On 7 September 2021, the Reserve Bank of India (RBI) issued a directive (CoF directive) extending the existing device-based framework for tokenisation to card-on-file tokenisation (CoFT).
The CoF directive followed the RBI’s decision in a circular dated 25 August 2021 (the extension circular) to extend the scope of devices on which tokenisation of card transactions may be permitted to consumer devices, including laptops, desktops, wearables (such as wristwatches and bands) and internet of things (IoT) devices.
Tokenisation is the process by which the real card details of a customer are replaced with a unique identifier called a token. Such a token may be used by the customer instead of the underlying card details to make card payments. Conceptually, tokenisation is intended to create a framework that allows a cardholder to make card payments without disclosing sensitive card numbers and details to merchants and intermediaries, other than the card network, in the payment process. Tokenisation provides for a more secure ecosystem enabling merchants to process payments without storing card details, which has until now been the market practice.
The RBI initially discussed tokenisation as a framework in a circular dated 8 January 2019 (tokenisation circular). Under the tokenisation circular, the RBI permitted authorised card payment networks to provide tokenisation services to any token requestor, or third-party app provider, for a wide range of use cases, including contactless payments, QR-code based payments and in-app payments, subject to certain conditions. The tokenisation circular clearly demonstrated the RBI's intention of masking card details from merchants, by stipulating that token requestors should not store permanent account numbers (PAN) or any other card details in the process. It limited the provision of tokenisation services to mobile phones and tablets only, presumably in view of the perceived security risks in enabling such services on other devices. It also provided for a system of certification, based on international best practices and globally accepted standards, for token requestors, card issuers, acquirers, their service providers and any other entity involved in the payment chain, in respect of changes made by them to process tokenised card transactions. The responsibility for such certification rests with the card network.
Although tokenisation as a mechanism has been available to card payment networks since 2019 following the issue of the tokenisation circular, it has now become central to the survival of the card payments industry. On 17 March 2020, the RBI issued the Guidelines on Regulation of Payment Aggregators and Payment Gateways (the PA-PG guidelines). Under the PA-PG guidelines, the RBI put in place a full licensing regime for payment aggregators (PA) and set out baseline technology-related recommendations for payment gateways (PG). The PA-PG guidelines include a prohibition on merchants saving customer card credentials and other related data, and a prohibition on PAs storing customer card credentials within their database or a server accessed by the merchants.
The complete ban on storing card data by merchants created many questions in the industry on the feasibility of card payment transactions going forward. Requiring customers to enter complete card payment details for every card payment transaction would significantly affect the convenience and ease of use of cards as payment instruments.
The RBI subsequently issued clarifications to the PA-PG guidelines on 17 September 2020 clearly stating that (i) merchants are not allowed to store payment data, irrespective of whether they are compliant with the Payment Card Industry Data Security Standard (PCI-DSS), and (ii) PAs cannot store customer card credentials within their databases or servers even where such servers and databases cannot be accessed by merchants. This effectively resulted in a complete ban on storage of card data even by licensed PA entities. Storage of payment data by merchants and PAs was only permitted for the limited purpose of transaction tracking in compliance with the applicable standards.
The RBI has directed all payment system providers and payment system participants to put in place workable solutions, such as tokenisation within the framework set out in the tokenisation circular and the extension circular to enable card-linked payment transactions. The smooth and efficient implementation of tokenisation systems will be critical for the card payments industry to ensure that cards continue to offer a convenient and easy to navigate customer experience for transactions, without compromising the security of sensitive financial data in the process.
The CoF directive provides for the following key additions to the existing framework on tokenisation:
To ensure the security of card data, the CoF directive stipulates that tokenisation and detokenisation shall be performed only by the authorised card network.
The CoF directive provides that with effect from 1 January 2022, no entity in the transaction chain other than the card issuer or the card network shall store the actual card data. Any such data stored previously must be purged. For transaction tracking or reconciliation purposes, entities may store limited data, that is, the last four digits of the actual card number and the card issuer's name, in compliance with the applicable standards. The timeline for the prohibition on storage of card data by merchants is in line with the timeline for implementation of the PA-PG guidelines. The responsibility for complete and ongoing compliance with these measures rests with the card networks.
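To make the division of responsibilities concrete, the following is an added illustration (not code from the RBI, any card network or the article's author) of the model described above: tokenisation and detokenisation happen only inside a vault held by the card network, the token is random and not derivable from the PAN, and a merchant or PA that migrates a legacy card-on-file record may retain only the token, the last four digits and the issuer name. The class and function names, the token format (real network tokens are PAN-shaped numbers in a token BIN range; a random string is used here for simplicity), the requestor binding on detokenisation and the sample card data (Visa's published test number and a made-up issuer) are all assumptions for the example.

```python
import re
import secrets

# Constructed sample data: Visa's well-known test number, not a real card,
# and an invented issuer name.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "12/27"
SAMPLE_ISSUER = "Example Bank"

# Fields a merchant or PA may keep after tokenisation (token plus the
# limited tracking data: last four digits and issuer name).
ALLOWED_FIELDS = {"token", "last4", "issuer_name"}

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used here to recognise PAN-shaped digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_full_pan(record: dict) -> bool:
    """True if any string value in the record holds a Luhn-valid PAN."""
    for value in record.values():
        if isinstance(value, str):
            cleaned = value.replace(" ", "").replace("-", "")
            if any(luhn_valid(run) for run in PAN_RE.findall(cleaned)):
                return True
    return False


class CardNetworkVault:
    """Hypothetical token vault operated by the card network only."""

    NETWORK_ID = "card-network"

    def __init__(self) -> None:
        self._vault = {}  # token -> (pan, expiry, requestor_id)

    def tokenise(self, pan: str, expiry: str, requestor_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a PAN")
        # Random token: nothing about the PAN can be recovered from it.
        token = "tok_" + secrets.token_urlsafe(12)
        self._vault[token] = (pan, expiry, requestor_id)
        return token

    def detokenise(self, token: str, caller_id: str, requestor_id: str):
        """Only the network may map a token back; the token is also bound
        to the requestor it was issued to (assumed domain restriction)."""
        if caller_id != self.NETWORK_ID:
            raise PermissionError("detokenisation is reserved to the card network")
        pan, expiry, owner = self._vault[token]
        if owner != requestor_id:
            raise PermissionError("token not issued to this requestor")
        return pan, expiry


def can_detokenise(vault: CardNetworkVault, token: str, caller_id: str, requestor_id: str) -> bool:
    try:
        vault.detokenise(token, caller_id, requestor_id)
        return True
    except PermissionError:
        return False


def migrate_legacy_record(legacy: dict, vault: CardNetworkVault, requestor_id: str) -> dict:
    """Replace a stored card-on-file record with the permitted subset."""
    token = vault.tokenise(legacy["pan"], legacy["expiry"], requestor_id)
    return {
        "token": token,
        "last4": legacy["pan"][-4:],
        "issuer_name": legacy["issuer_name"],
    }


def record_is_compliant(record: dict) -> bool:
    """No fields beyond the permitted set and no full PAN anywhere in it."""
    return set(record) <= ALLOWED_FIELDS and not contains_full_pan(record)


if __name__ == "__main__":
    vault = CardNetworkVault()
    legacy = {"pan": SAMPLE_PAN, "expiry": SAMPLE_EXPIRY, "cvv": "123", "issuer_name": SAMPLE_ISSUER}
    migrated = migrate_legacy_record(legacy, vault, "merchant-42")
    print("legacy record holds a PAN:", contains_full_pan(legacy))
    print("migrated record compliant:", record_is_compliant(migrated))
    print("merchant may detokenise:", can_detokenise(vault, migrated["token"], "merchant-42", "merchant-42"))
    print("network may detokenise:", can_detokenise(vault, migrated["token"], CardNetworkVault.NETWORK_ID, "merchant-42"))
```

The `contains_full_pan` scan is the kind of check a merchant or PA would run over its own database before the purge deadline: it flags any Luhn-valid 13 to 19 digit run regardless of which column it sits in, so a PAN hiding in a free-text notes field is caught as well as one in a dedicated column.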
The expansion of the tokenisation framework by way of the CoF directive is expected to provide for a more level playing field between card networks and UPI-based payment service providers in the payments space, by improving data security in card transactions, while providing the same degree of convenience to customers. The move is also anticipated to reduce the compliance burden for merchants, by reducing the number of components in their systems to which the requirements under the PCI-DSS apply.
Tokenisation, as a means to secure sensitive financial data, has been employed with varying degrees of success in numerous jurisdictions, with cases ranging from retail payment systems in Canada and Australia to mass transit systems in Singapore and the United Kingdom. The Indian market can leverage the experience of global payment service providers. However, there is a genuine concern around whether the implementation date of 1 January 2022 gives the market and relevant card network operators sufficient time to successfully implement a tokenisation framework. The RBI may wish to consider extending these timelines based on market feedback and the readiness on the ground.
This article was originally published in IBLJ on 18 November 2021. Written by: Shilpa Mankar Ahluwalia, Partner.
This is intended for general information purposes only. The views and opinions expressed in this article are those of the author/authors and do not necessarily reflect the views of the firm.