
Tokenisation Compliances: Need of the hour

Implementation of Tokenisation norms w.e.f. 01 October 2022

The alarming rise in unauthorised access to data and in data breaches has caught the attention of organisations and authorities, and has made data security a board-level discussion within organisations. The aim, however, was never to create operational or regulatory hurdles but to strike the right balance between data security and user experience. To address these issues, in 2019 the Reserve Bank of India (“RBI”) released a circular permitting card tokenisation by card networks for any token requestor.

The Circular titled Restriction on Storage of Actual Card Data [i.e., Card-on-File (CoF)] (“Tokenisation Circular”) takes effect from 01 October 2022. The implementation of tokenisation will have cost and operational implications and will also trigger the need for cyber and data protection solutions. Each merchant is required to employ tokenisation; if a merchant does not, each customer will need to enter their card details for every transaction they make with that merchant.

The required preparation for all merchants to comply with the requirement seems to still be underway as tokenisation related infrastructure calls for sophistication and security. A detailed analysis of what is tokenisation and other related questions is given below.

What is tokenisation?

Tokenisation means masking or substituting sensitive data with a unique identification number while retaining all the essential information about the data. This equivalent unique replacement value is called a token. Tokenisation is a global practice aimed at preventing disclosure of card details to any entity apart from the cardholder, card network or issuer. The concept of tokenisation was first introduced in 2005 by Shift4 Payments to protect cardholder data.

Tokenisation is implemented with Additional Factor of Authentication (“AFA”) by the cardholder. The algorithmically generated token protects sensitive information and prevents card fraud, as it permits transactions without exposing the cardholder's personal information.

How does tokenisation work?

In a traditional transaction i.e., pre-tokenisation, the credit card number is sent to the payment processor and then stored in the merchant’s internal systems for later reuse.

In a tokenised transaction, as the customer provides their credit card number for any transaction, the same is sent to a token system or vault instead of the payment processor. The token system or vault replaces the customer’s sensitive information, i.e., the credit card number, with a custom, randomly created alphanumeric ID, i.e., a token. After a token has been generated, it is returned to the merchant’s POS terminal and the payment processor in a safe form to complete the transaction successfully.

With data tokenisation, enterprises can safely transmit payment data across wireless networks. However, for effective implementation of tokenisation, enterprises must employ a payment gateway that stores the sensitive card data securely; the gateway holds the card information and generates the tokens, so the merchant never needs to keep the card number itself.
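The flow described above, as an added illustration that is not part of the original article or any RBI or card-network specification: a simplified token vault that swaps the card number (PAN) for a random alphanumeric token, issues a separate token per card-and-merchant pair, lets the payment processor look the PAN back up, and de-activates a token on demand. The class and function names, the 16-character token format and the test card number are assumptions constructed for the example.

```python
import secrets
import string

TOKEN_LEN = 16
ALPHABET = string.ascii_uppercase + string.digits


def luhn_ok(pan: str) -> bool:
    """Reject obviously malformed card numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return pan.isdigit() and total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only place the real PAN is ever stored."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_card: dict[tuple[str, str], str] = {}  # (pan, merchant) -> token
        self._revoked: set[str] = set()

    def tokenise(self, pan: str, merchant_id: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        key = (pan, merchant_id)
        existing = self._token_by_card.get(key)
        if existing and existing not in self._revoked:
            return existing            # same card at same merchant reuses its token
        while True:                    # random, not derived: nothing about the PAN leaks
            token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_card[key] = token
        return token

    def detokenise(self, token: str) -> str:
        """Called by the processor, never by the merchant, to recover the PAN."""
        if token in self._revoked:
            raise PermissionError("token de-activated")
        return self._pan_by_token[token]

    def revoke(self, token: str) -> None:
        """De-activate a token, e.g. after the cardholder reports a lost device."""
        self._revoked.add(token)


def merchant_record(vault: TokenVault, pan: str, merchant_id: str) -> dict:
    """What the merchant keeps on file: a token and last four digits, no PAN."""
    return {"token": vault.tokenise(pan, merchant_id), "last4": pan[-4:]}
```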

What is the need for tokenisation?

The RBI has been at the forefront of regulating the various stakeholders in the fintech ecosystem, releasing working group reports after stakeholder consultation and establishing a regulatory sandbox for companies. Given the series of circulars released by RBI since 2019, it is clear that RBI's intention with tokenisation is to protect cardholder data. With tokenisation in place, card merchants and the other stakeholders involved can move sensitive personal data without the risk of payment fraud or unauthorised access to data.

What are the necessary compliances required for implementing tokenisation?

  1. Businesses that accept card payments need to be in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”), which adds credibility and assures their customers.
  2. Card networks are required to get the token requestor certified for (a) token requestor’s systems, including hardware deployed for this purpose, (b) security of token requestor’s application, (c) features for ensuring authorised access to token requestor’s app on the identified device, and, (d) other functions performed by the token requestor, including customer on-boarding, token provisioning and storage, data storage, transaction processing, etc.
  3. Card networks are required to get the card issuers / acquirers, their service providers and any other entity involved in payment transaction chain, certified in respect of changes done for processing tokenised card transactions by them.
  4. Registration of card on token requestor’s app shall be done only with explicit customer consent through AFA, and not by way of a forced / default / automatic selection of check box, radio button, etc.
  5. Secure storage of tokens and associated keys by token requestor on successful registration of card shall be ensured.
  6. Card issuers shall ensure easy access to customers for reporting loss of “identified device” or any other such event which may expose tokens to unauthorised usage. Card network, along with card issuers and token requestors, shall put in place a system to immediately de-activate such tokens and associated keys.
  7. Dispute resolution process shall be put in place by card network for tokenised card transactions.
  8. Card network shall ensure monitoring to detect any malfunction, anomaly, suspicious behaviour or the presence of unauthorized activity within the tokenisation process and implement a process to alert all stakeholders.

Data privacy requirements for tokenisation

RBI has prescribed specific data privacy requirements for all card merchants, card issuers and other stakeholders involved. It is required that before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system (including security) audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers. This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (“CERT-In”) and all related instructions of Reserve Bank in respect of system audits shall also be adhered to.

Since a data protection law in India is yet to see the light of day, the RBI's tokenisation measures for data security are an essential move to safeguard sensitive consumer data. Across the globe, the regulatory environment surrounding data privacy and protection is becoming stricter than ever. Even though India does not yet have data protection legislation, organisations must be mindful of the consequences of any data breach or compromise. Non-compliance with data protection laws could lead to high penalties, litigation and brand damage.


AUTHORS: Shruti Dvivedi Sodhi (Partner) | Tushar Sinha (Associate)
