Reserve Bank of India issues guidelines on tokenization of card payments

Friday 11 January 2019 11:46 CET | News

The Reserve Bank of India (RBI) has issued guidelines on tokenization of card payments to improve security of card transactions.

RBI said it has now decided to permit authorised card payment networks to offer card tokenization services to any token requestor (for example, a third-party app provider), subject to certain conditions. This permission extends to all use cases/channels (for example, NFC/Magnetic Secure Transmission based contactless transactions, in-app payments and QR code-based payments) or token storage mechanisms (cloud, secure element, trusted execution environment).

For the present, this facility shall be offered through mobile phones/tablets only. Its extension to other devices will be examined later, based on experience. All instructions of RBI on safety and security of card transactions, including the mandate for additional factor of authentication (AFA)/PIN entry, shall also be applicable for tokenized card transactions. The ultimate responsibility for the card tokenisation services rests with the authorised card networks. No charges should be recovered from the customer for availing the tokenization service.

Only the authorised card network is allowed to perform tokenization and de-tokenisation, and recovery of the original primary account number (PAN) should be feasible for the authorised card network only. Adequate safeguards shall be put in place to ensure that the PAN can’t be found out from the token, and vice versa, by anyone except the card network.

Registration of a card on the token requestor’s app will be done only with explicit customer consent through AFA, and not by way of a forced/default/automatic selection of check box and radio button. Customers will have the option to register/de-register their card for a particular use case like contactless, QR code-based and in-app payments. Customers shall be given the option to set and modify per-transaction and daily transaction limits for tokenized card transactions.

For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app. Based on risk perception, card issuers may decide whether to allow cards issued by them to be registered by a token requestor.


Keywords: Reserve Bank of India, tokenization, card payments, security
Countries: World
