The Move to Tokenization SpreadsRBI Clears the Way for Broader Use to Help Fight Fraud
The Reserve Bank of India intends to do away with the one-time password authentication process for online transactions. In a step in that direction, for the first time, it is allowing widespread tokenization of debit, credit and prepaid card transactions to enhance the safety of digital payments.
See Also: 2021: A Cybersecurity Odyssey
RBI has released guidelines on tokenization and has instructed authorized card payment networks to offer card tokenization services to any token requestor/third-party app provider.
The need to better manage the sensitive data of consumers and manage stringent compliance efforts has led more enterprises of all sizes to adopt tokenization for critical information protection, the RBI notes. Tokenization already is in widespread use in the United States and other nations.
How It Works
To use tokenization, a card holder must register the card on the token requestor's app after giving explicit consent. Consumers will not pay a fee for tokenization as an alternative to one-time passwords, says Jose J. Kattoor, chief general manager, RBI.
"Tokenization will replace card details with a code, called a 'token,' which will be specifically for the card, the token requestor and the device being used to pay," explains P. Vasudevan, RBI's chief general manager. "Instead of the card's details, the token will act as the card at point of sale [POS] terminals and quick response [QR] code payment systems. The goal of the process is to improve the safety and security of payments."
RBI is allowing tokenization using all types of payment services and methods, including near-field communication, magnetic secure transmission in-app payment methods and cloud services. But it initially will be available only via mobile phones and tablets. Extension to other devices will be examined later based on experience gained, RBI says.
The use of tokenization is optional for consumers, RBI stresses, and requires registration of the payment card.
RBI hopes to eventually do away with the use of SMS-based one-time passwords for smaller transactions.
Consumers in India already can make online transaction via Google Pay, Amazon Pay and Samsung Pay using a tokenization feature.
"As digital payments continue to proliferate deeper across India, it is important to reinforce the safety and security of digital payments," says T.R. Ramachandran, Visa's group country manager, India & South Asia. "Tokenization is the foundational aspect of taking payment security and safety to the next level by devaluing data and replacing payment credentials with tokens."
In many other nations, including the United States, tokenization has evolved to enable payments through connected devices and risk-based authentication, Ramachandran says, so India is playing catch-up.
Visa and MasterCard introduced tokenization services in 2017, says Sriram Natarajan , chief operating officer at Quattro, a business outsourcing organization consulting firm.
U.S.-based analysts at the firm Research and Markets say cloud-based deployment of tokenization is gaining high traction because it requires less capital investment, helps decrease the operational and maintenance costs and reduces management's efforts.
The surge in online payments, and growth in payment fraud, has led to the need to enhance security, the analysts say. Now, rapid economic growth in the developing APAC countries, along with regulatory reforms and economic stability, is driving the growth of the tokenization in this region, they say.
The Required Steps
In offering tokenization to their customers, RBI has asked issuer banks and payment firms to use a security mechanism to ensure that the transaction request originated from an "identified device."
Card networks must monitor to detect any malfunction, anomaly, suspicious behavior or the presence of unauthorized activity within the tokenization process and implement a process to alert all stakeholders, RBI's Vasudevan says.
Before providing card tokenization services, he says, authorized card payment networks must put in place a mechanism for a periodic system audit, including security, at least annually, of all entities involved in providing card tokenization services to customers. "This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team [CERT-In] , and all related instructions of RBI in respect of system audits shall also be adhered to," he says.
RBI says registration of a card on a token requestor's app shall be done only with explicit customer consent through additional factor of authentication. Registration cannot occur by way of a forced, default or automatic selection via a check box or radio button. The AFA validation during card registration, as well as for authenticating any transaction, must be complaint with to RBI instructions for authentication of card transactions.
Under RBI's new guidelines, tokenization and detokenization can only be performed by the authorized card network. Credit and debit card networks, such as Mastercard or Visa, will work with issuing banks to enable tokenization across the cards issued.
Ramachandran says tokenization services help reduce risk. He points out that:
- Tokens don't carry the consumer's primary account number, reducing risk in storing tokens on mobile devices, at e-commerce merchants and in cloud-based mobile apps;
- Tokens are based on ISO standards and can therefore be processed and routed by merchants, acquirers and issuers just like traditional card payments.
CISOs at the banks need to work closely with payment firms to ensure that the online payment infrastructure is secure to help ensure fraud-free transactions, Natarajan says.