RBI Extends Deadline for Implementation of Card Tokenization Till Sept 30, 2022
In this article, we discuss the new mandate by the Reserve Bank of India (RBI) regarding the usage mechanism of credit and debit cards by the individuals in India, applicable from October 1, 2022. As per the mandate, online commerce platforms will be required to delete card-on-file credentials. We also explain how card tokenization could be implemented to manage the new data storage compliance in India, and highlight scope for fintech businesses.
The Reserve Bank of India (RBI) issued a notification in September 2021 on the changes to the usage mechanism of credit and debit cards by the individuals in India. These new changes will be applicable from October 1, 2022. Previously, this mandate was from January 1, 2022, however, it has since been extended twice, first till June 30 and subsequently by another three months till September 30, 2022. This extension follows the feedback provided by stakeholders to the RBI, citing issues related to implementation of the framework in respect of guest checkout transactions.
Through various subsequent notifications post September 2021, the RBI has revised its guidelines on online data storage, affecting digital payments compliance for card issuers and online merchants.
The RBI has encouraged the fintech industry to utilize this time extension for:
- Facilitating all stakeholders to be ready for handling tokenized transactions
- Processing transactions based on tokens
- Implementing an alternate mechanism
- Handling all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve /require storage of CoF data by entities other than card issuers and card networks
- Creating public awareness about the process of creating tokens and using them to undertake transactions
Why is the RBI asking online commerce platforms to delete card-on-file credentials and how will individuals and businesses be affected?
The RBI is asking online commerce platforms to delete card-on-file credentials. This will affect all online merchants like Amazon and Flipkart; payment aggregators like Google Pay and Paytm; and streaming giants like Netflix and Hotstar, among others. The RBI requires them to delete customer card (debit/credit card) credentials (also known as Card-on-File /CoF), like the 16-digit card number and expiry date available at their end, to make the online shopping or transaction experience more secure for individuals.
According to the RBI’s guidelines, “no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the actual card data. Any such data stored previously shall be purged.” However, the RBI has clarified that for transaction tracking and/or reconciliation purposes, entities can store limited data – the last four digits of the actual card number and the card issuer’s name – in compliance with the applicable financial regulatory standards.
The new digital payments compliance comes in effect in India in 2022. Is there a solution to simplify transactions in a secure manner?
October 1, 2022 onwards, individuals making digital payments in India have to enter all their details manually each time. However, to ensure consumer ease while transacting online and to avoid the hassle of entering the details every time – the RBI has offered merchants and companies the option to tokenize transactions. This tokenization only applies to domestic online purchases.
According to the rules introduced by the RBI, merchants and payment aggregators can use encrypted tokens to carry out transactions. This system of Card Tokenization was first announced in 2019 and was limited to electronic devices like mobile phones and tablets. However, in August 2021, the RBI extended this facility to other devices, such as laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc.
What is card tokenization?
Tokenization refers to the replacement of actual card details with a unique alternate code called the “token” – a combination of card, token requestor, and the identified (authorized) device.
In this process, the card details will be converted into a unique token that is specific to the individual’s card and only to one merchant at a time. This token masks the true details of the individual’s card, thereby eliminating scope for misuse. It can be saved on the online portal’s server.
How can tokenization assist with card-on-file compliance and ensure easy and secure digital payment transactions for customers?
For the purpose of CoF tokenization, the token must be unique for a combination of card, token requestor, and merchant. Here, the term “merchant” refers to the end-merchant. In the case of an e-commerce marketplace entity, the merchant refers to the said e-commerce entity. Further, the token requestor and merchant may or may not be the same entity.
What are the latest RBI guidelines on card-on-file / CoF tokenization?
According to the RBI circular, the earlier device-based tokenization framework, which is applicable to devices like mobiles, laptops, tablets, IoT devices etc. is now extended to CoF tokenization as well.
- The debit/credit card issuers will be permitted to offer card tokenization services as Token Service Providers (TSPs).
- These TSPs will be permitted to offer the facility of tokenization for only those cards issued by or affiliated to them.
- The TSPs will have the sole authority to tokenize and detokenize the card data.
- It is important to note that tokenization of card data shall be done with explicit customer consent and requiring Additional Factor of Authentication (AFA) validation by the card issuer.
What are the conditions for card tokenization /detokenization?
Tokenization – de-tokenization service
- Tokenization and de-tokenization shall be performed only by the authorized card network and recovery of original Primary Account Number (PAN) should be feasible for the authorized card network only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa by anyone except the card network. The integrity of the token generation process shall be ensured at all times.
