New guidelines for users of debit and credit cards: Only with the explicit approval of the customer is it possible to register for a tokenisation request using an additional factor of authentication (AFA).
The Reserve Bank of India (RBI) has mandated that by September 30 of this year, all credit and debit card information used for online, in-app, and point-of-sale transactions must be replaced with distinct tokens. Beginning in July, the deadline was extended by three months.
What you need to know about the new regulations for users of debit and credit cards that go into effect in October is provided below:
What is card tokenisation?
The RBI defines tokenisation as the process of replacing actual card information with a different code known as the “token.”
What advantages does tokenisation offer?
Since the real card details are not given to the merchant when completing the transaction, tokenized card transactions are thought to be safer.
How is tokenisation carried out?
By starting a request on the app that the token requestor has provided, the cardholder can have their card tokenised. The token requestor will send the request to the card network, which will provide a token matching the combination of the card, the token requestor, and the device with the approval of the card issuer.
What fees does the consumer have to pay in order to use this service?
The customer is not required to pay anything to use this service.
Who has the ability to tokenise?
Only authorised card networks are permitted to do tokenisation, and the RBI website contains a list of those networks.
What fees does the customer have to pay in order to use this service?
The customer is not required to pay any fees in order to use this service.
What use cases (instances/scenarios) have tokenisation permissions been granted for?
For all use cases and channels, tokenisation has been made possible through mobile devices and/or tablets (e.g., contactless card transactions, payments through QR codes, apps etc.)
Is the customer required to have their card tokenised?
No, a consumer has the option to allow tokenisation of their card or not. Those who don’t want to create a token can carry on with their transaction as usual by manually entering their card information.
After tokenisation, are the customer’s credit card details secure?
The authorised card networks store actual card information, token information, and other pertinent information in a safe fashion. Primary Account Number (PAN), also known as a card number, or any other card information, cannot be stored by a token requestor. The certification of the token requestor’s safety and security in accordance with internationally recognised best practises and standards is also required of card networks.
How does the registration process for a tokenisation request operate?
No forced, default, or automatic selection of a check box, radio button, etc. is used to register for a tokenisation request; instead, specific client consent is required through Additional Factor of Authentication (AFA). Additionally, the customer will have the option of choosing the use case and establishing boundaries.
Does the amount of cards that a consumer can request to be tokenised have a cap?
Any number of cards may be requested to be tokenised by a consumer. The customer is free to utilise any of the cards registered with the token request or app to complete a transaction.
Who should the consumer contact if their tokenised card is having problems? Where and how may they file a loss of device report?
The card issuers should be contacted with any complaints. Customers must have easy access to card issuers in order to report the loss of a “identified device” or any other incident that could expose tokens to unauthorized use.
Can a card issuer refuse to tokenise a certain card?
Card issuers may choose whether to permit cards issued by them to be registered by a token requestor based on factors such as risk perception and other factors.
Prasanta Patnaik