Background

The RBI initially discussed tokenisation as a framework in a circular dated 8 January, 2019 (tokenisation circular). Under the tokenisation circular, the RBI permitted authorised card payment networks to provide tokenisation services to any token requestor, or third-party app provider, for a wide range of cases, including contactless payments, QR-code based payments and in-app payments, subject to certain conditions. The tokenisation circular clearly demonstrated the RBI’s intention of masking card details from merchants, by stipulating that token requestors should not store permanent account numbers (PAN) or any other card details in the process. It limited the provision of tokenisation services only in the case of mobile phones and tablets, presumably in view of the perceived security risks in enabling such services on these devices. It also provided for a system of certification, based on international best practices and globally accepted standards, for token requestors, card issuers, acquirers, their service providers and any other entity involved in the payment chain, in respect of changes made by them to process tokenised card transactions. The responsibility for such certification rests with the card network.

Although tokenisation as a mechanism has been available to card payment networks since 2019 following the issue of the tokenisation circular, it has now become central to the survival of the card payments industry. On 17 March 2020, the RBI issued the Guidelines on Regulation of Payment Aggregators and Payment Gateways (the PA-PG guidelines). Under the PA-PG guidelines, the RBI put in place a full licensing regime for payment aggregators (PA) and set out baseline technology-related recommendations for payment gateways (PG). The PA-PG guidelines include a prohibition on merchants saving customer card credentials and other related data, and a prohibition on PAs storing customer card credentials within their database or a server accessed by the merchants.

The complete ban on storing card data by merchants created many questions in the industry on the feasibility of card payment transactions going forward. Requiring customers to enter complete card payment details for every card payment transaction would significantly affect the convenience and ease of use of cards as payment instruments.

The RBI subsequently issued clarifications to the PA-PG guidelines on 17 September 2020 clearly stating that (i) merchants are not allowed to store payment data, irrespective of whether they are compliant with the Payment Card Industry Data Security Standard (PCI-DSS), and (ii) PAs cannot store customer card credentials within their databases or servers even where such servers and databases cannot be accessed by merchants. This effectively resulted in a complete ban on storage of card data even by licensed PA entities. Storage of payment data by merchants and PAs was only permitted for the limited purpose of transaction tracking in compliance with the applicable standards.

The RBI has directed all payment system providers and payment system participants to put in place workable solutions, such as tokenisation within the framework set out in the tokenisation circular and the extension circular to enable card-linked payment transactions. The smooth and efficient implementation of tokenisation systems will be critical for the card payments industry to ensure that cards continue to offer a convenient and easy to navigate customer experience for transactions, without compromising the security of sensitive financial data in the process.

Key provisions of the CoF directive

The CoF directive provides for the following key additions to the existing framework on tokenisation:

• The device-based tokenisation framework has been extended to CoFT. For the purpose of CoFT, the token shall be a unique combination of card, token requestor and merchant;
• In addition to card networks, card issuers are also permitted to offer tokenisation services as token service providers (TSP), only for the cards issued by or affiliated with them;
• Tokenisation of card data shall be done with explicit customer consent, requiring an additional factor of authentication (AFA) validated by the card issuer. If the card payment for a purchase transaction at a merchant is being performed at the same time as the registration for CoFT, the AFA validation may be combined;
• The ability to tokenise and detokenise card data lies with the same TSP;
• The merchant shall give an option to the cardholder to deregister the token. Further, a token requestor having a direct relationship with the cardholder shall list the merchants in respect of whom the CoFT has chosen through it by the cardholder, and provide an option to deregister any such token;
• Whenever a card is renewed or replaced, the card issuer shall seek explicit consent of the cardholder to link it with the merchants with whom the card had earlier been registered.
• TSPs shall put in place a mechanism to ensure that the transaction request has originated from the merchant and the token requestor with whom the token is associated.

To ensure the security of card data, the CoF directive stipulates that tokenisation and detokenisation shall be performed only by the authorised card network.

Timeline for compliance

The CoF directive provides that with effect from 1 January 2022, no entity in the transaction chain other than the card issuer or the card network shall store the actual data. Any such data stored previously must be purged. For transaction tracking or reconciliation purposes, entities can store limited data, that is the last four digits of the actual card number and the card issuer’s name, in compliance with the applicable standards. The timeline for the prohibition on storage of card data by merchants, is in line with the timeline for implementation of the PA-PG guidelines. The responsibility for complete and ongoing compliance with these measures rests with the card networks.

The way forward

The expansion of the tokenisation framework by way of the CoF directive is expected to provide for a more level playing field between card networks and UPI-based payment service providers in the payments space, by improving data security in card transactions, while providing the same degree of convenience to customers. The move is also anticipated to reduce the compliance burden for merchants, by reducing the number of components in their systems to which the requirements under the PCI-DSS apply.

Tokenisation, as a means to secure sensitive financial data, has been employed with varying degrees of success in numerous jurisdictions, with cases ranging from retail payment systems in Canada and Australia to mass transit systems in Singapore and the United Kingdom. The Indian market can leverage the experience of global payment service providers. However, there is a genuine concern around whether the implementation date of 1 January 2022 gives the market and relevant card network operators sufficient time to successfully implement a tokenisation framework. The RBI may wish to consider extending these timelines based on market feedback and the readiness on the ground.

This article was originally published in IBLJ on 18 November 2021 Written by: Shilpa Mankar Ahluwalia, Partner. Click here for original article

Read Less-