- Tokenization and de-tokenization requests should be logged by the card network and available for retrieval, if required.
- Actual card data, token, and other relevant details shall be stored in a secure mode. Token requestors shall not store PAN or any other card detail.
Certification of systems of card issuers/acquirers, token requestors and their app, etc.
The card network shall get the token requestor certified for:
- Token requestor’s systems, including hardware deployed for this purpose.
- Security of token requestor’s application.
- Features for ensuring authorized access to token requestor’s app on the identified device.
- Other functions performed by the token requestor, including customer on-boarding, token provisioning and storage, data storage, transaction processing, etc.
Card networks shall get the card issuers/acquirers, their service providers and any other entity involved in payment transaction chain, certified in respect of changes done for processing tokenized card transactions by them.
All certification/security testing by the card network shall conform to international best practices/globally accepted standards.
Registration by customer
- Registration of the card on the token requestor’s app shall be done only with explicit customer consent through AFA, and not by way of a forced/default/automatic selection of check box, radio button, etc.
- AFA validation during card registration as well as for authenticating any transaction shall be as per existing RBI instructions for authentication of card transactions.
- Customers shall have option to register/de-register their card for a particular use case, that is, contactless, QR code based, in-app payments, etc.
- Customers shall be given the option to set and modify per transaction and daily transaction limits for tokenized card transactions.
- Suitable velocity checks (that is, how many such transactions will be allowed in a day/week/month) may be put in place by card issuers/card network as considered appropriate, for tokenized card transactions.
- For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.
Secure storage of tokens
- Secure storage of tokens and associated keys by token requestor on successful registration of card shall be ensured.
Customer service and dispute resolution
- Card issuers shall ensure easy access to customers for reporting loss of “identified device” or any other such event that may expose tokens to unauthorized usage. Card networks, along with card issuers and token requestors, shall put in place a system to immediately deactivate such tokens and associated keys.
- Dispute resolution process shall be put in place by card networks for tokenized card transactions.
Safety and security of transactions
- Card networks shall put in place a mechanism to ensure that the transaction request has originated from an “identified device”.
- Card networks shall ensure monitoring to detect any malfunction, anomaly, suspicious behavior, or the presence of unauthorized activity within the tokenization process and implement a process to alert all stakeholders.
- Based on risk perception, card issuers may decide whether to allow cards issued by them to be registered by a token requestor.
How are stakeholders responding to this new mandate of CoF data deletion?
Citing “large scale disruption” and “mayhem” in the online payments space, merchants, banks, card providers, payment gateways, and other stakeholders gave complained about not being provided enough time to make the required backend and cyber security infrastructure changes. Consequently, all stakeholders have expressed concern about losing customer base. The Economic Times speculated this to be about “5 million customers – the most frequent online spenders in India and the biggest – who have stored their card details with service providers will likely be impacted the most”. Consequently the RBI extended the implementation deadline from January 1, 2022 to June 30, 2022.
It is expected that with mandatory deletion of all CoF data, customers could either switch to UPI-based payments or go back to cash-on-delivery. Another anticipation is with respect to disruption in equated monthly instalments (EMIs) that customers pay through stored cards for purchases as well as buy-now-pay-later (BNPL) options. Moreover, the process of refund initiated at the end of online merchant could become more troublesome.
It is reported that “global and local companies represented by trade bodies such as NASSCOM and the Alliance of Digital India Foundation (ADIF) will seek a phased implementation of the new mandate and a minimum timeframe of two years for the transition.”
How can card tokenization prove to be an opportunity for fintech?
Meanwhile, seizing the opportunity, fintech giant Pine Labs has launched a tokenization solution called Plural Tokenizer, which will work across leading card networks. Products under the brand “Plural” will offer an integrated omnichannel payment experience for brands across offline and online platforms, offering multiple payment choices and BNPL integration to customers.
Further, Mastercard and Google too have rolled out tokenization that will enable Google Pay users to safely transact using their Mastercard credit and debit cards.
Payments and API banking solutions company, Cashfree Payments, is also working with Mastercard and Visa to develop its tokenization solution “Token Vault”.
This article was originally published on December 28, 2021. It was last updated August 5, 2022.
India Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in Delhi and Mumbai. Readers may write to firstname.lastname@example.org for more support on doing business in in India.
We also maintain offices or have alliance partners assisting foreign investors in Indonesia, Singapore, Vietnam, Philippines, Malaysia, Thailand, Italy, Germany, and the United States, in addition to practices in Bangladesh and Russia.