Only card networks and issuing banks may get to tokenise data


Only card-issuing banks and card scheme operators, such as the National Payments Corporation of India, Visa and Mastercard, would be allowed to tokenise customer card data, Reserve Bank of India (RBI) is said to have indicated to the industry in a meeting Monday.

The central bank has clarified to the industry that none of the intermediaries, even licensed payment gateways and acquiring banks, would be allowed to store card data and offer tokenised files to merchants under the upcoming
payment aggregator and payment gateway regulatory regime kicking in from 2022, two sources aware of the matter told ET.

Under the new norms, every online merchant processing transactions for customers will only have access to a ‘tokenised’ key linked with the consumer’s cards instead of the entire card file. The meeting saw participation of members from industry pockets such as payments, banking and web-commerce, the sources added.

“The central bank has reiterated its stance that it only sees tokenisation as an alternative solution for merchants aiming to offer a one-click checkout facility to customers,” said a source present at the meeting.

“It has also been made clear that only card networks and issuing banks will be allowed to tokenise files corresponding to customer card details. Payment aggregators and merchants will have to devise systems to avail this tokenised link from their respective banks or networks,” the person added.

Tokenisation is an encryption technology that enables card operators to mask actual details of a debit or credit card by substituting with a secure, unique digital token linked to a customer device.


Delhivery, which announced the acquisition of smaller peer Spoton Logistics today, plans to file its IPO by October to raise as much as $1 billion.

Read Now

Only this proxy token can be stored by merchants and aggregators to process payments to offer one-click checkouts. Those merchants without access to tokenised links will have to ask customers to fill in the entire details of their card including the 16-digit number every time they make a payment.

The central bank’s insistence on strict card storage norms is on the back of several
recent high-profile cyber attacks such as those on JusPay, Mobikwik, Big Basket, Air India and Upstox.

RBI is said to be firm on its stand on customer security where it doesn’t want entities that are not under its direct supervision to be storing card details of customers on servers.

While payment aggregators will be allowed to store card details for processing of redressals and chargebacks, the new rules will stipulate a fixed time under which this data will have to be deleted.

ET reported last week that industry forums, including the Payments Council of India (PCI), have
suggested alternative solutions beyond encryption through tokenisation – such as secure reference on files – to minimise customer inconvenience to the central bank.

RBI didn’t respond to ET’s mailed queries.

Source link

Denial of responsibility! Planetconcerns is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.

Leave a comment