
WHITEPAPER

RBI Guidelines for Tokenization for Card Transactions

TOKENIZATION

Tokenization is the replacement of actual critical card details with an alternate code called the “token”. This token is always unique for a combination of card, token requestor (i.e. the application provider) and the device.

Reserve Bank of India has issued a directive under Section 10 (2) read with Section 18 of the Payment and Settlement Systems Act, 2007 to permit authorized payment networks to offer tokenization services to any token requestor in payment card transactions, subject to the conditions enumerated in the directive. The directive will further improve the security of card data in payment card transactions.

The token requestors will be third party application providers, and initially the offering of this facility will only be limited to mobile phones and/or tablets to serve the following payment channels:

• Contactless transactions over Near Field Communication (NFC) / Magnetic Secure Transmission (MST)
• QR code-based transactions
• In-app payment transactions
• Point of Sale Terminals
What Does This Directive Offer to Your End Customers/Card Holders?

RBI has given the end customer an option to register or deregister for the tokenization service for a specific payment channel after giving explicit consent, and organizations should not force the option or let a customer choose the option by default.

An additional factor of authentication should be used during the card registration process. This means that in addition to a second factor of authentication during registration of the card, the card network will also have to perform an additional factor of authentication during the transaction.

RBI has given the end customer an option to set and modify per-transaction and daily transaction limits for tokenized card transactions.

HOW DOES TOKENIZATION WORK

MANDATORY CONDITIONS FOR CARD ISSUERS, CARD NETWORKS AND TOKEN REQUESTORS AS PER THE DIRECTIVE:

Tokenization and de-tokenization are only performed by authorized card networks, which means that token requestors do not store the card number and other card details in their environment. The card details are stored only with the authorized card network, with adequate security controls in place, and additional safeguards must be in place to ensure that the card number cannot be found out from the token and vice versa by anyone except the card network. Token requestors must ensure that tokens and associated keys are stored securely.

The confidentiality and integrity of the token generation process should be handled effectively. All tokenization and de-tokenization requests must be logged by the card network and should be made available for retrieval, if required.

Card networks must deploy controls to ensure the authenticity of the “device” which is originating a transaction request, and must deploy a continuous monitoring process to detect any malfunction, anomaly, suspicious behaviour or the presence of unauthorized activity within the tokenization process, with a process to alert all the relevant stakeholders.

Card networks must provide a resolution process to customers for tokenized card transactions.

Before providing card tokenization services, authorized card payment networks must deploy a mechanism for periodic system and security audit, at least annually, of all entities involved in providing card tokenization services to end customers. This audit shall be undertaken by Indian Computer Emergency Response Team (CERT-In) empanelled auditors. A copy of this audit report must be submitted to the Reserve Bank of India.

Card issuers, as per their risk assessment, may decide whether to allow cards issued by them to be registered by a token requestor.

Card issuers must set up a process for customers to report loss of the “device” or any other such event which may expose tokens to unauthorized usage. The card network, along with card issuers and token requestors, must immediately de-activate such tokens and associated keys.
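The conditions above (tokenization and de-tokenization performed only by the network, one token per card, token requestor and device, no way to derive the card number from the token, logging of every request, and de-activation of tokens when a device is reported lost) can be modelled in a small vault. This is an added example, not code from the whitepaper or from any card network; the class, method names and sample values are constructed.

```python
import secrets
from datetime import datetime, timezone

# Constructed model of a card network's token vault (illustrative only). Tokens are
# random, so a token reveals nothing about the PAN to anyone without the vault itself.
class TokenVault:
    def __init__(self):
        self._by_token = {}    # token -> {"pan", "requestor", "device", "active"}
        self._by_triple = {}   # (pan, requestor, device) -> token
        self.audit_log = []    # every tokenization / de-tokenization request

    def _log(self, op, requestor, device, token, result):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "op": op,
                               "requestor": requestor, "device": device, "token": token, "result": result})

    def _new_token(self):
        while True:  # 16 random digits; redraw on collision keeps the mapping one-to-one
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if token not in self._by_token:
                return token

    def tokenize(self, pan, requestor, device):
        # One active token per (card, token requestor, device) combination
        triple = (pan, requestor, device)
        token = self._by_triple.get(triple)
        if token is None or not self._by_token[token]["active"]:
            token = self._new_token()
            self._by_token[token] = {"pan": pan, "requestor": requestor,
                                     "device": device, "active": True}
            self._by_triple[triple] = token
        self._log("tokenize", requestor, device, token, "ok")
        return token

    def detokenize(self, token, requestor, device):
        # Only the network resolves tokens, and only for the requestor/device it issued them to
        rec = self._by_token.get(token)
        if rec is None or not rec["active"] or (rec["requestor"], rec["device"]) != (requestor, device):
            self._log("detokenize", requestor, device, token, "rejected")
            return None
        self._log("detokenize", requestor, device, token, "ok")
        return rec["pan"]

    def deactivate_device(self, requestor, device):
        # Device reported lost: de-activate every token issued to it; returns the count
        count = 0
        for rec in self._by_token.values():
            if rec["active"] and (rec["requestor"], rec["device"]) == (requestor, device):
                rec["active"] = False
                count += 1
        return count
```

A token requestor in this model only ever holds the returned token; the PAN never leaves the vault, and the audit log records the rejected de-tokenization attempts that the monitoring process should alert on.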

CERTIFICATION REQUIREMENTS FOR CARD ISSUERS / ACQUIRERS, TOKEN REQUESTORS AND THEIR APPLICATION AS PER THE DIRECTIVE:

The directive mandates that the card network must get the third-party token requestor certified for:
• Token requestor’s systems, including hardware deployed for this purpose
• Security of token requestor’s application
• Features for ensuring authorized access to token requestor’s application on the identified device
• Other functions performed by the token requestor such as customer on-boarding, token provisioning and storage, data storage, transaction processing, etc.

Card networks must get the card issuers/acquirers and their service providers certified in respect of changes done for processing tokenised card transactions by them.

All certification/security testing by the card network must be in line with international best practices and globally accepted standards. Industry accepted standards such as PCI DSS, ISO 27001 and the OWASP Top 10 can help organizations build appropriate security measures to participate in tokenization processing.

HOW CAN WE HELP?

Network Intelligence offers an array of services in the cybersecurity domain which can help organizations secure their systems, applications and tokenization process, thereby making them compliant with RBI guidelines.

Network Intelligence has credentials such as CERT-In empanelled auditor and PCI QSA to perform the mandatory system and security audit of organizations to assess their end-to-end tokenization process.

Network Intelligence has proven experience in application and network security assessment and has consultants with OSCP and CREST credentials to assess your mobile applications and IT infrastructure by performing penetration testing against industry accepted standards.

To know more about our services, reach us at info@niiconsulting.com or visit www.niiconsulting.com
