Tokenisation Compliances: Need of the hour
Implementation of Tokenisation norms w.e.f. 01 October 2022
The rise in unauthorised access of data and data breaches at an alarming rate has caught the attention of
organisations and authorities. This has led to data security becoming a board level discussion within
organisations. However, the idea was not to cause any operational or regulatory hurdles but to find the
perfect balance between data security and user experience. To combat such issues, in 2019, the Reserve
Bank of India (“RBI”) released a circular permitting card tokenisation by card networks for any token
The Circular titled Restriction on Storage of Actual Card Data [i.e., Card-on-File (CoF)] (“Tokenisation
Circular”) will be notified w.e.f. 01 October 2022. The implementation of tokenisation will not only lead
to cost and operational implications but will also trigger the need for cyber and data protection solutions.
Each merchant is required to employ tokenisation and if not, each customer will need to insert card details
for each transaction they make with such merchants.
The required preparation for all merchants to comply with the requirement seems to still be underway as
tokenisation related infrastructure calls for sophistication and security. A detailed analysis of what is
tokenisation and other related questions is given below.
What is tokenisation?
Tokenisation means masking or substituting sensitive data with unique identification number while retaining
all the essential information about the data. This equivalent unique replacement data is called a token.
Tokenisation is a global practice aimed at preventing disclosure of card details to any entity apart from the
cardholder, card network or issuer. The concept of tokenisation was first introduced in 2005 by
Shift4payments to protect cardholder data.
The implementation of tokenisation is carried out through Additional Factor of Authentication (“AFA”) by
the cardholder. The algorithmically generated token protects sensitive information and prevents card frauds
as it permits transactions without exposing personal information.
How does tokenisation work?
In a traditional transaction i.e., pre-tokenisation, the credit card number is sent to the payment processor and
then stored in the merchant’s internal systems for later reuse.
In a tokenised transaction, as the customer provides their credit card number for any transaction, the same
is sent to a token system or vault instead of the payment processor. The token system or vault replaces the
customer’s sensitive information, i.e., the credit card number, with a custom, randomly created
alphanumeric ID, i.e., a token. After a token has been generated, it is returned to the merchant’s POS
terminal and the payment processor in a safe form to complete the transaction successfully.
With data tokenization, enterprises can safely transmit data across wireless networks. However, for effective
implementation of data tokenization, enterprises must employ a payment gateway to store sensitive data
securely. Credit card information is safely stored and generated by a payment gateway.
What is the need for tokenisation?
The RBI has been at the forefront of regulating various stakeholders in the fintech ecosystem by releasing
working group reports with stakeholder consultation and inculcating a regulatory sandbox for companies.
Given the chain of circulars being released by RBI since 2019, it can be understood that RBI’s intention
with tokenisation is to protect card holder data. With the implementation of tokenisation, card merchants
and other stakeholders involved can move sensitive personal data without the risk of payment fraud or
unauthorised access to data.
What are the necessary compliances required for implementing tokenisation?
- Businesses that accept card payments need to be in compliance with the Payment Card Industry Data
Security Standard (“PCI DSS”), which adds credibility to ensure their customers.
- Card networks are required to get the token requestor certified for (a) token requestor’s systems,
including hardware deployed for this purpose, (b) security of token requestor’s application, (c)
features for ensuring authorised access to token requestor’s app on the identified device, and, (d) other
functions performed by the token requestor, including customer on-boarding, token provisioning and
storage, data storage, transaction processing, etc.
- Card networks are required to get the card issuers / acquirers, their service providers and any other
entity involved in payment transaction chain, certified in respect of changes done for processing
tokenised card transactions by them.
- Registration of card on token requestor’s app shall be done only with explicit customer consent
through AFA, and not by way of a forced / default / automatic selection of check box, radio button,
- Secure storage of tokens and associated keys by token requestor on successful registration of card
shall be ensured.
- Card issuers shall ensure easy access to customers for reporting loss of “identified device” or any
other such event which may expose tokens to unauthorised usage. Card network, along with card
issuers and token requestors, shall put in place a system to immediately de-activate such tokens and
- Dispute resolution process shall be put in place by card network for tokenised card transactions.
- Card network shall ensure monitoring to detect any malfunction, anomaly, suspicious behaviour or
the presence of unauthorized activity within the tokenisation process and implement a process to alert
Data privacy requirements for tokenisation
RBI has prescribed specific data privacy requirements for all card merchants, card issuers and other
stakeholders involved. It is required that before providing card tokenisation services, authorised card
payment networks shall put in place a mechanism for periodic system (including security) audit at frequent
intervals, at least annually, of all entities involved in providing card tokenisation services to customers. This
system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team
(“CERT-In”) and all related instructions of Reserve Bank in respect of system audits shall also be adhered
Since the law on data protection in India still remains to see the light of the day, the RBI’s tokenisation
measures for data security is an essential move to safeguard sensitive data of consumers. Across the globe,
the regulatory environment surrounding data privacy and protection is becoming stricter than ever. Despite
India not having a data protection legislation, it is necessary for organisation to be mindful of the
consequences of any data breach or compromise. Non-compliance with data protection laws could lead to
high penalties, litigation, and brand damage.