The Reserve Bank of India (RBI) continues to be proactive in regulating card-based transactions to ensure the consumer confidence in security and utility is protected as the country approaches what experts have described as a digital tipping point. The RBI has issued guidance requiring that all card transactions be tokenized beginning Jan 1 of this year, both for POS transactions and card-on-file (COF) or subscription sales. Tokenization is the process of replacing the user’s card credentials with a substitute number generated by a secure algorithm. The token by itself is valueless, so if a merchant’s system is hacked, the only payment data exposed are tokens, not actual card credentials that can be used by fraudsters or sold on the dark web.
The process of tokenization happens inside what’s called a token vault, where the tokenization algorithm is stored, and the only place where a token can be exchanged for the Primary Account Number (PAN). Both card issuers and merchant processors operate token vaults that address different use cases for card security. In the case of digital wallet transactions like ApplePay or GooglePay, the user’s card credentials are stored in the digital wallet or on the mobile device as a token, which is then is sent to the point-of-sale (POS) terminal via NFC. The merchant processor then routes that transaction to the Apple token vault to exchange the token for the PAN that can then be routed to the card issuer for authorization. NFC-enabled cards work similarly, with those tokens managed by the card issuers directly. In the case of recurring or COF transactions where the user has supplied their PAN credentials to the merchant, the initial transaction is tokenized by the merchant processor and the token returned to the merchant for storage. When the merchant presents the token on subsequent transactions, the processor runs it through their token vault to retrieve the PAN that can be sent to the issuer for authorization.
This rule from the RBI follows guidance issued last year requiring merchants to obtain the user’s approval before every recurring charge is billed. Consumers signing up for a monthly subscription must be contacted every month for their approval to process the current month’s charges.
Overview by Don Apgar, Director, Merchant Services Advisory Practice at Mercator Advisory Group