RBI Releases Guidelines on Tokenization for Card Transactions
The Reserve Bank of India has issued a directive under Section 10 (2) read with Section 18 of the Payment and Settlement Systems Act, 2007, permitting authorized payment networks to offer tokenization services to any token requestor in payment card transactions, subject to the conditions enumerated in the directive. The directive is intended to further improve the security of card data in payment card transactions.
The token requestors will be third-party application providers, and initially the facility will be limited to mobile phones and/or tablets serving the following payment channels:
- Contactless transactions over Near Field Communication (NFC) / Magnetic Secure Transmission (MST)
- QR code-based transactions
- In-app payment transactions
- Point of Sale Terminals
What is “Tokenization”?
Tokenization is the replacement of the actual, sensitive card details with an alternate code called the “token”. A token is always unique to one combination of card, token requestor (i.e. the application provider) and device.
How does Tokenization work?
What Does This Directive Offer to Your End Customers/Card Holders?
RBI has given the end customer the option to register or de-register for the tokenization service for a specific payment channel, after giving explicit consent; organizations should not force the option on the customer or enable it by default.
An additional factor of authentication (AFA) should be used during the card registration process. Beyond this second-factor authentication at registration, the card network will also have to perform an additional factor of authentication during the transaction itself.
RBI has also given the end customer the option to set and modify per-transaction and daily transaction limits for tokenized card transactions.
Mandatory Conditions for Card Issuers, Card Networks and Token Requestors as per the Directive:
Tokenization and de-tokenization are performed only by authorized card networks, which means that token requestors do not store the card number or other card details in their environment. The card details are stored only with the authorized card network, with adequate security controls in place, and additional safeguards must ensure that the card number cannot be derived from the token, or vice versa, by anyone except the card network. The token requestor must ensure that tokens and associated keys are stored securely.
The confidentiality and integrity of the token generation process must be maintained. All tokenization and de-tokenization requests must be logged by the card network and be available for retrieval when required.
The card network must deploy controls to ensure the authenticity of the “device” originating a transaction request, and must run a continuous monitoring process to detect any malfunction, anomaly, suspicious behaviour or unauthorized activity within the tokenization process, with a process to alert all relevant stakeholders.
The card network must provide a resolution process to customers for tokenized card transactions.
Before providing card tokenization services, authorized card payment networks must deploy a mechanism for a periodic system and security audit, at least annually, of all entities involved in providing card tokenization services to end customers. This audit shall be undertaken by auditors empanelled by the Indian Computer Emergency Response Team (CERT-In). A copy of the audit report must be submitted to the Reserve Bank of India.
Card issuers as per their risk assessment may decide whether to allow cards issued by them to be registered by a token requestor.
Card issuers must set up a process for customers to report the loss of a “device” or any other event that may expose tokens to unauthorized usage. The card network, along with card issuers and token requestors, must immediately de-activate such tokens and their associated keys.
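As an added illustration (not code from the directive or from this article), the following Python model sketches the roles laid out in the definition of tokenization and in the conditions above: a card network that alone holds card numbers (PANs), issues a random token per card/requestor/device combination and logs every tokenize and de-tokenize request; and a token requestor that stores only tokens plus the customer's per-transaction and daily limits, with a device-loss report de-activating the affected tokens. All class names, the sample PAN and the limits are constructed for the example.

```python
import secrets

class CardNetwork:  # the only party holding PANs; performs tokenize / de-tokenize
    def __init__(self):
        self._by_token = {}    # token -> {"pan", "requestor", "device", "active"}
        self._by_triple = {}   # (pan, requestor, device) -> token
        self.log = []          # every tokenize / de-tokenize request is recorded

    def tokenize(self, pan, requestor, device):
        key = (pan, requestor, device)       # one token per card + requestor + device
        if key not in self._by_triple:
            token = secrets.token_hex(8)     # random: PAN cannot be derived from it
            self._by_triple[key] = token
            self._by_token[token] = {"pan": pan, "requestor": requestor,
                                     "device": device, "active": True}
        self.log.append(("tokenize", requestor, device, self._by_triple[key]))
        return self._by_triple[key]

    def authorize(self, token, requestor, device):
        e = self._by_token.get(token)        # de-tokenize here; PAN never leaves
        ok = bool(e and e["active"] and e["requestor"] == requestor and e["device"] == device)
        self.log.append(("detokenize", requestor, device, token, ok))
        return ok                            # issuer authorization on e["pan"] follows

    def report_device_lost(self, requestor, device):  # de-activate that device's tokens
        hits = [e for e in self._by_token.values() if e["active"]
                and e["requestor"] == requestor and e["device"] == device]
        for e in hits: e["active"] = False
        return len(hits)

class TokenRequestor:  # wallet app: holds tokens and customer-set limits, never the PAN
    def __init__(self, name, network):
        self.name, self.network = name, network
        self.tokens, self.limits = {}, {}    # device -> token; token -> (per_txn, daily)
        self.spent = {}                      # (token, day) -> amount spent that day

    def register(self, pan, device, per_txn, daily):
        token = self.network.tokenize(pan, self.name, device)
        self.tokens[device], self.limits[token] = token, (per_txn, daily)
        return token

    def pay(self, device, amount, day):
        token = self.tokens[device]
        per_txn, daily = self.limits[token]
        if amount > per_txn or self.spent.get((token, day), 0) + amount > daily:
            return False                     # customer-set limits enforced first
        if not self.network.authorize(token, self.name, device):
            return False                     # inactive or mismatched token
        self.spent[(token, day)] = self.spent.get((token, day), 0) + amount
        return True
```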
Certification Requirements for Card Issuers / Acquirers, Token Requestors and Their Application As Per The Directive:
The directive mandates that the card network must get the third-party token requestor certified for:
- Token requestor’s systems, including hardware deployed for this purpose
- Security of token requestor’s application
- Features for ensuring authorized access to token requestor’s application on the identified device
- Other functions performed by the token requestor such as customer onboarding, token provisioning and storage, data storage, transaction processing, etc.
Card networks must get the card issuers/acquirers and their service providers certified in respect of the changes made for processing tokenised card transactions.
All certification/security testing by the card network must be in line with international best practices and globally accepted standards. Industry-accepted standards such as PCI DSS, ISO 27001 and the OWASP Top 10 can help organizations build appropriate security measures to participate in tokenization processing.
How Can We Help?
Network Intelligence offers an array of cybersecurity services that can help organizations secure their systems, applications and tokenization process, thereby making them compliant with the RBI guidelines.
Network Intelligence holds credentials such as CERT-In empanelled auditor and PCI QSA to perform the mandatory system and security audit of organizations and assess their end-to-end tokenization process.
Network Intelligence has proven experience in application and network security assessment, and has consultants with OSCP and CREST credentials to assess your mobile applications and IT infrastructure by performing penetration testing against industry-accepted standards.
Contact us at [email protected] for more information.
Also, you can view our latest report on ‘Annual Cybersecurity Trends & Predictions 2019’ here – https://www.niiconsulting.com/annual-cybersecurity-report-2019.php