Need Tally
for Clients?

Contact Us! Here

  Tally Auditor

License (Renewal)
  Tally Gold

License Renewal

  Tally Silver

License Renewal
  Tally Silver

New Licence
  Tally Gold

New Licence
 
Open DEMAT Account with in 24 Hrs and start investing now!
« Latest Circulars »
Open DEMAT Account in 24 hrs
 Auction of State Government Securities Feb 23, 2024
 RBI imposes monetary penalty on The Adinath Co-Operative Bank Limited, Dist. Surat, Gujarat
 The Relevance of SEACEN in a Turbulent World (Closing remarks by Michael Debabrata Patra, Deputy Governor, Reserve Bank of India - February 15, 2024 - at the 59th SEACEN Governors' Conference
  Business restrictions imposed on Paytm Payments Bank Limited vide Press Releases dated January 31 and February 16, 2024
 Extension of validity of Directions under Section 35A read with section 56 of the Banking Regulation Act, 1949 (As Applicable to Co-operative Societies) - HCBL Co-operative Bank Ltd., Lucknow (U.P.)
 Business restrictions imposed on Paytm Payments Bank Limited vide Press Releases dated January 31 and February 16, 2024
 Directions under Section 35 A read with section 56 of the Banking Regulation Act, 1949 Shimsha Sahakara Bank Niyamitha, Maddur, Mandya District Extension of Period
 Reserve Bank of India (Government Securities Lending) Directions, 2023
 Building resilient brand India amidst global uncertainty (Speech by Shri Swaminathan J, Deputy Governor, Reserve Bank of India - December 28, 2023 - at the 10th SBI Banking and Economic Conclave in Mumbai)
 Trade Credit for imports into India Submission of return on issuance of bank guarantees for Trade Credits on the Centralised Information Management System (CIMS)
 Minutes of the Monetary Policy Committee Meeting, December 6 to 8, 2023

Tokenisation Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services
September, 08th 2021

RBI/2021-22/96
CO.DPSS.POLC.No.S-516/02-14-003/2021-22

September 07, 2021

All Payment System Providers and Payment System Participants

Madam / Dear Sir,

Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services

We invite reference to our circular DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 8, 2019 on “Tokenisation – Card transactions”, permitting authorised card networks to offer card tokenisation services subject to the conditions listed therein. Initially limited to mobile phones and tablets, this facility was subsequently extended to laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc., vide our circular CO.DPSS.POLC.No.S-469/02-14-003/2021-22 dated August 25, 2021 on “Tokenisation – Card Transactions : Extending the Scope of Permitted Devices”.

2. Reference is also invited to our circulars DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020 (as updated from time to time) and CO.DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021 on “Guidelines on Regulation of Payment Aggregators and Payment Gateways”, advising that neither the authorised Payment Aggregators (PAs) nor the merchants on-boarded by them shall store customer card credentials [also known as Card-on-File (CoF)].

3. On a review of the tokenisation framework and to enable cardholders to benefit from the security of tokenised card transactions as also the convenience of CoF, it has been decided to effect the following enhancements –

  1. Extend the device-based tokenisation1 framework referred to at paragraph 1 above to CoF Tokenisation (CoFT) as well.

  2. Permit card issuers to offer card tokenisation services as Token Service Providers2 (TSPs).

  3. The facility of tokenisation shall be offered by the TSPs only for the cards issued by / affiliated to them.

  4. The ability to tokenise3 and de-tokenise card data shall be with the same TSP.

  5. Tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by card issuer.

  6. Additional requirements relating to CoFT are listed in the Annex.

4. Further, in the interest of cIarity, the following points may be noted –

  1. With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.

  2. For transaction tracking and / or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards.

  3. Complete and ongoing compliance with the above by all entities involved, shall be the responsibility of the card networks.

5. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).

Yours faithfully,

(P. Vasudevan)
Chief General Manager


Annex

(CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated September 07, 2021)

Conditions to be fulfilled for offering CoFT services

1. For the purpose of CoFT, the token shall be unique for a combination of card, token requestor and merchant4.

2. If card payment for a purchase transaction at a merchant is being performed along with the registration for CoFT, then AFA validation may be combined.

3. The merchant shall give an option to the cardholder to de-register the token. Further, a token requestor having direct relationship with the cardholder shall list the merchants in respect of whom the CoFT has been opted through it by the cardholder; and provide an option to de-register any such token.

4. A facility shall also be given by the card issuer to the cardholder to view the list of merchants in respect of whom the CoFT has been opted by her / him, and to de-register any such token. This facility shall be provided through one or more of the following channels – mobile application, internet banking, Interactive Voice Response (IVR) or at branches / offices.

5. Whenever a card is renewed or replaced, the card issuer shall seek explicit consent of the cardholder for linking it with the merchants with whom (s)he had earlier registered the card.

6. The TSP shall put in place a mechanism to ensure that the transaction request has originated from the merchant and the token requestor with whom the token is associated.

7. All other provisions of the RBI circulars dated January 8, 2019 and August 25, 2021 shall be applicable.

8. The TSPs shall monitor and ensure compliance in this regard.


1 The term “device-based tokenisation” wherever used in this circular refers to card tokenisation framework laid down vide RBI circulars dated January 8, 2019 and August 25, 2021.

2 Token Service Provider (TSP) refers to the entity which tokenises the actual card credentials and de-tokenises them whenever required. Earlier only card networks were allowed to act as TSPs.

3 In this circular, the word “token” wherever used includes token reference number, card reference number or any other similar term.

4 The word “merchant” wherever used in this circular refers to the end-merchant. However, in case of an e-commerce marketplace entity, merchant refers to the said e-commerce entity. Further, token requestor and merchant may or may not be the same entity.

Home | About Us | Terms and Conditions | Contact Us
Copyright 2024 CAinINDIA All Right Reserved.
Designed and Developed by Ritz Consulting