3. On a review of the tokenisation framework and to enable cardholders to benefit from the security of tokenised card transactions as also the convenience of CoF, it has been decided to effect the following enhancements –
Extend the device-based tokenisation1 framework referred to at paragraph 1 above to CoF Tokenisation (CoFT) as well.
Permit card issuers to offer card tokenisation services as Token Service Providers2 (TSPs).
The facility of tokenisation shall be offered by the TSPs only for the cards issued by / affiliated to them.
The ability to tokenise3 and de-tokenise card data shall be with the same TSP.
Tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by card issuer.
Additional requirements relating to CoFT are listed in the Annex.
4. Further, in the interest of cIarity, the following points may be noted –
With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.
For transaction tracking and / or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards.
Complete and ongoing compliance with the above by all entities involved, shall be the responsibility of the card networks.
5. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).
(P. Vasudevan) Chief General Manager
(CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated September 07, 2021)
Conditions to be fulfilled for offering CoFT services
1. For the purpose of CoFT, the token shall be unique for a combination of card, token requestor and merchant4.
2. If card payment for a purchase transaction at a merchant is being performed along with the registration for CoFT, then AFA validation may be combined.
3. The merchant shall give an option to the cardholder to de-register the token. Further, a token requestor having direct relationship with the cardholder shall list the merchants in respect of whom the CoFT has been opted through it by the cardholder; and provide an option to de-register any such token.
4. A facility shall also be given by the card issuer to the cardholder to view the list of merchants in respect of whom the CoFT has been opted by her / him, and to de-register any such token. This facility shall be provided through one or more of the following channels – mobile application, internet banking, Interactive Voice Response (IVR) or at branches / offices.
5. Whenever a card is renewed or replaced, the card issuer shall seek explicit consent of the cardholder for linking it with the merchants with whom (s)he had earlier registered the card.
6. The TSP shall put in place a mechanism to ensure that the transaction request has originated from the merchant and the token requestor with whom the token is associated.
2 Token Service Provider (TSP) refers to the entity which tokenises the actual card credentials and de-tokenises them whenever required. Earlier only card networks were allowed to act as TSPs.
3 In this circular, the word “token” wherever used includes token reference number, card reference number or any other similar term.
4 The word “merchant” wherever used in this circular refers to the end-merchant. However, in case of an e-commerce marketplace entity, merchant refers to the said e-commerce entity. Further, token requestor and merchant may or may not be the same entity.