The Reserve Bank of India (RBI) on Tuesday enhanced its card tokenization service guidelines to improve the security of the payment system. In a press release, RBI announced that the device-based tokenization framework set out in its circulars of January 2019 and August 2021 has been expanded to include card-on-file tokenization (CoFT) services. In addition, card issuers are permitted to offer card tokenization services as token service providers (TSPs).
“The tokenization of card data takes place with the express consent of the customer, which requires an additional authentication factor (AFA),” said RBI.
The press release states that the above improvements are expected to increase the security of card data while maintaining the convenience of card transactions.
Citing the convenience factor for users in performing online card transactions, RBI said that many of the companies involved in the card payment transaction chain store actual card data, also known as card-on-file (CoF).
“In fact, some retailers force their customers to save card details. The availability of such data at a large number of merchants increases the risk of card data theft significantly. In the recent past there have been incidents where card data stored at some merchants has been compromised / leaked. Any leak of CoF data can have serious consequences as many jurisdictions do not require AFA for card transactions. Stolen card data can also be used to commit fraud in India through social engineering techniques,” the statement said.
The RBI therefore decided in March 2020 that authorized payment aggregators and the merchants they brought on board should not store any actual card data.
“This would minimize weak points in the system. At the request of the industry, the deadline was extended once to the end of December 2021. The RBI has consulted regularly with the industry in order to facilitate the transition,” the release said.
The RBI determined that the introduction of CoFT will offer customers the same convenience as before, while at the same time improving customer data security.
“Contrary to some concerns raised in certain sections of the media, there would be no need to enter card details for every transaction under the tokenization agreement. The Reserve Bank’s efforts to deepen digital payments in India and make such payments safe and efficient will continue,” the release added.