The Reserve Bank of India (RBI) on Tuesday tightened guidelines on card tokenization services to improve the safety and security of the payment system.
In a statement, RBI said the device-based tokenization framework advised by the circulars of January 2019 and August 2021 has also been extended to Card-on-File Tokenization (CoFT) services.
In addition, card issuers have been allowed to offer card tokenization services as token service providers (TSPs).
“Tokenization of card data must be done with the explicit consent of the customer requiring an additional authentication factor (AFA),” RBI said.
The release says the above improvements are expected to enhance the safety and security of card data while continuing the convenience of card transactions.
RBI said that, citing user convenience in online card transactions, many entities involved in the card payment transaction chain store the actual card details (also known as Card-on-File (CoF)).
“In fact, some merchants force their customers to store card details. Having these details available to a large number of merchants greatly increases the risk of card data theft. In the recent past, there have been incidents where the card data stored by some merchants has been compromised / leaked. Any CoF data leak can have serious repercussions as many jurisdictions do not require AFA for card transactions. Stolen card data can also be used to perpetrate fraud in India through social engineering techniques,” the statement said.
The Reserve Bank therefore stipulated in March 2020 that authorized payment aggregators and the merchants they onboard should not store actual card data.
“This would reduce the vulnerabilities of the system. At the request of the industry, the deadline has been extended to the end of December 2021, as a one-time measure. RBI has regularly consulted with the industry to facilitate the transition,” the release said.
RBI noted that the introduction of CoFT, while improving the security of customer data, will provide customers with the same level of convenience as today.
“Contrary to some concerns expressed in some sections of the media, it would not be mandatory to enter card details for every transaction as part of the tokenization deal. The Reserve Bank’s efforts to deepen digital payments in India and make these payments safe and efficient will continue,” the statement added.