Issuance of Tokenization Regulations in Egypt to enhance ‘cashless society’ goals

The Central Bank of Egypt (“CBE”) issued on 8 March 2023 regulations for Payment Cards Tokenization on Electronic Devices’ Applications (the “Tokenization Regulations”) which come as key step in achieving Egypt’s vision for financial inclusion and more heightened cash-free society.

The Tokenization Regulations are intended to capsulize the infrastructure requirements for banks and tokenization service providers to avail and implement card tokenization services. Said Regulations are further intended to enhance the digital payments’ eco system by availing and maximizing access to banking services.

What is Card Tokenization?

In a nutshell, tokenization is a process of substituting the actual card details (and thus the sensitive payment credentials of the cardholder) with a unique randomly generated code, being the ‘token’.  The tokenization encourages public use of digital payment methods given that the token is uploaded on the electronic device as part of the virtual profile of the cardholder and the payment transaction would be then initiated by a near field communication (NFC) device or other relevant channel. In this case, the token (when verified) represents and replaces the payment card.

To that end, the Tokenization Regulations mandate that all ‘acquirer banks’ (being banks authorized by the CBE to provide payment acceptance and settlement services) to activate the NFC tool on all its points of sale (POS).

Scope of the Tokenization Regulations

The Tokenization Regulations apply to all banking institutions licensed as such and operating in Egypt as well as the tokenization service providers (“TSPs”) that are licensed by the CBE. The Regulations also govern the provision of card tokenization related services.

The Tokenization Regulations set forth the minimum standards and requirements that banks and TSPs should observe while availing the tokenization infrastructure and payment systems.

Salient issues under the Tokenization Regulations

• The Egyptian Banks Company (EBC), being the domestic operator of payments infrastructure that is affiliated to the CBE, is mandated to act as the sole provider of the Unified Issuer TSP Interface that links between the issuer banks and payment acceptance networks.
• Payment service providers (PSPs) or electronics manufacturers such as Apple Pay, Google Pay and Samsung Pay may avail applications for tokenization of cards issued by banks. Those applications would take the form of ‘mobile wallets’ and which referenced under the Regulations as Host Card Emulation Wallets and original electronic manufacturer wallet. The approval of the CBE should be obtained for such PSPs or electronic manufacturers through the issuer bank that wishes to activate the tokenization service through its online banking application. The PSPs and electronic manufacturers would be required to conclude a contract with all networks and card issuer banks participating in the tokenization system.
• Each card issuer bank must obtain a separate license from the CBE to avail payment via card tokenization applications with respect to those cards issued by such bank. Such CBE license should be obtained for each application separately whether such application is owned to the bank (i.e. online banking application) or the electronic manufacturer (i.e. Apple Pay, Google Pay and/or Samsung Pay).
• Entities requesting tokenization of cards (i.e. Token Requestors) are required to conclude an agreement with the national payment scheme “Meeza” to be able to issue an auxiliary token for all international cards.
• Participating banks and TSPs are required to observe certain operation parameters that guarantees strict confidentiality and security of payment cards’ and cardholders’ data. To that end, participating banks and TSPs should deploy relevant encryption technologies that ensure proper protection of data.
• Data storage on the internal memory of mobile phones or such other electronic devices utilization to the tokenization applications should be generally limited.

Licensing Procedures

Issuer banks wishing to obtain licenses to offer Card Tokenization services to its customers must file a licensing request to the Banking Affairs Department of the CBE. The license request should be submitted in pertinence with each application through which the bank would avail payment via the tokenization service.

The competent department of the CBE should be furnished with, among other requirements, the following:

• Information on the infrastructure system to be deployed.
• Necessary technology and cybersecurity measures to secure the infrastructure, systems, applications and data.
• An action plan with respect to the technical connection with the Egyptian Banks Company as well as companies having acceptance mark.
• Data related to the application of the token requestor, if any, for cards issued by the bank.
• Role of the bank and entities authorized to request tokenization of cards issued by the bank.
• Data related to the management systems of the electronic card tokenization applications (Wallet Management Server), if any.
• Submit a three years’ business plan which contains the following:
  • Number of customers and cards to whom the service is targeted.
  • Number and value of annual transactions intended to be executed using the cards that have been tokenized.
  • A comprehensive marketing plan that creates awareness with respect to the tokenization service and its activation provided that the plan should contain the allocated budget as approved.

How can we help?

For more information regarding the Tokenization Regulations, please contact Zeinab Shohdy.