Amidst the rise in cases of financial data leaks in India, the Reserve Bank of India’s (“RBI“) efforts towards the adoption of a framework of tokenisation of cards in India have been appreciated by the industry.1 An important update to this framework was notified on September 7, 2021, which enhances the scope of these card tokenisation services. To understand the framework that governs tokenisation services, it is pertinent to discuss what the process of tokenisation entails.
Tokenisation refers to the replacement of actual card details with an alternate code called the token, which is unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and device.2 The tokens generated through this process are then used for online transactions, in place of the the card details. Thus, in the event that any data of a merchant company is breached or compromised, the actual card details of a customer remain protected since they are not shared with such company. Even if these tokens are leaked during such data breach, due to the nature of random generation of these tokens, it is not possible to reverse engineer or decrypt them.3 The RBI has directed card networks to ensure that adequate safeguards are put in place, so that the Primary Account Number cannot be found out from the token and vice versa. Actual card data, token and other relevant details are to be stored in a secure mode.4
To tokenise card details, the card holder must initiate a request on the application provided by the token requestor, which is then forwarded to the card network and upon obtaining the consent of the card issuer, a token that corresponds to the combination of the card, the token requestor and device is created. This service is not chargeable to customers and it is an optional service. It is pertinent to note that tokens are not only linked to the card details and the token requestor, but also to consumer devices.
On January 8, 2019, the RBI issued a circular to permit authorised card payment networks (such as Visa, Mastercard, Rupay and etc.) to offer card tokenisation services to any token requestor subject to certain conditions as specified in the circular. This was extended to all use cases / channels [e.g., Near Field Communication (NFC) / Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.). However, the facility was limited to certain trusted devices such as mobile phones and tablets.5 Subsequently, considering the uptake in volume of tokenised card transactions, the RBI extended the facility to consumer devices such as laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices and etc. in August, 2021.6 The RBI also issued a directive in March, 2021 that banned the storage of customer card credentials, also known as Card-on-File (“CoF“), by authorised Payment Aggregators and the merchants on-boarded by them on their database or server.7 Since many entities involved in the card payment transaction chain store CoF and some merchants also force customers to store card details, these measures were undertaken to minimise the vulnerable points in the banking system.
In the latest development, vide circular dated September 7, 2021, the RBI has clarified that no entity in the card transaction/payment chain other than the card issuers and/or card networks shall be permitted to store actual card data with effect from January 1, 2022. Therefore, it is relevant for entities other than card issuers and networks to note that previously stored card data would need to be purged. The only exception to this mandate is the storage of limited data, i.e. the last four digits of the actual card number and the card issuer’s name for transaction tracking and/or reconcilliation purposes.
Furthermore, the tokenisation framework has been extended to Card-on-File Tokenisation (“CoFT“) services.8 The token for this purpose shall be unique for a combination of card, token requestor and merchant. Card issuers have been permitted to offer card tokensation services as Token Service Providers (“TSP“). This facility by the TSPs can only be offered for the cards issued by/affiliated to them. In the erstwhile framework, only the card networks were allowed to act as TSPs. Now, card issuers have also been allowed to provide tokenisation services to tokenise and de-tokenise card data. The circular states that tokenisation of card data will require the explicit consent of customers with Additional Factor of Authentication (“AFA“) validation by the card issuer. AFA may be combined if card payment for a purchase transaction at a merchant is being performed along with the registration of CoFT. Consent of the cardholder is also required when a card is renewed or replaced and the card issuer wants to link such card with the merchants with whom the earlier card was registered.
The RBI has provided certain conditions in the circular that facilitate ease of de-registration of tokens. Card issuers are required to provide customers with the facility (through mobile applications, internet banking, at branches or Interactive Voice Response) to view the list of merchants in respect of whom the CoFT has been opted, and to de-register such token. Merchants are also required to provide card holders with an option to de-register the token.9 The RBI has emphasised that introduction of tokenisation services will not have any bearing on the convenience that the customers currently enjoy while transacting.
Keeping in line with the latest RBI circular, Visa launched the first CoFT service for merchants in India on October 6, 2021 which is available on e-commerce platforms such as Grofers, bigbasket and MakeMyTrip. Followed by the National Payments Corporation of India which has launched its tokenisation system for RuPay cards on October 20, 2021.10
Since the law on data protection in India still remains in a nascent stage, the RBI’s tokenisation measures for data security are essential to safeguard sensitive data of consumers. However, for a smooth functioning tokenisation infrastructure, multiple players in the banking system would need to collaborate with one another, which may pose certain challenges.