RBI modifies guidelines on tokenisation of card transactions

September 10, 2021


The Reserve Bank of India (RBI), after reviewing the tokenisation framework, issued a directive on September 7th, 2021 with certain enhancements to its extant framework on card tokenisation services. Prior to this, on August 25th, the RBI had extended the scope of permitted devices for card tokenisation transactions to all consumer devices, enabling the industry to comply with the Guidelines on Regulation of Payment Aggregators and Payment Gateways (PA/PG Guidelines).

NASSCOM had made a representation to the RBI highlighting the greater need for the RBI to handhold the industry in implementing the framework by the due timeline of December 2021, and asking it to allow card-on-file (CoF) tokenisation and to reconsider the complete prohibition of card-on-file data storage. In line with NASSCOM’s recommendations, the applicability of the framework is being extended to CoF. Once implemented, the actual card number would be replaced with a payment token (randomly generated numbers) to bolster the security of the payment system. Other key features of the directive include:

  1. Storing of card data: No entity in the card transaction / payment chain, other than the card issuer and / or card network, shall store the actual card data after January 1, 2022. Such entities are allowed to store the last four digits of the actual card number and the name of the card issuer.
  2. Responsibility of card networks: It is the responsibility of card networks to ensure that all entities involved are compliant with the provisions of the framework.
  3. Obligations on the TSPs: Card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs). These TSPs shall be required to offer tokenisation facility only for the cards issued by them or affiliated to them. These TSPs shall have the ability to tokenise and de-tokenise card data.
  4. Customer Consent: To tokenise card data, it is mandatory to obtain the customer’s explicit consent, requiring Additional Factor of Authentication (AFA) validated by the card issuer.

In addition to the obligations laid down by the directive, the provisions of the RBI circulars dated August 25, 2021 and January 08, 2019 will also apply to CoF tokenisation.

To know more about the guidelines, write to apurva@nasscom.in.




Apurva Singh
Senior Policy Associate

Write to me for all things related to FinTech, Drones, Data and Gaming
