The Reserve Bank of India (RBI) has taken a major step to tokenise debit, credit and prepaid transactions in order to make such service more secure.
Its guidelines on tokenisation of debit/credit card payments, released on January 8, will not only enhance online security but will give customers a new option to not share their original card number.
A cardholder may avail of these services by registering the card on the token requestor’s app after giving explicit consent. No charges shall be recovered from the customer for availing this service, the notification said.
All extant instructions of Reserve Bank on safety and security of card transactions, including a mandate for Additional Factor of Authentication (AFA)/PIN entry shall be applicable for tokenised card transactions also, it added.
What is tokenisation?
According to the top bank’s notification, tokenisation involves a process in which a unique token, issued by the bank, masks sensitive card details.
Thereafter, in lieu of actual card details, this token is used to perform card transactions in contactless mode at Point Of Sale(POS) terminals, Quick Response(QR) code payments, etc, it said.
The permisson to tokenise cards is a huge step towards enhancing security of debit and credit cards, which have been exposed to serious online cyber crimes.
RBI’s permission will apply to all channels of transactions including Near Field Communication or Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments and token storage mechanisms.
However, the facility shall be offered only through mobile phones and tablets initially. Extension to other devices will be examined later based on the experience.
As a customer, nothing changes in the way you conduct transactions using a credit or debit card: All you have to do is swipe credit or debit card. However, in the new process, no merchant can store your original debit or credit card number.
Instead of your 16-digit payment account number (card number), a randomly generated token ID issued by your bank, can be used.
The security-packed tokens, once issued, does not permit anyone else expect you can find out the original token number.
The 16-digit token will keep changing with every single transaction, making it impossible for any vendor or third-party to know your actual debit or credit card number.
Customers shopping online will only provide the generated token number in lieu of the actual card number.
RBI, however, has made it clear that Additional Factor of Authentication (AFA)/ PIN entry shall be applicable for tokenised card transactions too.
The top bank has clearly stated that no charges should be recovered from the customer for availing this service.
While RBI has issued guidelines on tokenisatioin, card services can only be initiated by authorised card payment networks. Since a third-party has to provide the tokenisation services, the card payment networks have been asked to employ a mechanism for periodic system audit at frequent intervals.
This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and all related instructions of Reserve Bank in respect of system audits shall also be adhered to. A copy of this audit report shall be furnished to the Reserve Bank, with comments of auditors on deviations, said the top bank.