Device based Tokenisation – Card Transactions

Ans. Tokenisation refers to replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and device (referred hereafter as “identified device”).
Ans. Conversion of the token back to actual card details is known as de-tokenisation.
Ans. A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
Ans. The card holder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.
Ans. The customer need not pay any charges for availing this service.
Ans. Tokenisation has been allowed through mobile phones and / or tablets for all use cases / channels (e.g., contactless card transactions, payments through QR codes, apps, etc.).
Ans. The feature of tokenisation is available on consumer devices like mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc.

Ans. Tokenisation and de-tokenisation can be performed by the authorised card network or by the card issuer. The list of card networks authorised by RBI to operate in India is available on the RBI website at the link /en/web/rbi/-/publications/certificates-of-authorisation-issued-by-the-reserve-bank-of-india-under-the-payment-and-settlement-systems-act-2007-for-setting-up-and-operating-payment-system-in-india-12043.

Ans. Normally, in a tokenised card transaction, parties / stakeholders involved are merchant, the merchant’s acquirer, token service provider (card payment network or card issuer), token requestor, issuer and customer. However, an entity, other than those indicated, may also participate in the transaction.
Ans. Actual card data, token and other relevant details are stored in a secure mode by the token service provider (card payment network or card issuer). Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices / globally accepted standards.
Ans. No, a customer can choose whether or not to let his / her card be tokenised.
Ans. Customers have the option to register / de-register their card for a particular use case, i.e., contactless, QR code based, in-app payments, etc.
Ans. The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc. Customer will also be given choice of selecting the use case and setting-up of limits.
Ans. Customers have the option to set and modify per transaction and daily transaction limits for tokenised card transactions.
Ans. A customer can request for tokenisation of any number of cards. For performing a transaction, the customer shall be free to use any of the cards registered with the token requestor app.
Ans. For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.
Ans. A customer can request for tokenisation of his / her card on any number of devices.
Ans. All complaints should be made to the card issuers. Card issuers shall ensure easy access to customers for reporting loss of “identified device” or any other such event which may expose tokens to unauthorised usage.
Ans. Based on risk perception, etc., card issuers may decide whether to allow cards issued by them to be registered by a token requestor.
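
The answers above on how a token is bound to a card, a token requestor and a device, on de-tokenisation, and on where card data is stored can be modelled in a few lines. This is an added illustration, not code from the Reserve Bank of India or any card network. The class and function names, the sample card number, and the choices to check requestor and device at de-tokenisation and to return the same token for a repeated request are assumptions of the sketch.

```python
import secrets

class TokenServiceProvider:
    """Toy token vault; a constructed model, not a real card-network API."""

    def __init__(self):
        self._vault = {}    # token -> (pan, requestor_id, device_id)
        self._tokens = {}   # (pan, requestor_id, device_id) -> token

    def tokenise(self, pan, requestor_id, device_id, consent_via_afa):
        # Registration requires explicit customer consent through AFA.
        if not consent_via_afa:
            raise PermissionError("explicit customer consent (AFA) required")
        binding = (pan, requestor_id, device_id)
        if binding not in self._tokens:
            token = pan
            # Random digits, never equal to the PAN or to an issued token.
            while token == pan or token in self._vault:
                token = "".join(secrets.choice("0123456789") for _ in pan)
            self._vault[token] = binding
            self._tokens[binding] = token
        return self._tokens[binding]

    def detokenise(self, token, requestor_id, device_id):
        # Only the vault holder can map a token back to the PAN, and
        # (assumption) only for the requestor and device it was issued to.
        binding = self._vault.get(token)
        if binding is None or binding[1:] != (requestor_id, device_id):
            raise PermissionError("token unknown or presented out of context")
        return binding[0]

    def deregister_device(self, device_id):
        # E.g. the customer reports loss of the identified device.
        for token, binding in list(self._vault.items()):
            if binding[2] == device_id:
                del self._vault[token]
                del self._tokens[binding]

def is_rejected(call, *args):
    """Return True when the vault refuses the call with PermissionError."""
    try:
        call(*args)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed sample value, not a real card
    phone = tsp.tokenise(pan, "wallet-app", "phone-1", True)
    watch = tsp.tokenise(pan, "wallet-app", "watch-1", True)
    print(phone != watch, is_rejected(tsp.detokenise, phone, "wallet-app", "watch-1"))
```

The token requestor in this model only ever holds the returned token; the card number stays inside the vault object, which stands in for the token service provider.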

These FAQs are issued by the Reserve Bank of India (hereinafter referred to as “Bank”) for information and general guidance purposes only. The Bank will not be held responsible for actions taken and / or decisions made on the basis of the same. For clarifications or interpretations, if any, one may be guided by the relevant circulars, guidelines and notifications issued from time to time by the Bank.

Page Last Updated on: December 11, 2022
