Introduction

RBI allows issuing banks to tokenize cards with multiple merchants through their through mobile banking and internet banking channels (RBI Circular: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12573&Mode=0).

Issuers can combine a single consent and AFA for multiple merchants to create tokens against each merchant.

Customers can add details for their card onto the online platform either when they make a purchase for the first time or with a new card. To reduce this friction of manual entry  of card details, this framework supports the auto discovery of customer cardholder details (token).

This will remove the need for cardholders to enter card details on the merchant app, thereby reducing friction. Card holder will give explicit permission to seed a token onto the selected merchant  and reference to the card instrument i.e. token will be generated.

Token will be stored against the customer_id with token vault (against merchant) and merchants can request the token seeded above while processing the transaction.

To comply with the regulatory requirements, JUSPAY does not store any card number and during transaction after the customer selects tokenized card ( masked with last 4 digits), they will be required to verify their card  with OTP based authentication (like a normal 3DS transaction).

Product Suite contains 2 APIs :

• Get Merchant Matrix: Present list of merchants to cardholder to save their card

• Initiate Token Request : Tokenize the card for selected merchants as consented by card holder

Salient points

• Card numbers not stored on Merchant/PA/PG/TSP

• Token is not stored without explicit permission from the cardholders

• 2FA is still required for completion of transaction