You are here: Home » News-IANS » Business-Economy
Business Standard

RBI extends tokenisation services to online merchants

IANS  |  Mumbai 

Continuing its efforts to improve the safety of card transactions, the of India (RBI) on Tuesday extended the use of tokenisation -- hiding of actual card details with a unique token -- in the wider payments ecosystem.

To date, the RBI had allowed like Visa and to use the in card transactions. The technology is now allowed to be used by merchants holding the card credentials like

"It has now been decided to permit authorised to offer to any token requestor (i.e., third party app provider)," the RBI said in a statement. For now, the facility will be offered through and tablets only.

The permission extends to all use cases and channels like near field communication (NFC), magnetic secure transmission (MST)-based contactless transactions, in-app payments and QR (quick response) code-based payments, the said.

"The Reserve has today (Tuesday) released guidelines on tokenisation for debit/ credit/ prepaid card transactions as a part of its continuous endeavour to enhance the safety and security of the in the country," the statement said.

Tokenisation involves a process in which a unique token masks sensitive card details and thus, in lieu of actual card details, this token is used to perform card transactions. The token will be unique for a combination of card, token requestor and "identified device".

While all other instructions related to card transactions will be applicable for tokenised card transactions as well, the RBI stated: "The ultimate responsibility for the rendered rests with the "

Before providing card tokenisation services, will have to put in place a mechanism for periodic system (including security) audit at frequent intervals, at least once a year, of all entities involved in providing to customers.

"Tokenisation and de-tokenisation shall be performed only by the authorised card network, and recovery of original Primary Account Number (PAN) should be feasible for the authorised only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network," the RBI said.

Registration of card on token requestor's app will be done only with explicit customer consent and the customers will have the option to register/ de-register their card for a particular use cases like contactless and QR code-based.

"Card issuers shall ensure easy access to customers for reporting loss of 'identified device' or any other such event which may expose tokens to unauthorised usage. Card network, along with card issuers and token requestors, shall put in place a system to immediately de-activate such tokens and associated keys," the bank added.



(This story has not been edited by Business Standard staff and is auto-generated from a syndicated feed.)

First Published: Tue, January 08 2019. 21:52 IST