The Reserve Bank of India (RBI) on Tuesday enhanced its guidelines on card tokenization services to improve payment system security. In a statement, RBI said that the recommended device-based tokenization framework (see the circulars of January 2019 and August 2021) has been extended to card-on-file tokenization (CoFT) services as well. In addition, card issuers have been authorized to offer card tokenization services as Token Service Providers (TSPs).
“Tokenization of card data must be done with the explicit consent of the customer, requiring Additional Authentication Factor (AFA),” said RBI.
The statement said these enhancements should strengthen card data security while preserving convenience in card transactions.
The RBI said that, citing convenience and comfort for users carrying out card transactions online, many entities involved in the card payment transaction chain can store actual card details, also known as card on file (CoF).
“In fact, some merchants force their customers to store card details. The availability of these details with a large number of merchants substantially increases the risk of card data theft. some merchants have been compromised / leaked. Any CoF data leak can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate fraud in India through social engineering techniques,” said the statement.
The RBI therefore stipulated in March 2020 that authorized payment aggregators and their integrated merchants should not store actual card data.
“This would minimize vulnerabilities in the system. At the request of the industry, the deadline was extended to the end of December 2021, as a one-time measure. RBI has been in regular consultation with the industry to facilitate the transition,” the release said.
The RBI noted that the introduction of CoFT, while improving the security of customer data, will provide customers with the same degree of convenience as now.
“Contrary to some concerns expressed in certain sections of the media, there would be no need to enter card details for every transaction under the tokenization agreement. Reserve Bank’s efforts to deepen digital payments in India and make these payments secure and efficient should continue,” added the statement.