read more had permitted card networks for tokenisation in card transactions for a specific use case.

1. It has now been decided to permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider), subject to the conditions listed in Annex 1. This permission extends to all use cases / channels [e.g., Near Field Communication (NFC) / Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.). For the present, this facility shall be offered through mobile phones / tablets only. Its extension to other devices will be examined later based on experience gained.

2. All extant instructions of Reserve Bank on safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry shall be applicable for tokenised card transactions also.

3. All other instructions related to card transactions shall be applicable for tokenised card transactions as well. The ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks.

4. No charges should be recovered from the customer for availing this service.

5. Before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system (including security) audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers. This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and all related instructions of Reserve Bank in respect of system audits shall also be adhered to. A copy of this audit report shall be furnished to the Reserve Bank, with comments of auditors on deviations, if any, from the conditions listed in Annex 1, along with the compliance thereto. Further, a report on the details provided in Annex 2 shall be submitted at monthly intervals to the Chief General Manager, Reserve Bank of India, Department of Payment and Settlement Systems, Central Office, Mumbai and by email.

6. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).

Yours faithfully,

(P Vasudevan)
Chief General Manager

Encl.: As above

Annex 1

(DPSS.CO.PD.No.1463/02.14.003/2018-19 dated January 08, 2019)

Card tokenisation services

Tokenisation refers to replacement of actual card details with an unique alternate code called the “token”, which shall be unique for a combination of card, token requestor and device (referred hereafter as “identified device”).

Conditions

Tokenisation – de-tokenisation service

i. Tokenisation and de-tokenisation shall be performed only by the authorised card network and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network. Integrity of token generation process shall be ensured at all times.

ii. Tokenisation and de-tokenisation requests should be logged by the card network and available for retrieval, if required.

iii. Actual card data, token and other relevant details shall be stored in a secure mode. Token requestors shall not store PAN or any other card detail.

Certification of systems of card issuers/acquirers, token requestors and their app, etc.

iv. Card network shall get the token requestor certified for (a) token requestor’s systems, including hardware deployed for this purpose, (b) security of token requestor’s application, (c) features for ensuring authorised access to token requestor’s app on the identified device, and, (d) other functions performed by the token requestor, including customer on-boarding, token provisioning and storage, data storage, transaction processing, etc.

v. Card networks shall get the card issuers/acquirers, their service providers and any other entity involved in payment transaction chain, certified in respect of changes done for processing tokenised card transactions by them.

vi. All certification / security testing by the card network shall conform to international best practices / globally accepted standards.

Registration by customer

vii. Registration of card on token requestor’s app shall be done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of checkbox, radio button, etc.

viii. AFA validation during card registration, as well as, for authenticating any transaction, shall be as per extant Reserve Bank instructions for authentication of card transactions.

ix. Customers shall have option to register / de-register their card for a particular use case, i.e., contactless, QR code based, in-app payments, etc.

x. Customers shall be given option to set and modify per transaction and daily transaction limits for tokenised card transactions.

xi. Suitable velocity checks (i.e., how many such transactions will be allowed in a day /week/month) may be put in place by card issuers/card network as considered appropriate, for tokenised card transactions.

xii. For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.

Secure storage of tokens

xiii. Secure storage of tokens and associated keys by token requestor on successful registration of card shall be ensured.

Customer service and dispute resolution

xiv. Card issuers shall ensure easy access to customers for reporting loss of “identified device” or any other such event which may expose tokens to unauthorised usage. Card network, along with card issuers and token requestors, shall put in place a system to immediately de-activate such tokens and associated keys.

xv. Dispute resolution process shall be put in place by card network for tokenised card transactions.

Safety and security of transactions

xvi. Card network shall put in place a mechanism to ensure that the transaction request has originated from an “identified device”.

xvii. Card network shall ensure monitoring to detect any malfunction, anomaly, suspicious behaviour or the presence of unauthorized activity within the tokenisation process, and implement a process to alert all stakeholders.

xviii. Based on risk perception, etc., card issuers may decide whether to allow cards issued by them to be registered by a token requestor.

Annex 2

Reporting format for tokenisation service by authorised card networks 
(DPSS.CO.PD.No.1463/02.14.003/2018-19 dated January 08, 2019)
(to be furnished by 10th of each month)

Name of authorised card network: …………………………………..

Report for the month: ……………………….

Note: Above data shall be as at end of month

*Transaction data to be provided for each use case enabled by the card network