Several Founders, Co-Founders, CXO Bankers, CXO Fintech professionals and other people who participated in the e-panel discussions:
- Mr. Vinay Kalantri, Founder & Managing Director of TMW Fintech Private Ltd
- Ms. Priti Shah, Co-founder & CEO, Payswiff Solutions Pvt. Ltd
- Mr. Vishwas Patel, Director Infibeam Avenues Limited, Founder CCAvenue Payment Gateway
- Mr. Sony A, Head – Digital, South Indian Bank
- Mr. Sunil Kulkarni, Joint Managing Director, Oxigen Services (India) Pvt Ltd
- Mr. Rishi Prakash Mantri, Senior Vice President (Digital Payment – Solutions & Design), YES Bank
- Mr. Vikas Pahwa, Vice President Transaction Banking, Citi
- Mr. Jitendra Gupta, Founder Citrus Pay & MD Pay U, India
- Mr. Shashank Kumar, Co-Founder at Razorpay
- Mr. Probir Roy, Co-founder, Paymate
- Mr. Parag Mehta, Founder & CEO, Evolute Group
- Mr. Alok Jha, Managing Director Cyberplat India
- Mr. Ketan Doshi, Managing Director, Paypoint India Network Pvt Ltd
- Mr. Harveer Singh, Former Head of Product Marketing, Empays Payment Systems Ltd
- Mr. Vikas R Panditrao, Co-Founder, Forum of Industry Academic Knowledge Sharing (FIAKS)
- Many other CEO/CXO Bankers & Fintech professionals on FIAKS Forum
RBI has finally released the tokenisation framework guidelines for the card networks. This raised the following questions in the FIAKS community.
Question 1: There are no pre-conditions to become a token requester, anyone can be certified by a card association. Is that correct?
Question 2: Will this be an interoperable option? Or will customers have to register with multiple requesters to use this service with the whole ecosystem?
Question 3: Does this mean all the private payment gateway (PG) players who have been doing tokenisation all these years will have to stop?
The discussions started with members of the community sharing a few details that help in understanding the basics of tokenisation.
What is meant by “tokenisation”? It refers to the replacement of actual card details with a unique alternate code called the “token”, which shall be a unique combination of card, token requestor and device.
Tokenisation – de-tokenisation services include the following:
- These services shall be performed only by the authorized card network and recovery of the original Primary Account Number (PAN) should be feasible for the authorized card network only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network. The integrity of the token generation process shall be ensured at all times.
- Tokenisation and de-tokenisation requests should be logged by the card network and available for retrieval if required.
- Actual card data, token and other relevant details shall be stored in a secure mode. Token requestors shall not store PAN or any other card detail.
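The three points above describe a split of responsibilities: only the card network can map a token back to a PAN, the token must not be derivable from the PAN (or vice versa), every request is logged, and the token requestor keeps no card data. The following is an added illustrative model of that split written for this page; it is not RBI's, a card network's or any token requestor's code, and the class names, the `tok_` prefix and the constructed card number are this example's own assumptions.

```python
"""Added model of the tokenisation / de-tokenisation split: random tokens bound
to (card, token requestor, device), de-tokenisation possible only for the card
network, every request logged, and no PAN held by the token requestor.
Illustrative example only; all names here are hypothetical."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    pan: str            # real card number, held only inside the network vault
    requestor_id: str   # token requestor that asked for the token
    device_id: str      # device the token is bound to


class CardNetworkVault:
    """The card network's token vault (hypothetical name)."""

    def __init__(self, network_id: str):
        self.network_id = network_id
        self._by_token: dict[str, TokenRecord] = {}
        self._by_key: dict[tuple[str, str, str], str] = {}
        self.audit_log: list[dict] = []

    def _log(self, op: str, caller: str, token: str, ok: bool) -> None:
        # Every request is logged, successful or not, so it can be retrieved later.
        self.audit_log.append({"op": op, "caller": caller, "token": token, "ok": ok})

    def tokenise(self, pan: str, requestor_id: str, device_id: str) -> str:
        key = (pan, requestor_id, device_id)
        token = self._by_key.get(key)
        if token is None:
            # A random token is not a function of the PAN, so the PAN cannot be
            # recovered from it by anyone without access to this mapping.
            while True:
                token = "tok_" + secrets.token_hex(8)
                if token not in self._by_token:
                    break
            self._by_token[token] = TokenRecord(pan, requestor_id, device_id)
            self._by_key[key] = token
        self._log("tokenise", requestor_id, token, True)
        return token

    def detokenise(self, token: str, caller_id: str) -> TokenRecord:
        # Recovery of the PAN is feasible for the card network only.
        if caller_id != self.network_id:
            self._log("detokenise", caller_id, token, False)
            raise PermissionError("only the card network may de-tokenise")
        record = self._by_token.get(token)
        self._log("detokenise", caller_id, token, record is not None)
        if record is None:
            raise KeyError("unknown token")
        return record


def mask_pan(pan: str) -> str:
    """The most a token requestor keeps for display: the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenRequestor:
    """A merchant app or wallet (hypothetical). Stores tokens, never the PAN."""

    def __init__(self, requestor_id: str, vault: CardNetworkVault):
        self.requestor_id = requestor_id
        self.vault = vault
        self.cards: dict[str, dict] = {}   # token -> {"masked": ..., "device": ...}

    def register_card(self, pan: str, device_id: str) -> str:
        token = self.vault.tokenise(pan, self.requestor_id, device_id)
        self.cards[token] = {"masked": mask_pan(pan), "device": device_id}
        return token


def demo() -> dict:
    """Run the flow on a constructed (non-real) card number; return what was observed."""
    vault = CardNetworkVault("network-A")
    app = TokenRequestor("merchant-app", vault)
    pan = "4111111111111111"  # constructed test number, not a real card
    t_phone = app.register_card(pan, "phone-1")
    t_laptop = app.register_card(pan, "laptop-1")
    t_again = app.register_card(pan, "phone-1")
    try:
        vault.detokenise(t_phone, app.requestor_id)
        requestor_blocked = False
    except PermissionError:
        requestor_blocked = True
    network_view = vault.detokenise(t_phone, "network-A")
    return {
        "device_bound": t_phone != t_laptop,          # same card, different device => different token
        "stable_per_device": t_phone == t_again,      # same (card, requestor, device) => same token
        "requestor_blocked": requestor_blocked,
        "network_recovers_pan": network_view.pan == pan,
        "pan_absent_from_token": pan not in t_phone,
        "requestor_stores_no_pan": all(pan not in str(v) for v in app.cards.values()),
        "log_entries": len(vault.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a payment gateway is the third bullet: whatever the gateway keeps at checkout or in its vault is a token plus a masked PAN, and the only party that can turn that token back into a card number during authorisation is the network that issued it.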
The following are included in the certification of the systems of card issuers/acquirers, token requestors and their apps:
- Card networks shall get the token requestor certified for:
  - token requestor’s systems, including hardware deployed for this purpose,
  - security of token requestor’s application,
  - features for ensuring authorised access to token requestor’s app on the identified device, and,
  - other functions performed by the token requestor, including customer onboarding, token provisioning and storage, data storage, transaction processing, etc.
- Card networks shall get the card issuers/acquirers, their service providers and any other entity involved in payment transaction chain, certified in respect of changes done for processing tokenised card transactions by them.
- All certification/security testing by the card network shall conform to the international best practices/globally accepted standards.
The process of registration of a card on the token requestor app:
- This shall be done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced/default/automatic selection of checkbox, radio button, etc.
- AFA validation during card registration, as well as, for authenticating any transaction, shall be as per extant Reserve Bank instructions for authentication of card transactions.
- Customers shall have the option to register/de-register their card for a particular use case, i.e., contactless, QR code based, in-app payments, etc.
- Customers shall be given the option to set and modify per transaction and daily transaction limits for tokenised card transactions.
- Suitable velocity checks (i.e., how many such transactions will be allowed in a day/week/month) may be put in place by card issuers/card network as considered appropriate, for tokenised card transactions.
- For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.
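The customer-side controls in this list (registration per use case, per-transaction and daily limits, and velocity checks) are straightforward to model as an authorisation policy applied to each tokenised transaction. The following is an added example written for this page, not an issuer's or card network's code; the class name, the three use-case labels, the rolling seven-day and thirty-day windows for week and month, and all the amounts and thresholds are this example's own assumptions.

```python
"""Added example of issuer-side controls for one tokenised card: use-case
registration, per-transaction and daily limits, and velocity checks.
Illustrative only; names, windows and thresholds are assumptions."""
from datetime import datetime, timedelta

# Use cases a customer may register or de-register a card for (assumed labels).
USE_CASES = {"contactless", "qr", "in_app"}


class TokenisedCardPolicy:
    """Controls applied to every transaction on one token (hypothetical class)."""

    def __init__(self, per_txn_limit: int, daily_limit: int, velocity: dict[str, int]):
        self.per_txn_limit = per_txn_limit
        self.daily_limit = daily_limit
        self.velocity = velocity                      # {"day": n, "week": n, "month": n}
        self.enabled: set[str] = set()                # use cases the customer registered
        self.history: list[tuple[datetime, int]] = []  # approved (time, amount) only

    def register_use_case(self, use_case: str) -> None:
        if use_case not in USE_CASES:
            raise ValueError(f"unknown use case {use_case!r}")
        self.enabled.add(use_case)

    def deregister_use_case(self, use_case: str) -> None:
        self.enabled.discard(use_case)

    def set_limits(self, per_txn_limit: int, daily_limit: int) -> None:
        # The customer may set and modify both limits at any time.
        self.per_txn_limit = per_txn_limit
        self.daily_limit = daily_limit

    def _in_window(self, window: str, at: datetime) -> list[tuple[datetime, int]]:
        # "day" is the calendar date; "week"/"month" are rolling 7/30-day windows (assumed).
        if window == "day":
            return [h for h in self.history if h[0].date() == at.date()]
        days = {"week": 7, "month": 30}[window]
        return [h for h in self.history if at - timedelta(days=days) < h[0] <= at]

    def authorise(self, amount: int, use_case: str, at: datetime) -> tuple[bool, str]:
        if use_case not in self.enabled:
            return False, "use case not registered"
        if amount > self.per_txn_limit:
            return False, "per-transaction limit exceeded"
        spent_today = sum(a for _, a in self._in_window("day", at))
        if spent_today + amount > self.daily_limit:
            return False, "daily limit exceeded"
        for window, max_count in self.velocity.items():
            if len(self._in_window(window, at)) >= max_count:
                return False, f"velocity limit ({window}) exceeded"
        self.history.append((at, amount))
        return True, "approved"


def demo() -> list[str]:
    """Replay a constructed sequence of transactions and return the decisions."""
    t0 = datetime(2019, 1, 10, 9, 0)
    policy = TokenisedCardPolicy(per_txn_limit=5000, daily_limit=10000,
                                 velocity={"day": 3, "week": 10, "month": 30})
    policy.register_use_case("contactless")
    attempts = [
        (4000, "contactless", t0),                              # approved
        (6000, "contactless", t0 + timedelta(minutes=5)),       # over per-transaction limit
        (4000, "contactless", t0 + timedelta(minutes=10)),      # approved, 8000 spent today
        (3000, "contactless", t0 + timedelta(minutes=15)),      # would exceed daily limit
        (1000, "qr", t0 + timedelta(minutes=20)),               # QR not registered
        (1000, "contactless", t0 + timedelta(minutes=25)),      # approved, third of the day
        (500, "contactless", t0 + timedelta(minutes=30)),       # fourth of the day: velocity
        (500, "contactless", t0 + timedelta(days=1, hours=1)),  # next day: approved
    ]
    decisions = [policy.authorise(amount, use_case, at)[1] for amount, use_case, at in attempts]
    policy.deregister_use_case("contactless")
    decisions.append(policy.authorise(100, "contactless", t0 + timedelta(days=1, hours=2))[1])
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Only approved transactions are added to the history, so declined attempts do not consume the daily amount or the velocity count; whether that is the desired behaviour is an issuer choice, and the text leaves the exact velocity parameters to issuers and card networks.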
A community member said that tokenisation and de-tokenisation shall be performed only by the authorised card network; private players can’t store, and hence our tokenisation via the checkout or vault, etc., is a big question mark. The notification clearly states: “Tokenisation and de-tokenisation shall be performed only by the authorised card network and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only.” A member feels that clarity is required here from what it reads. According to a FIAKS community member, this will allow the entry of third parties like Google, Apple Pay and Amazon, which can now act as token requestors in India.