India Releases Guidelines for Tokenization

The Reserve Bank of India, the central banking institution of the country, has released guidelines for what it calls the “tokenization” of debit and credit card transactions, according to reports.

Tokenization will replace card details with a code, called a “token,” which will be specifically for the card, the token requestor and the device being used to pay.

Instead of the card’s details, the token will act as the card at point of sale (POS) terminals and quick response (QR) code payment systems. The goal of the process is to improve the safety and security of payments.

The bank has offered permission for the process using all types of payment services and methods, including near-field communication (NFC), magnetic secure transmission (MST), in-app payment methods and cloud services.

The service would initially be used through smartphones and tablets, but other devices might be added later, the bank said. To ensure the process is safe and secure, RBI says that tokenization and de-tokenization should only be done by an authorized card network, and the request should be logged and ready for retrieval if needed. A customer shouldn’t have to pay to use the service, the bank added.

“Card networks shall get the card issuers/acquirers, their service providers and any other entity involved in payment transaction chain, certified in respect of changes done for processing tokenized card transactions by them,” the bank said.

RBI said that for banks and card payment networks, there needs to be a way to do a periodic system audit, at least once a year, of all parties involved in the process of providing the service to customers.

Also, RBI wants companies that issue the cards to make sure customers can easily report a loss of an “identified device,” which might lead to unauthorized use of someone’s information or money.

Companies should not force the option or let a customer choose the option by default, the bank said, but the registration of the card as a token should be explicit through an additional factor of authentication.