Regulations

Are the customer card details safe after tokenisation?

Ans. Actual card data, token and other relevant details are stored in a secure mode by the token service provider (card payment network or card issuer). Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices / globally accepted standards.

Who can perform tokenisation and de-tokenisation?

Ans. Tokenisation and de-tokenisation can be performed by the authorised card network or by the card issuer. The list of card networks authorised by RBI to operate in India is available on the RBI website at the link https://www.rbi.org.in/Scripts/PublicationsView.aspx?id=12043.

How does the process of registration for a tokenisation request work?

Ans. The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc. Customer will also be given choice of selecting the use case and setting-up of limits.

Whom shall the customer contact in case of any issues with his / her tokenised card? Where and how can he / she report loss of device?

Ans. All complaints should be made to the card issuers. Card issuers shall ensure easy access to customers for reporting loss of “identified device” or any other such event which may expose tokens to unauthorised usage.

Additional Factor of Authentication (AFA) during e-mandate registration, modification and revocation, as well as for the first transaction extended to recurring payments on UPI

Context: The RBI felt that consumers should have greater agency and visibility into their e-mandates, and thus introduced AFA requirements for each charge in high-ticket billing cycles and stipulated pre-debit notification requirements for all e-mandates. 

The new e-mandate management framework requires that a separate payment flow be instituted for e-mandates above INR 2,000, whereunder the customer manually authenticates each payment in the recurring billing cycle. For payments below INR 2,000, the framework requires customers to be given a pre-notification along with an option to cancel the billing cycle before each payment. 

This circular is applicable for transactions performed using all types of cards – debit, credit and Prepaid Payment Instruments (PPIs), including wallets.

Additional Factor of Authentication (AFA) limit extended from INR 2,000 to INR 5,000.

Processing of recurring transactions (domestic or cross-border) using cards / PPIs / UPI under arrangements / practices not compliant with the aforesaid instructions shall not be continued beyond March 31, 2021.

1.1.1. PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.

1.1.2. PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

Authorisation: The criteria of authorisation has been arrived at based on the role of the intermediary in handling of funds.

PAs are subject to capital requirements, requirements to mandatorily set up escrow accounts, grievance redressal mechanisms and risk management frameworks. The baseline technology-related recommendations for adoption are mandatory for PAs and recommendatory for PGs.

RBI issued clarifications on themes such as applicability, governance, KYC and merchant on-baording, operation of settlement and escrow accounts etc.

Living document listing out PAs with in-principle authorisation, and PAs whose applications were returned / withdrawn / refused.

On a review of the issues involved and after detailed discussions thereon with all stakeholders, as also keeping in view that sufficient time has elapsed since the requirements were specified, the following are advised –

a) There shall be no change in the effective date of implementation of the requirements – all entities, except card issuers and card networks, shall purge the CoF data before October 1, 2022.

b) For ease of transition to an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transactions”), the following are being permitted as an interim measure –

Other than the card issuer and the card network, the merchant or its Payment Aggregator (PA) involved in settlement of such transactions, can save the CoF data for a maximum period of T+4 days (“T” being the transaction date) or till the settlement date, whichever is earlier. This data shall be used only for settlement of such transactions, and must be purged thereafter.

For handling other post-transaction activities, acquiring banks can continue to store CoF data until January 31, 2023.

Second extention of the timeline for purging CoFT data by Merchants and PA/PGs — till September 30, 2022

On a review of the issues involved and after detailed discussions with all stakeholders, RBI observed that: 

(i) considerable progress has been made in terms of token creation. 

(ii) Transaction processing based on tokens has also commenced, though it is yet to gain traction across all categories of merchants. 

(iii) An alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transactions”) has not been implemented by the industry stakeholders, so far.

First extention of the timeline for purging CoFT data by Merchants and PA/PGs — till June 30, 2022 — to allow more time to the industry stakeholders for devising alternate mechanism(s) to handle any use case or post-transaction activity. 

In addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently involves / requires storage of CoF data by entities other than card issuers and card networks.

Context: In its 2019 vision document, the RBI highlighted the need for improved security in card-not-present (CNP) transactions through secure tokenisation solutions, whereunder card details are masked in the form of unique tokens. 

Thereafter, a slew of highly-publicised instances of card data leaks from merchants’ servers prompted the RBI to issue directions on the way sensitive card information of customers could be stored. The RBI’s intended objective was to reduce the number of instances where sensitive card information was stored to reduce security vulnerabilities in the card payments ecosystem. 

1. Permit card issuers (apart from card networks) to offer card tokenisation services as Token Service Providers (TSPs). i.e., the entity which tokenises the actual card credentials and de-tokenises them whenever required. For the purpose of CoFT, the token shall be unique for a combination of card, token requestor and merchant (the term ‘merchant’ refers to the end-merchant or an e-commerce marketplace entity). Further, token requestor and merchant may or may not be the same entity.
2. With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.
3. Card issuers to allow cardholders to view the list of merchants in respect of whom the CoFT has been opted by her / him, and to de-register any such token. This facility shall be provided through one or more of the following channels – mobile application, internet banking, Interactive Voice Response (IVR) or at branches / offices.

Keeping in view the requests of some stakeholders and to prevent any inconvenience to customers, it has been decided, as a one-time measure, to extend the timeline for ensuring full compliance to the framework till September 30, 2021. During the extended timeline, no new mandate for recurring online transactions shall be registered by stakeholders, unless such mandates are compliant with the framework.