Page 50 - BF Cover February 2019

RBI CIRCULAR

[Individuals, HUFs, Proprietorship & Partnership firms, Trusts including Mutual Funds/Exchange Traded Funds registered under SEBI (Mutual Fund) Regulations, Companies, charitable institutions, Central Government, State Government or any other entity owned by Central Government or State Government] can make deposits under the scheme. Joint deposits of two or more eligible depositors are also allowed under the scheme and the deposit in such case shall be credited to the joint deposit account opened in the name of such depositors. The existing rules regarding joint operation of bank deposit accounts including nominations will be applicable to these gold deposits."

2. The Reserve Bank of India Master Direction No.DBR.IBD.No.45/23.67.003/2015-16 dated October 22, 2015 on Gold Monetization Scheme, 2015 has been updated incorporating the above changes.

Chief General Manager

Tokenisation - Card transactions

Continuing the efforts to improve safety and security of card transactions, Reserve Bank of India had permitted card networks for tokenisation in card transactions for a specific use case.

It has now been decided to permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider), subject to the conditions listed in Annex 1. This permission extends to all use cases / channels [e.g., Near Field Communication (NFC) / Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.). For the present, this facility shall be offered through mobile phones / tablets only. Its extension to other devices will be examined later based on experience gained.

All extant instructions of Reserve Bank on safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry shall be applicable for tokenised card transactions also.

All other instructions related to card transactions shall be applicable for tokenised card transactions as well.

The ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks.

No charges should be recovered from the customer for availing this service.

Before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system (including security) audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers. This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and all related instructions of Reserve Bank in respect of system audits shall also be adhered to. A copy of this audit report shall be furnished to the Reserve Bank, with comments of auditors on deviations, if any, from the conditions listed in Annex 1, along with the compliance thereto. Further, a report on the details provided in Annex 2 shall be submitted at monthly intervals to the Chief General Manager, Reserve Bank of India, Department of Payment and Settlement Systems, Central Office, Mumbai and by email.

This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).

Chief General Manager

Customer Protection - Limiting Liability of Customers in Unauthorised Electronic Payment Transactions in Prepaid Payment Instruments (PPIs) issued by Authorised Non-banks

Please refer to paragraph 9 of Statement on Developmental and Regulatory Policies regarding framework for limiting customer liability in respect of unauthorised electronic payment transactions involving PPIs, announced in the Fifth Bi-monthly Monetary Policy Statement for 2018-19 by the Reserve Bank of India (RBI).

2. As you are aware, a framework for 'Risk Management' and 'Customer Protection' has already been laid down in paragraphs 15 and 16 of Master Direction on Issuance and Operation of Prepaid Payment Instruments (PPI MD) issued vide DPSS.CO.PD.No.1164/02.14.006/2017-18 dated October
                                                              vide DPSS.CO.PD.No.1164/02.14.006/2017-18 dated October
            50 | 2019 | FEBRUARY                                                           | BANKING FINANCE