RBI’s Tokenization Circular Update – The What, Why and How
The digital era has revolutionized the way we pay. Everything about the transaction experience is changing dynamically. Strengthened by technological advancements such as blockchain, mobile wallets, scan-based payment methods and artificial intelligence, the volume of digital transactions is only expected to explode. And regulators will have to ensure that in the process of offering convenience, security does not get compromised.
“India is one of the fastest growing digital payments markets. This is also known to attackers, intruders, and hackers.”
– Kaushik Pandey, Global Head of Compliance and Testing Services, SISA
India has been at the forefront of this revolution, with the payments landscape witnessing remarkable transformation over the past five years. In FY2021, India retained the top spot in real-time digital payments across the globe with a staggering 25.5 billion transactions processed – way ahead of China, which ranked second with 15.7 billion transactions, according to a report by CLSA1. The emergence of new players, innovations in technology and forward-looking regulatory changes have been key drivers behind India’s dominant position. As per RBI’s annual report, India’s digital payments grew threefold in volume to 43.7 billion from FY2018 to FY2021, spurred by cheap internet, widespread smartphone penetration and the biometric identity card, and now constitute 98% of total retail payments2. The greater thrust on innovation, especially in the fintech space targeted at cross-border payments, financial inclusion and digital commerce, is expected to further accelerate the growth of digital payments.
As India’s digitization continues to gather steam, it also faces new challenges. Hackers, intruders and other malicious actors have become increasingly active in the digital payments space. According to a report by VPN provider Surfshark, in 2021 alone, 9 major data breaches were reported in which 86.6 million user accounts were exposed3. India was ranked 3rd in the number of global data breaches in 2021, behind the US and Iran, with a 351.6% increase in the number of compromised accounts. Similarly, more than 45% of all financial frauds in 2020, under communication device-related cybercrimes, were related to online banking frauds, as per data from the National Crime Records Bureau4.
Online financial frauds using payment cards increased by 225% in 2020 during the pandemic, according to a report by National Crime Records Bureau5.
These worrying facts and figures paint a vivid picture of our shortcomings in handling this new and rapidly expanding digital ecosystem. The need of the hour is to secure and protect private card data from all forms of malicious attack; this is where tokenization can prove to be the ultimate solution.
What is Tokenization?
Tokenization is the process of replacing actual sensitive debit or credit card details with an alternate code called a “token”. This uniquely generated code is tied to the combination of the card used to process the payment, the token requestor and the device used, such as a mobile phone or a tablet. A tokenized card transaction is considered safer because the actual card details are not shared with the merchant during transaction processing. Instead, the card details are converted into a unique token, specific to the card and saved with only one merchant at a time, as against the current practice that requires a customer to key in the 16-digit card number along with the 3–4-digit card verification number (CVV). What this means is that the original card data never leaves the tokenizing organization, so the token an attacker might steal from a merchant is useless on its own.
“The typical way in which we were handling the digital payment ecosystem needs to be changed, that is the need of the hour. Otherwise, it will be fairly easy for intruders, hackers and all malicious people to get hold of the particular data and accordingly compromise those records as well.”
– Kaushik Pandey, Global Head of Compliance and Testing Services, SISA
What’s with the latest RBI update?
In September 2021, the RBI introduced regulations prohibiting merchants from storing sensitive customer card details on their servers with effect from January 01, 2022, and requiring card-on-file tokenization (CoFT) as the alternative to card data storage. This was a huge announcement for India’s financial sector, as each and every party across the payment chain had been storing card details until then.
Later, realizing the massive architectural-level changes this would entail, and faced with concerns voiced by industry bodies about potential disruption and loss of revenue, especially for merchants, the RBI updated the tokenization guideline and extended the implementation timeline to June 30, 2022. This date marks the beginning of a new phase of transaction security: all old card data stored by payment service providers (PSPs) on their platforms has to be purged and no new card data can be added. With the initial tokenization guidelines in place since 2019, we can see how the idea of tokenization has developed within India and how the RBI has extended the scope of permitted devices over time beyond mobile phones and tablets to include laptops, desktops, wearables, IoT devices etc.
As stated earlier, by turning a meaningful piece of data into an irreversible random string of characters, tokenization secures the real data against malicious actors. It delivers very tangible benefits in securing payment information by preventing the loss of sensitive data and protecting businesses against reputational damage. Because tokens are unique, irreversible and bear no relationship to the original data, they are meaningless to hackers in the event of a data breach. Organizations can also reduce the scope of PCI-DSS compliance by eliminating the storage of sensitive data on back-end systems. Some of the key advantages offered by tokenization include:
- Decreases risks of data breaches
- Strengthens trust between customers and businesses
- Reduces the level of red tape for businesses
- Drives payment innovations
- Creates an ecosystem of smoother and safer payment experience for all parties involved
“There is no standard on how to store customers’ card data. Everyone is using their own standards, their own security measures, which is not good. That is where RBI is also setting a precedent defining a standard and also allowing room for innovation through issuer tokenization.”
– Ravi Battula, VP Merchant Acquiring Solutions, Wibmo Inc.
As tokenization becomes widely used and accepted, it is expected to bring in a sense of standardization that can benefit the entire payments industry. By allowing issuers to act as the Token Service Provider (TSP), the RBI has enabled an added layer of innovation and convenience in digital transactions. This creates a fast, secure and efficient payment method. Whether you are on a mobile phone or in any browser, it still gives you a one-click, frictionless checkout experience whilst providing enhanced security.
The How: Implementing Tokenization
As with any new technology, implementing tokenization requires changes to back-end systems, deployment of token servers and integration with supporting systems, among other things. Tokenization systems and processes must be protected with strong security controls and with monitoring to ensure the continued effectiveness of those controls. Payment processors, gateways, card issuers, card networks, banks and aggregators considering the use of tokenization should perform a thorough evaluation and risk analysis to identify and document the unique characteristics of their implementation. This must include all interactions with payment card data and with the tokenization systems and processes, specifically covering the provisioning, processing and storage of tokens. It also involves complying with the security standards applicable to network segmentation, authentication, monitoring and deployment models. The following guidelines and best practices can help organizations implement tokenization effectively.
PCI-DSS product security recommendations for general tokenization:
- If hardware products are used for tokenization, the hardware products should be validated to FIPS 140-2 Level 3, operate in FIPS mode, and be initialized to overall level 3 (or greater) per security policy
- If software products are used for tokenization, the software products should be validated to FIPS 140-2 level 2, operate in FIPS mode, and be initialized to overall level 2 (or greater) per security policy
Beyond these general guidelines, additional considerations may apply depending on the nature of the tokenization product – e.g., irreversible or reversible.
Here are SISA’s recommended best practices to implement the CoFT regulations:
- Review the “PCI SSC’s guidelines on tokenization” and all the mandatory requirements by the RBI to understand the role played by tokens in payment ecosystems
- Onboard a token service provider (TSP) to generate tokens before June 30th, 2022
- Identify the dependency on old, stored card data across the organization and gradually start reducing it
- Implement the flow for obtaining customers’ explicit authorization before their cards are tokenized, so that subsequent transactions run on tokens rather than stored card data
- Organizations can also integrate with a payment gateway (third party TSP) that enables tokenization of cards
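The following is an added illustration of the mechanics described in the "What is Tokenization?" section and of the card-data purge in the checklist above; it is constructed for this article and is not code from SISA, the RBI or any token service provider. It assumes a simplistic in-memory vault (a real TSP's vault, HSM use and token format will differ) and uses a standard test card number rather than a real PAN; `TokenVault`, `migrate_records` and the field names are hypothetical.

```python
import secrets
# Constructed illustration of card-on-file tokenization (CoFT); not code from SISA, the
# RBI or any token service provider. "4111111111111111" is a standard test card number.

def luhn_valid(number: str) -> bool:
    """Mod-10 check that every PAN passes; separates card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2:                                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_valid_pan(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)

class TokenVault:
    """Token service provider (TSP) side: the only place a token maps back to a PAN."""
    def __init__(self):
        self._by_key = {}    # (pan, requestor, device) -> token
        self._by_token = {}  # token -> (pan, requestor, device)
    def tokenize(self, pan: str, requestor: str, device: str) -> str:
        if not is_valid_pan(pan):
            raise ValueError("not a valid PAN")
        key = (pan, requestor, device)
        if key not in self._by_key:      # one token per card + token requestor + device
            while True:
                token = "".join(str(secrets.randbelow(10)) for _ in range(16))
                if token not in self._by_token and token != pan:  # random, unrelated to the PAN
                    break
            self._by_key[key] = token
            self._by_token[token] = key
        return self._by_key[key]
    def detokenize(self, token: str, requestor: str, device: str):
        """Reversal happens only in the vault, and only for the requestor/device it was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry[1:] != (requestor, device):
            return None
        return entry[0]

def migrate_records(records, vault, requestor, device):
    """Purge raw PANs from a merchant's stored records, keeping only a token and the last four digits."""
    migrated = []
    for rec in records:
        pan = rec.get("card", "")
        if is_valid_pan(pan):
            rec = {k: v for k, v in rec.items() if k != "card"}
            rec.update(token=vault.tokenize(pan, requestor, device), last4=pan[-4:])
        migrated.append(rec)
    return migrated
```

After migration a merchant's database holds only tokens and last-four digits, and a token stolen from merchant A cannot be detokenized on behalf of merchant B.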
Future Challenges and Opportunities
As with the adoption of any new technology, tokenization too comes with its own set of challenges. There have always been numerous use cases for card data in the Indian payment ecosystem. Having to eliminate it completely means bringing radical changes across the network. This transition to a new model could result in revenue losses for merchants, may affect the processing of EMIs, recurring payments, refunds, loyalty offers etc., and may present integration and scalability challenges. To make sure organizations can transition smoothly and prevent revenue loss, the RBI provided a breather by extending the implementation timeline.
As the world continues to tackle the increasing pace and complexity of cyberattacks, tokenization can prove to be a comprehensive solution. The decision by the RBI to purge old card data and replace it with tokenization will herald a new beginning in payment security. A comprehensive solution encompassing all three dimensions of customer data protection, standardization and innovation promises a safe and secure future for the digital payments ecosystem. That said, merchants and service providers should continue to monitor the advent of new attack vectors that may pose new threats to tokenization systems.
To learn more about the RBI’s updated guidelines on tokenization and our recommended best practices for implementing it, check out our webinar.