Date: 2021-09-10
The changes “are expected to reinforce the safety and security of card data while continuing the convenience in card transactions,” RBI said in a press note.
The Reserve Bank of India (RBI) on Tuesday, 7 September, announced that it will allow card-on-file tokenisation for e-commerce companies.
According to the new digital payments guidelines, RBI has permitted card networks/aggregators to offer card tokenisation services as Token Service Providers (TSPs).
Tokenisation is the process of replacing credit or debit card details with a unique set of characters – or a ‘token’ – that enables payments to be processed without exposing sensitive account details whose leakage could compromise the security and privacy of consumers.
Here's what happens when a customer pays with a card in a system that uses tokenisation:
1. A credit/debit card is used at a POS machine or on an e-commerce marketplace.
2. The card number is transferred to the tokenisation system.
3. The tokenisation system generates 16 random characters, called a 'token', to replace the original card number.
4. The tokenisation system returns the newly generated 16-character token to the e-commerce site, which stores it in place of the customer's card number.
For instance, a card number such as 5931 9212 3933 3391 would be replaced by a token such as 4321 2365 4545 2111.
It is worth noting that tokenisation has been around for a while as a way to separate data in ecosystems, and databases.
The central bank said the device-based tokenisation framework laid down in its circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well.
This means that card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs).
The tokenisation of card data shall be done with explicit customer consent, requiring Additional Factor of Authentication (AFA).
The central bank said the facility of tokenisation shall be offered by TSPs only for the cards issued by/affiliated to them.
The ability to tokenise and de-tokenise card data shall rest with the same TSP.
The above enhancements are expected to reinforce the safety and security of card data while continuing the convenience in card transactions, the RBI said.
Earlier, the facility of tokenisation by card networks to token requestors was limited to the mobile phones and tablets of interested card holders. The central bank has now included consumer devices such as laptops, desktops, wearables (wrist watches, bands, etc) and Internet of Things (IoT) devices, to extend the scope of tokenisation.
The central bank said that many entities involved in the card payment transaction chain store the actual card details (also known as Card-on-File (CoF)) of their users.
In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen.
In the recent past, there were incidents where card data stored by some merchants was compromised or leaked.
Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques.
The Reserve Bank had, therefore, stipulated in March 2020 that authorised payment aggregators and the merchants onboarded by them should not store actual card data. This would minimise vulnerable points in the system.
It must be noted that the introduction of CoFT, while improving customer data security, will offer customers the same degree of convenience as now.
RBI has also made it clear that customers won't have to memorise all of their card details.
Interestingly, storing card information in the form of tokens may also help card payment aggregators/networks, as it reduces the merchant’s effort to implement PCI DSS (Payment Card Industry Data Security Standard) requirements.
This does not mean that tokenisation solutions completely eliminate the need to maintain and validate PCI DSS compliance, but it may simplify a merchant’s compliance validation by reducing the number of system components to which PCI DSS requirements apply.
Tokenisation also limits the damage to customers in the case of fraud or theft, because a separate token is issued for the same card on each platform that uses tokenisation.
This means that even if a website suffers a data breach and the tokens are acquired by a cybercriminal, it will be extremely difficult to reverse engineer the actual card number from them, safeguarding the card information.
Tokenisation will also make recurring payments convenient and safe, by allowing payment providers to save cards using tokens.
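As an added illustration (not code from RBI, any card network, or this article), the following Python sketch models the flow described above and the per-platform tokens mentioned in the preceding paragraphs: a token service provider holds the only mapping from card numbers to tokens, requires consent and AFA before tokenising, issues a different random 16-digit token to each merchant for the same card, and is the only party that can detokenise. The class, the merchant ids and the customer id are assumptions; the sample card number is the article's own example.

```python
import secrets

class TokenServiceProvider:
    """Toy TSP (constructed, not a real network's API): the only holder of the PAN-to-token mapping."""

    def __init__(self):
        self._vault = {}    # (merchant_id, token) -> PAN
        self._issued = {}   # (merchant_id, pan) -> token: one token per card per merchant

    @staticmethod
    def _new_token():
        # 16 random digits so the token fits 16-digit card fields; it reveals nothing about the PAN.
        return "".join(secrets.choice("0123456789") for _ in range(16))

    def tokenise(self, pan, merchant_id, consent, afa_passed):
        # RBI's condition: explicit customer consent plus Additional Factor of Authentication.
        if not (consent and afa_passed):
            raise PermissionError("explicit consent and AFA are required before tokenisation")
        key = (merchant_id, pan)
        if key in self._issued:          # same card, same merchant: reuse the token
            return self._issued[key]
        token = self._new_token()
        while (merchant_id, token) in self._vault:   # never hand out a duplicate
            token = self._new_token()
        self._vault[(merchant_id, token)] = pan
        self._issued[key] = token
        return token

    def detokenise(self, token, merchant_id):
        # Only the issuing TSP can map a token back, and only for the merchant
        # (token requestor) it was issued to: a token leaked from one merchant is useless elsewhere.
        try:
            return self._vault[(merchant_id, token)]
        except KeyError:
            raise LookupError("token not issued to this merchant") from None

def card_on_file_demo():
    """Two merchants store the same card as two different tokens; a charge goes via the TSP."""
    tsp = TokenServiceProvider()
    pan = "5931921239333391"   # the article's sample card number, spaces removed
    token_a = tsp.tokenise(pan, "shop-a", consent=True, afa_passed=True)
    token_b = tsp.tokenise(pan, "shop-b", consent=True, afa_passed=True)
    merchant_a_db = {"customer-42": token_a}   # merchant keeps only the token
    charged_pan = tsp.detokenise(merchant_a_db["customer-42"], "shop-a")
    return pan, token_a, token_b, charged_pan
```

A merchant database in this model contains only tokens that are valid for that merchant alone; the vault that maps them back never leaves the TSP.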