The Reserve Bank of India on Tuesday (8 January) notified the guidelines on tokenisation for debit/credit/prepaid card transactions in a bid to enhance the safety and security of payment systems in the country.
“Continuing the efforts to improve safety and security of card transactions, Reserve Bank of India had permitted card networks for tokenisation in card transactions for a specific use case,” an RBI statement noted.
Tokenisation helps to mask sensitive card details by generating unique tokens which are then used to perform card transactions in contactless mode at Point Of Sale (POS) terminals, Quick Response (QR) code payments, etc.
These tokens, which are strings of algorithmically generated numbers, themselves do not hold the card details but only point to where the details are stored. Thus, during cyber attacks and thefts, fraudsters would only gain access to these tokens which do not yield any real value.
Tokenisation is also believed to be a more secure and cost-effective mechanism to protecting customer card information when compared to end-to-end encryption. Tokens are not mathematically reversible with a decryption key and PAN data is never displayed.
The RBI guidelines also require cardholder’s express consent to initiate tokenisation. “A card holder may avail of these services by registering the card on the token requestor’s app after giving explicit consent. No charges shall be recovered from the customer for availing this service.”
Interoperability between digital wallets
In October 2018, RBI announced norms for interoperability between pre-paid payment instruments (PPIs) or mobile wallets, enabling the seamless transfer of funds between them.