Guardrails for the Payment Ecosystem

By introducing card-on-file tokenisation, the RBI has sought to strike a balance between the protection of financial data and the ease of online card payments.

With the aim of ensuring seamless payments on digital platforms, the Reserve Bank of India (RBI) has enhanced the scope of card tokenisation. According to an official statement published on September 7, 2021, the existing ‘device-based tokenisation’ framework will be extended to include ‘card-on-file tokenisation’, with authorised card issuers acting as token service providers. In other words, payment information can now be stored for recurring use in the form of tokens without compromising the security of card data. 

Background

Envisaged as a mechanism for protecting sensitive cardholder data, ‘tokenisation’ is the replacement of actual card details with a surrogate value (the token) that has no exploitable relationship to the underlying card number. It was originally introduced in 2001 by ‘TrustCommerce’ – a company providing electronic payment processing and security services.

The U.S.-based firm had developed a tokenisation system that allowed consumers to use a randomised number instead of the primary account number to process payments on merchant websites. A breach of a merchant's systems would therefore expose only tokens rather than usable card numbers, which sharply reduced the value of the data to malicious actors.

Other payment gateway companies, such as Shift4 Corporation, later adopted tokenisation for card data, and the mechanism was publicly released during an industry Security Summit in Nevada in 2005.


Analysis

Today, tokenisation is widely adopted as a way of keeping card data out of systems that do not need it. A token service provider generates a token, a randomised alphanumeric reference that corresponds to the actual card number but is not derived from it, and keeps the mapping between the two in its own token vault. The token, rather than the card number, is then used at point of sale (PoS) terminals, payment gateways or quick response (QR) code payment systems while conducting transactions. Because the token is a random reference and not an encryption of the card number, neither the merchant nor the cardholder can recover the actual card number from it; only the token service provider can, by looking it up in the vault. Tokens are usually also bound to the merchant or channel for which they were issued, so a token lifted from one merchant's database is of little use to an attacker elsewhere.

With a sharp increase in cybercrime, the Indian central bank has been pushing for stringent tokenisation rules. In 2019, it issued guidelines permitting authorised card networks to offer tokenisation services to debit, credit and prepaid cardholders. Following this, in March 2020, the RBI tightened its security rules by stipulating that authorised payment aggregators and the merchants onboarded by them could not store actual card data. Read together, these two provisions sought to safeguard customer data against the frequent data breaches at technology companies.

The tokenisation facility was initially restricted to payment devices like mobile phones and tablets. This was later extended to laptops, desktops, wearables (wrist watches, bands etc.) and Internet of Things (IoT) devices. Despite this enhanced scope, however, a device-based framework was viewed as too restrictive by e-commerce players, as merchants and payment aggregators could not provide platform-agnostic tokenisation services. Moreover, the inability to store card details could affect the payment experience of users, as they would have to type in their card information for every recurring transaction.

Taking all these factors into account, the RBI has now reviewed its tokenisation framework. As per the September 2021 circular, entities in the card transaction/payment chain are still required to purge the actual card data that they previously stored. However, ‘card-on-file tokenisation’ has been permitted, whereby merchant outlets, payment aggregators and payment gateway providers can store a token standing in for the card, together with a limited subset of card data, for recurring transactions.

For instance, the circular allows the relevant entities to retain the last four digits of the actual card number as well as the card issuer's name, in compliance with applicable standards. At the same time, tokenisation ensures that the merchant's database contains randomised alphanumeric values, as opposed to the original card details. This mechanism strikes a balance between ‘ease of payments’ and ‘protection of consumer data’.
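The following is an added illustration of the mechanism described above, not code from the article, the RBI or any card network. It models a token service provider's vault alongside what a merchant is permitted to keep (a random token, the last four digits and the issuer's name), and shows why a token lifted from one merchant's database cannot simply be replayed by another. The class and function names, the merchant identifiers and the sample card number are assumptions made for the example.

```python
"""Toy model of card-on-file tokenisation (illustrative; not any real token service)."""
import hmac
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn check, so the vault refuses obviously malformed card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardOnFileRecord:
    """Everything a merchant or payment aggregator is allowed to keep."""
    token: str        # random surrogate; not computed from the card number
    last4: str        # last four digits, for display and reconciliation
    issuer: str       # card issuer's name
    merchant_id: str  # merchant the token was issued to (assumed binding rule)


class TokenVault:
    """Stands in for the token service provider (card network or issuer).

    The actual card number lives only here; merchants hold CardOnFileRecord objects.
    """

    def __init__(self) -> None:
        self._by_token = {}   # token -> (pan, merchant_id)

    def tokenise(self, pan: str, issuer: str, merchant_id: str) -> CardOnFileRecord:
        if not luhn_ok(pan):
            raise ValueError("not a well-formed card number")
        # 128 bits from the OS CSPRNG: the token is a reference, not a cipher of the
        # card number, so there is nothing to "decrypt" if a merchant database leaks.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = (pan, merchant_id)
        return CardOnFileRecord(token, pan[-4:], issuer, merchant_id)

    def detokenise(self, token: str, merchant_id: str) -> str:
        """Resolve a token to the card number, only for the merchant it was issued to."""
        entry = self._by_token.get(token)
        if entry is None:
            raise PermissionError("unknown token")
        pan, bound_to = entry
        if not hmac.compare_digest(bound_to.encode(), merchant_id.encode()):
            raise PermissionError("token not bound to this merchant")
        return pan


def demo() -> dict:
    """Run the flow end to end and report what each party ends up holding."""
    vault = TokenVault()
    pan = "4111111111111111"          # constructed, Luhn-valid sample number
    record = vault.tokenise(pan, "Example Bank", "merchant-A")
    # What merchant A is allowed to persist: token, last four digits, issuer name.
    merchant_db = f"{record.token},{record.last4},{record.issuer}"

    # A recurring charge by the merchant that holds the token succeeds.
    charged_pan = vault.detokenise(record.token, "merchant-A")

    # The same token, lifted from merchant A's database and replayed elsewhere, is refused.
    try:
        vault.detokenise(record.token, "merchant-B")
        replay_refused = False
    except PermissionError:
        replay_refused = True

    return {
        "pan_in_merchant_db": pan in merchant_db,
        "last4": record.last4,
        "recurring_ok": charged_pan == pan,
        "replay_refused": replay_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The merchant-binding check in `detokenise` is the example's stand-in for the domain restriction that real token services apply; the point it makes is that the merchant's stored record is useful for its own recurring charges but is not a card number, and is not transferable to another party.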

Assessment

  • With an unprecedented surge in e-commerce transactions and digital payments, multiple jurisdictions are contemplating a highly regulated tokenisation landscape. Any solution that guarantees the safety of financial data without inconveniencing customers will prove to be sustainable in the long run.
  • Given that card-on-file tokenisation supports recurring use cases, industry associations, payment gateways and e-commerce players are likely to prefer it over device-based tokenisation. At the end of the day, however, the success of this mechanism will be predicated on an integrated ecosystem that facilitates interoperability between different service providers.
