Egypt – New Tokenization Regulations to allow contactless payments through smart phone
The Central Bank of Egypt (“CBE”) issued new regulations on 8 March 2023 to introduce “Tokenization” services and allow contactless payments through smartphones (the “Regulations”).
Tokenization is a process of substituting the actual card details (including the consumers’ sensitive card information) with a unique randomly generated code (which is the “token”), resulting in the registration of payment cards on smart phone applications and the use of them to complete payments at electronic points of sale or make online purchases in a secure manner.
This means that consumers can register payment cards to their smartphone to be able to make contactless and online payments through various applications, including Apple Pay, Google Pay, Samsung Pay.
The Regulations set the regulatory and licensing requirements on banks and non-bank entities providing tokenization services for payment cards, including the Token Service Providers (“TSP”).
The CBE will be the service provider for the Unified Issuer TSP Interface connecting Issuer Banks and Approved Networks for the purpose of managing the provision of tokens for all payment cards issued in Egypt.
An Issuer Bank is required to obtain a license from the CBE for each application on which the card will be enabled to make payments. The Regulations lay out the process issuing banks should follow to obtain the CBE licenses.
The Issuer Bank is responsible, amongst other things, for the following:
- Making available the tokenization services to all approved networks.
- Undertaking all appliable Know Your Customer (“KYC”) checks and verifying the data of the Electronic Payment Methods held by its clients.
- Setting maximum limits for the number and value (daily and monthly) of transactions that may be completed using a single Token within the limits mandated by the CBE.
An Acquirer Bank is the bank authorized to provide electronic acceptance services for transactions completed utilizing different payment methods and to settle transactions. An Acquirer Bank is required to ensure that:
- Points of Sale (“PoS”) are compatible with all Token acceptance methods including near field communications (“NFC”).
- Sufficient training is provided to the bank’s employees on the various contactless payment methods.
- Procedures are implemented to avoid incorrect duplication of transactions on a merchant’s PoS.
Token Requester, which are the entities requesting tokenization of for payment cards, are required to enter into an agreement with the national payment scheme “Meeza” in order to issue an auxiliary token when using an offshore card.
Manufacturers of mobile devices or payment service providers, such as Apple Pay, Google Pay and Samsung Pay, are required to obtain a license from the CBE to become authorized to provide Original Equipment Manufacturer and Host Card Emulation Wallets through their own applications (using the cards issued by banks regulated in Egypt). Banks and TSPs are required to comply with strict confidentiality and security measures and use relevant encryption technologies to protect payment cards’ and cardholders’ data.
For more information about the Regulations, please contact Dr. Fatma Salah.