Tokenization Summary

Tokenization involves replacing a card's primary account number with a unique alternate code called a token. Only authorized card networks like Visa and Mastercard can perform tokenization and de-tokenization. Third party apps and payment providers act as intermediaries in the tokenization process between customers and authorized card networks. Tokens are unique to each card, token requester, and device combination, providing improved security over storing actual card details. The payment process involves the token and cryptogram being sent for verification and conversion back to the primary account number for authorization from the card issuer. Compliance requirements and security measures must be followed by all involved parties.

Uploaded by Tarang Doshi

Tokenization Circular:

What is tokenisation?
Tokenisation is the replacement of the actual card details (the Primary Account Number, or PAN) with a
unique alternate code called a "token". De-tokenisation is the reverse: recovering the card details from the token.

Who can perform tokenisation?


Only an "Authorised Card Network" (ACN) can perform tokenisation and de-tokenisation. The ACN has full
discretion, based on its own risk perception, over whether to issue a token.

Authorised Card Networks:

Visa, Mastercard, American Express Banking Corp., Diners Club International Ltd. and RuPay (operated by
NPCI). The ACN is solely responsible for the tokenised cards.

Who is a token requestor?


A third-party app or payment provider that acts as an intermediary between the customer and the
Authorised Card Network and facilitates the tokenisation, e.g. Google Pay, Samsung Pay or Paytm.

What is the difference between an Authorised Card Network and a Token Requestor?

Authorised Card Networks are the payment networks authorised by RBI to operate card schemes; the debit/
credit cards themselves are issued by banks under the network's brand (and may be co-branded). A token
requestor is a third-party app provider that gets itself certified by the ACN and acts as an intermediary
between the ACN and the customer so that the tokenisation process runs smoothly.

Why is tokenisation more secure?

The card holder's PAN is stored only at the ACN, in a secure manner; the token requestor has no access to
the PAN and no authority to store it. This is more secure than the current way of transacting, in which the
card details themselves are stored with the third party (the token requestor).

Modes for which Tokenization can be used?


It extends to all use cases involving NFC (Near Field Communication), MST (Magnetic Secure
Transmission), in-app payments, QR code-based payments, or any token storage mechanism.
The customer has the liberty to enable or disable any of these methods.

Devices through which tokenization facility shall be offered?


As of now, RBI has permitted tokenisation only on mobile phones and tablets, which the circular calls
"Identified Devices". Transactions using tokens can only originate from such identified devices.

Is it mandatory for every card holder (customer) to register for tokenisation?


No. Tokenisation is done through the token requestor's app only with the customer's explicit consent,
given through AFA (Additional Factor of Authentication) / PIN. Both the consent AFA and the transaction
authentication mechanism must follow RBI instructions.

What will be the charges for tokenisation?

It is free of cost; no charges can be levied on or collected from card holders availing the service. RBI
guidelines on the safety and security of card transactions apply as-is to tokenised card transactions,
including the requirement for AFA / PIN entry.

What is the applicability of tokenisation?


Tokenisation is applicable to debit and credit cards. It covers POS transactions as well, but only where the
transaction is processed online.

How can one access/ use token after its issuance?


The list of tokenised cards is displayed on the merchant's site, where the card holder identifies the card
to pay with by its last four digits.

Is one token common to all the cards held by the customer? Or does a token issued by one Token Requestor
work across all payment transactions?

No. A token is bound to a specific combination of card, token requestor and device, so the same card
tokenised through a different token requestor (or on a different device) gets a different token.

How does a payment work under tokenisation?

Step 1:
When the end user pays online, in-store or in-app, the merchant sends the token and the related
cryptogram as part of the authorisation request to the network.
Step 2:
The network's tokenisation platform verifies the validity of the transaction and checks that the token is
the correct one for the wallet or e-merchant presenting it.
Step 3:
It then uses the token vault to map the token back to the primary account number (PAN) and validates the
related cryptogram by recomputing it on its side, before requesting transaction authorisation from the issuer.
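The three steps above, together with the one-token-per-card/requestor/device rule from the earlier question, as an added worked example in Python (this is not code from the RBI circular, any card network or any wallet provider; the token format, the HMAC-based cryptogram, the message fields and the single constructed test PAN with a balance are all assumptions for illustration):

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_BIN = "999999"                          # assumed token-range prefix (real networks use dedicated token BINs)
ISSUER_ACCOUNTS = {"4111111111111111": 5000}  # constructed test PAN with a balance, not a real card

def luhn_check_digit(payload: str) -> str:
    """Check digit for a numeric payload, so a token passes the same format check a PAN does."""
    total = 0
    for i, ch in enumerate(reversed(payload)):  # doubling starts at the payload's rightmost digit
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return luhn_check_digit(number[:-1]) == number[-1]

def cryptogram(device_key: bytes, token: str, amount: int, atc: int) -> str:
    """Per-transaction cryptogram (assumed format): HMAC over token, amount and a transaction counter."""
    return hmac.new(device_key, f"{token}|{amount}|{atc}".encode(), hashlib.sha256).hexdigest()[:16]

@dataclass
class TokenVault:
    """Held by the Authorised Card Network: the only place a token maps back to a PAN."""
    records: dict = field(default_factory=dict)   # token -> {pan, requestor, device, key, atc, active}
    index: dict = field(default_factory=dict)     # (pan, requestor, device) -> token
    log: list = field(default_factory=list)       # every tokenise / de-tokenise request is logged

    def tokenise(self, pan: str, requestor: str, device: str):
        scope = (pan, requestor, device)          # one token per card + requestor + device
        if scope in self.index:
            raise ValueError("card already tokenised for this requestor and device")
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self.records and token != pan:
                break
        device_key = secrets.token_bytes(32)      # shared only with this requestor on this device
        self.records[token] = {"pan": pan, "requestor": requestor, "device": device,
                               "key": device_key, "atc": 0, "active": True}
        self.index[scope] = token
        self.log.append(("tokenise", requestor, device, token))
        return token, device_key

@dataclass
class TokenRequestor:
    """Wallet app on the identified device: keeps the token and device key, never the PAN."""
    name: str
    device: str
    token: str = ""
    device_key: bytes = b""
    atc: int = 0                                  # application transaction counter, defeats replay

    def provision(self, vault: TokenVault, pan: str) -> None:
        # The PAN is passed to the network at on-boarding and is not retained by the app.
        self.token, self.device_key = vault.tokenise(pan, self.name, self.device)

    def build_auth_request(self, amount: int) -> dict:   # Step 1: what the merchant forwards
        self.atc += 1
        return {"token": self.token, "amount": amount, "atc": self.atc, "requestor": self.name,
                "device": self.device, "cryptogram": cryptogram(self.device_key, self.token, amount, self.atc)}

def issuer_authorise(pan: str, amount: int) -> str:
    """Toy issuer decision taken on the de-tokenised PAN."""
    return "approved" if ISSUER_ACCOUNTS.get(pan, 0) >= amount else "declined: insufficient funds"

def network_authorise(vault: TokenVault, req: dict) -> str:
    """Steps 2 and 3: check token binding and cryptogram, then de-tokenise and ask the issuer."""
    rec = vault.records.get(req["token"])
    if rec is None or not rec["active"]:
        return "declined: unknown or deactivated token"
    if (rec["requestor"], rec["device"]) != (req["requestor"], req["device"]):
        return "declined: token not bound to this requestor/device"
    expected = cryptogram(rec["key"], req["token"], req["amount"], req["atc"])
    if not hmac.compare_digest(expected, req["cryptogram"]):
        return "declined: bad cryptogram"
    if req["atc"] <= rec["atc"]:
        return "declined: replayed cryptogram"
    rec["atc"] = req["atc"]
    vault.log.append(("detokenise", req["requestor"], req["device"], req["token"]))
    return issuer_authorise(rec["pan"], req["amount"])   # the PAN leaves the vault only towards the issuer

def demo() -> dict:
    pan = "4111111111111111"
    vault = TokenVault()
    wallet_a = TokenRequestor("WalletA", "phone-1")
    wallet_b = TokenRequestor("WalletB", "phone-1")   # same card, same device, different requestor
    wallet_a.provision(vault, pan)
    wallet_b.provision(vault, pan)
    req = wallet_a.build_auth_request(1200)
    return {
        "distinct_tokens": wallet_a.token != wallet_b.token,
        "token_luhn": luhn_valid(wallet_a.token),
        "requestor_has_no_pan": pan not in vars(wallet_a).values(),
        "genuine": network_authorise(vault, req),
        "replay": network_authorise(vault, req),                   # same cryptogram presented twice
        "tampered": network_authorise(vault, dict(req, amount=1)), # amount changed after signing
        "wrong_requestor": network_authorise(vault, dict(wallet_a.build_auth_request(50), requestor="WalletB")),
    }
```

Running `demo()` shows the properties the text relies on: the two wallets get different tokens for the same card on the same phone, the wallet object never holds the PAN, a replayed or tampered authorisation request is refused before de-tokenisation, and a token presented by a requestor it is not bound to is refused as well. The ATC is the simplest replay defence; real schemes also bind the cryptogram to merchant and time data.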

Compliance requirements to be fulfilled by Token Requestor?


- A mandatory system audit by a CERT-In empanelled auditor, at least once a year.
- A monthly report as per Annex 2, emailed to the Chief General Manager, Department of Payment and
Settlement Systems, RBI Central Office, Mumbai.

Following are the measures to be taken by ACN:


While performing Tokenisation:
- The integrity of the process shall be ensured.
- Every tokenisation and de-tokenisation request shall be logged and made available.
- Actual card data, tokens and other relevant data shall be stored securely.
- The ACN shall ensure that the token requestor does not store the PAN or any other card details.
- Tokenisation shall be performed so that the PAN cannot be recovered from the token by anyone
except the ACN.

While certifying a token requestor, the ACN shall assess:

- The token requestor's systems, including the hardware deployed for this purpose.
- The security of the token requestor's application.
- Features that ensure only authorised access to the token requestor's app on the identified device.
- Other functions performed by the token requestor, including customer on-boarding, token
provisioning and storage, data storage and transaction processing.
- Safeguards for the secure storage of tokens and their associated keys.

On usage of tokens:

The ACN may put a velocity check on tokenised transactions, e.g. how many such transactions are
allowed in a day, week or month.

Systems shall be in place at all levels (ACN, card issuers and token requestors) that give the card holder
easy access to report loss of an identified device or any other event leading to unauthorised use of a
token, and that de-activate the tokenised card immediately upon such a report. After de-activation, the
card holder can have a fresh token issued by revisiting the token requestor's app.
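The velocity check and the loss-report / de-activation path above, as an added illustrative Python example (not a card network's actual logic; the rolling window sizes, the limit names, the epoch-seconds timestamps and the two-state token status model are assumptions):

```python
from collections import defaultdict

# Assumed rolling windows in seconds; the circular leaves the actual limits to the network.
WINDOWS = {"day": 86_400, "week": 7 * 86_400, "month": 30 * 86_400}

class TokenUsageControl:
    """Per-token velocity limits plus immediate de-activation when an identified device is reported lost."""

    def __init__(self, limits: dict):
        self.limits = limits                       # e.g. {"day": 5, "week": 20, "month": 50}
        self.status = {}                           # token -> "active" | "deactivated"
        self.tokens_on_device = defaultdict(set)   # device -> tokens provisioned on it
        self.history = defaultdict(list)           # token -> timestamps of approved transactions

    def register(self, token: str, device: str) -> None:
        self.status[token] = "active"
        self.tokens_on_device[device].add(token)

    def check(self, token: str, at: int) -> tuple:
        """Velocity check before authorisation; the transaction is recorded only if every window allows it."""
        if self.status.get(token) != "active":
            return False, "token deactivated or unknown"
        for name, window in WINDOWS.items():
            used = sum(1 for t in self.history[token] if at - t < window)
            if used >= self.limits[name]:
                return False, f"{name} limit reached"
        self.history[token].append(at)
        return True, "ok"

    def report_loss(self, device: str) -> list:
        """Lost or stolen identified device: de-activate every token provisioned on it at once."""
        lost = sorted(self.tokens_on_device[device])
        for token in lost:
            self.status[token] = "deactivated"
        return lost

    def reissue(self, old_token: str, new_token: str, device: str) -> None:
        """Card holder returns to the token requestor: a fresh token replaces the de-activated one."""
        if self.status.get(old_token) != "deactivated":
            raise ValueError("only a deactivated token can be replaced")
        self.register(new_token, device)           # the old token's history is not inherited
```

The check is deliberately ordered so that a de-activated token is refused before any counting happens, and the limits are evaluated against rolling windows rather than calendar days so that a burst at midnight cannot double the allowance.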
