RBI permits the card networks for tokenisation in card transactions for a specific use case

Jan 09, 2019 | by Avantis RegTech Legal Research Team


Reserve Bank of India (RBI) on January 08, 2019 has permitted card networks for tokenisation in card transactions for a specific use case in order to improve safety and security of card transactions.

It has now been decided by RBI to permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider), subject to the conditions listed in Annex 1 (page 3). This permission extends to all use cases / channels [e.g., Near Field Communication (NFC) / Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.). For the present, this facility shall be offered through mobile phones / tablets only.

All extant instructions of RBI on safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry shall be applicable for tokenised card transactions also. All other instructions related to card transactions shall be applicable for tokenised card transactions as well.

No charges should be recovered from the customer for availing this service.

Before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system (including security) audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers. This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and all related instructions of RBI in respect of system audits shall also be adhered to. A copy of this audit report shall be furnished to the Reserve Bank, with comments of auditors on deviations, if any, from the conditions listed in Annex 1, along with the compliance thereto. Further, a report on the details provided in Annex 2 (page 6) shall be submitted at monthly intervals to the Chief General Manager, RBI, Department of Payment and Settlement Systems, Central Office, Mumbai and by email.

[DPSS.CO.PD No.1463/02.14.003/2018-19(RBI/2018-19/103)]

URL: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT103FB1ACF7FF52B4F77BF82BDE43375F3AE.PDF


Bookmark

Related Updates



Alternate Text

Get updates on the go on RuleZbook Mobile App.