Reserve Bank of India (RBI) has released guidelines on tokenisation for debit/credit/prepaid card transactions as a part of its endeavour to enhance the safety and security of the payment systems in the country. Tokenisation involves a process in which a unique token masks sensitive card details. In place of actual card details, this token is used to perform card transactions in contactless mode at Point Of Sale (POS) terminals, Quick Response (QR) code payments, and so on. With tokenisation, your online payments and transactions using cards become more secure than they are at present.
With RBI’s guidelines in place, authorised card payment networks can now offer card tokenisation services to any token requestor (third party app provider), subject to conditions. A card holder may avail of these services by registering the card on the token requestor’s app after giving explicit consent. Importantly, no charges are to be recovered from the customer for availing this service. This means you get better protection at no extra cost.
Do remember that all existing instructions of the Reserve Bank on the safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry, remain applicable to tokenised card transactions as well. Read on to know more.
What is tokenization?
Tokenization is the process of protecting sensitive data by replacing it with an algorithmically generated number called a token. Tokenization is used to prevent card fraud. In card tokenization, the customer’s primary account number (the debit card or bank account number) is replaced with a series of randomly generated numbers. These tokens can then be passed over the Internet or the various wireless networks needed to process the payment. The token ensures that everything happens without the actual bank details being exposed. The actual bank account number is held safe in a secure token vault.
The RBI has now decided to permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider). This permission extends to all use cases / channels [e.g., Near Field Communication (NFC) / Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.).
Do remember that, for the present, this tokenisation facility will be offered through mobile phones / tablets only. Its extension to other devices will be examined later, based on the experience gained.
From a customer point of view, the ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks. Read about the RBI norms here.
How Indian customers gain
With the RBI norms in place, there is now more security for your cards, as the RBI has directed card networks to mask card details using ‘tokens’.
The banking regulator has strict guidelines for tokenisation. These are aimed at minimising data leaks.
The RBI has said that tokenisation and de-tokenisation have to be performed only by the authorised card network, and that recovery of the original Primary Account Number (PAN) should be feasible for the authorised card network only.
The RBI has directed networks to put adequate safeguards in place so that the PAN cannot be worked out from the token, nor the token from the PAN, by anyone except the card network. Thus, the integrity of the token generation process should be ensured at all times.
Actual card data, token and other relevant details would have to be stored by networks in a secure mode. Importantly, token requestors shall not store PAN or any other card detail.
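To make the data-handling rules above concrete, here is an added Python sketch of the flow described under "What is tokenization?" and in the RBI conditions just listed: the card network keeps the PAN in a vault and issues a random token, de-tokenisation is possible only for the party holding the vault, and the token requestor (the third-party app) stores the token plus a display hint but never the PAN. This is illustrative code written for this page, not RBI's text or any card network's implementation; the class names, the consent flag, the 16-digit token format and the sample PANs are all assumptions made here.

```python
"""Added illustration of a card-network token vault and a token requestor,
following the RBI conditions described on this page. Hypothetical code:
CardNetworkVault, TokenRequestor and the sample PANs are constructed here."""
import secrets
import string


class CardNetworkVault:
    """Authorised card network: the only party that can map a token back to a PAN.

    A production vault would be an HSM-backed store with access control and audit
    logging; a plain dict stands in for it in this example."""

    TOKEN_LENGTH = 16  # assumption: tokens look like a 16-digit card number

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}  # token -> PAN, held by the network only

    def tokenise(self, pan: str, consent_given: bool) -> str:
        """Issue a fresh token for a PAN.

        Requires the card holder's explicit consent (an RBI condition) and never
        derives the token from the PAN, so the token cannot be inverted."""
        if not consent_given:
            raise PermissionError("card holder consent is required before tokenisation")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            # Random digits from a CSPRNG: no key, no hash and no function of the
            # PAN is involved, so there is nothing to reverse outside this vault.
            token = "".join(secrets.choice(string.digits) for _ in range(self.TOKEN_LENGTH))
            if token not in self._vault and token != pan:
                break
        self._vault[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Recover the PAN for settlement; only the network holds this object."""
        return self._vault[token]  # KeyError for an unknown or revoked token

    def revoke(self, token: str) -> None:
        """Drop a token, e.g. when the card holder removes the card from the app."""
        self._vault.pop(token, None)


class TokenRequestor:
    """Third-party app. Per the norms it must not store the PAN or other card details."""

    def __init__(self, network: CardNetworkVault) -> None:
        self._network = network
        self.cards: dict[str, dict[str, str]] = {}  # alias -> {"token", "last4"}

    def register_card(self, alias: str, pan: str, consent_given: bool) -> str:
        """Send the PAN to the network once and keep only the token it returns."""
        token = self._network.tokenise(pan, consent_given)
        # Only what the app needs to pay and to show the user: token and a display hint.
        self.cards[alias] = {"token": token, "last4": pan[-4:]}
        return token

    def pay(self, alias: str) -> str:
        """Return the token that goes to the network in place of the card details."""
        return self.cards[alias]["token"]


def stores_no_pan(requestor: TokenRequestor, network: CardNetworkVault) -> bool:
    """Audit helper: no value held by the requestor equals a PAN in the vault.
    (Reads the vault's private store; acceptable for a self-check in a demo.)"""
    pans = set(network._vault.values())
    return all(v not in pans for card in requestor.cards.values() for v in card.values())


def demo() -> dict[str, object]:
    """Run the register -> pay -> settle flow on a constructed sample PAN."""
    network = CardNetworkVault()
    app = TokenRequestor(network)
    pan = "4111111111111111"  # constructed sample PAN (a well-known test number)
    token = app.register_card("my card", pan, consent_given=True)
    return {
        "token": token,
        "token_is_random_digits": token.isdigit() and len(token) == 16 and token != pan,
        "settled_pan": network.detokenise(app.pay("my card")),
        "requestor_stores_no_pan": stores_no_pan(app, network),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the constructed flow; the point to check is that `settled_pan` matches the registered card while nothing the requestor holds equals the PAN. Two registrations of the same PAN yield two independent tokens, since the vault refuses to reissue a token already in use.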
The RBI has also put in place certification standards for systems of card issuers / acquirers, token requestors and their app, etc.
How is it better than existing systems
Existing systems have some weaknesses that keep card payments from being fool-proof, especially where the networks involved are weak. Let’s look at the issue more closely.
Payment platforms often ask you to save card information so that you will not need to input it again in future. But saving this information can have consequences. Firstly, if the account information is seen or accessed by a hacker, they have access to your card details. While they may not easily be able to conduct transactions without the PIN or password, still nobody would want their card details known to outsiders.
Chip cards offer good protection, but the points at which a chip can be used limit their scope. While chip cards protect against fraud that occurs when someone pays at a physical store, tokenization is primarily designed to fight online or digital breaches.
Tokenisation Vs Encryption
As you know so far, tokenization replaces sensitive cardholder detail with a stand-in token. This helps secure the customer’s account details in cards and e-commerce transactions.
Many of you may have heard about ‘end-to-end encryption’. So, is tokenisation better? In end-to-end encryption, cardholder data is encrypted at the origin and decrypted at the final destination. Some examples of end-to-end encryption are VPNs, Apple’s iMessage feature, and other messaging apps like WhatsApp.
Both tokenization and encryption are used to reduce the number of systems that have access to customers’ card information. But tokenization is fast emerging as a more cost-effective and secure solution for protecting customer card information. Unlike encrypted data, tokens are not mathematically reversible with a decryption key, and Primary Account Number data is never displayed.
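The contrast in the last sentence is easiest to see by modelling two merchants that each lose their whole database. The added Python example below is written for this page, not taken from RBI or any vendor: the cipher is a keyed stream built from HMAC-SHA256 so that it runs with the standard library alone, and it stands in for a real cipher such as AES purely to show that ciphertext plus key yields the PAN. The merchant names, sample PAN and the 16-digit token format are assumptions made here; the one-line `tokenise` is the same random-digit idea as the vault earlier on the page, reduced to a dict.

```python
"""Added comparison of encryption and tokenisation from the point of view of a
breached merchant. The HMAC-based stream cipher is a teaching stand-in for a
real cipher, not something to deploy. Sample values are constructed here."""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter), block by block."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh 16-byte nonce per message, prepended to the XORed body."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + body


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Anyone holding the key reverses encrypt(): that is the property being contrasted."""
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def tokenise(vault: dict[str, str], pan: str) -> str:
    """Token = random digits recorded beside the PAN in the card network's vault.
    There is no key and no formula linking the two; the vault is the only link."""
    token = "".join(secrets.choice("0123456789") for _ in range(16))
    vault[token] = pan
    return token


def what_a_breach_yields(pan: str) -> dict[str, bool]:
    """Model two merchants whose entire databases are copied by an attacker."""
    # Merchant A stores encrypted PANs and, to charge cards again later, the key as well.
    key = secrets.token_bytes(32)
    merchant_a_db = {"card": encrypt(key, pan.encode()), "key": key}

    # Merchant B stores only a token; the vault lives at the card network, not the merchant.
    network_vault: dict[str, str] = {}
    merchant_b_db = {"card": tokenise(network_vault, pan)}

    # With the key, the ciphertext is mathematically reversible.
    recovered_from_a = decrypt(merchant_a_db["key"], merchant_a_db["card"]).decode()
    # Without the vault there is nothing to invert: the dump holds no PAN at all.
    pan_in_b_dump = any(value == pan for value in merchant_b_db.values())
    token = merchant_b_db["card"]
    return {
        "encryption_reversed_with_key": recovered_from_a == pan,
        "pan_present_in_token_dump": pan_in_b_dump,
        "token_is_16_random_digits": token.isdigit() and len(token) == 16 and token != pan,
        "vault_still_resolves_token": network_vault[token] == pan,
    }


if __name__ == "__main__":
    print(what_a_breach_yields("4111111111111111"))
```

The design point is where the secret lives: merchant A must hold the key to use the card again, so a breach of A is a breach of the PAN; merchant B holds only a lookup handle whose mapping sits with the card network, which is exactly the "fewer systems with access" argument the page makes.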