New Delhi: In a move aimed at enhancing the safety and security of the payment systems in the country, the Reserve Bank of India (RBI) on Tuesday issued guidelines on the use of tokenisation – a way to mask sensitive card data with unique symbols or elements.
The tokenisation for debit/credit/prepaid card transactions will be used to perform the transactions in contactless mode at point of sale (PoS) terminals, for quick response (QR) code payments, etc.
For now, this facility will be offered only through mobile phones and tablets and its extension to other devices will be examined by the regulator later, based on experience gained, RBI said.
As per the guidelines, tokenisation and de-tokenisation will be performed only by the authorised card network and recovery of original Primary Account Number (PAN) would be feasible for the authorised card network.
In order to ensure security of data, RBI said adequate safeguards will be put in place such that PAN cannot be found out from the token and vice versa, by anyone except the card network. Any actual card data, token and other relevant details will be stored in a secure mode, and token requestors will not be allowed to store PAN or any other card detail.
These guidelines permit authorised card payment networks to offer card tokenisation services to any token requestor (third party app provider), subject to conditions.
A card holder can avail these services by registering the card on the token requestor’s app after giving explicit consent. The RBI has clarified that no charges will be recovered from the customer for availing the service.
All existing instructions of the RBI on safety and security of card transactions, including mandate for Additional Factor of Authentication (AFA) / PIN entry, will continue to be applicable for tokenised card transactions also.