Reserve Bank of India’s (RBI’s) card-on-file (CoF) tokenisation norms will come into effect from October 1, 2022. According to the RBI, the new tokenisation system will improve the cardholders’ payment experience and also make it safer and more convenient.
The RBI also informed that, after the implementation of the tokenisation norms, the customers’ credit card and debit card details – used in online, point-of-sale, and in-app transactions – will be stored as an ‘encrypted’ token in order to ease the transaction process. The new tokenisation guidelines were scheduled to come into effect from July 1, but the deadline was pushed to September 30.
However, according to news agency PTI report citing sources, most of the large merchants have complied with the RBI’s card-on-file (CoF) tokenisation norms and 19.5 crore tokens have been issued so far.
The RBI last September prohibited merchants from storing customer card details on their servers with effect from January 1, 2022, and mandated the adoption of CoF tokenisation as an alternative to card storage.
What is tokenisation?
Under RBI’s tokenisation initiative, all companies are required to delete cardholders’ all existing information and replace it with a unique ‘token’. Once the policy is implemented, merchants will not be allowed to save one’s card information as, according to the RBI, this will prevent any misuse of cards and make online transactions more secure.
Soumee Bhatt, General Counsel, BankBazaar.com, says, “This means that going forward, instead of saving your card details on a web service – for example, Amazon – you would be saving a unique token. This token would be only for that particular merchant and that particular device. With tokenisation, customers can register or de-register their card for a particular use, i.e., contactless, QR code-based, in-app payments etc.”
The RBI describes tokenisation as “the replacement of actual card details with an alternate code called the ‘token’, which will be unique for a combination of card, token requestor and device.” The ‘requestor’ accepts a request from the customer to tokenise their card and pass it on to the card network to issue a corresponding token.
Benefits of tokenisation
RBI has stated that many entities, including e-commerce, merchant stores, websites and applications – involved in the credit/debit card payment transaction chain save users’ card details.
Interestingly, it should also be mentioned that some merchants even force their customers to store card details before using their services and apps which ultimately increases the risk of users’ sensitive information being stolen.
“Credit card data such as number, CVV and card expiry date is stored on the databases of web services for ease of payments. But this data faces info-security risks. We’ve seen in the past that data stored on some websites have been breached and leaked into the public domain. Once that happens, cards may be fraudulently used, and their owners may suffer financial losses. Hence, the Reserve Bank issued directives that no entity except card issuers or networks will be allowed to store debit or credit card details. Data already stored needs to be erased,” Bhatt added.
According to media reports, many such incidents have occurred in the recent past where users’ credit/debit card data stored by merchants has been compromised/leaked and sometimes even sold on the dark web or similar platforms. This stolen information could be used to carry out frauds.
Is tokenisation mandatory for everyone
According to RBI, credit/debit card users don’t need to use the token system mandatorily. However, if the card user opts to not use the tokenisation system, they will be required to manually enter credit/debit card details every time while conducting a transaction on an e-commerce or merchant website.
In addition to this, as stated by RBI, one will have to create separate tokens for each card they own.
How to create a token for debit, credit cards
Once the new norms are implemented, the cardholder has to go through a one-time registration process for every card, at every online merchant’s website they intend to use the card by entering its details and providing consent to create a token during checkout. A token will be generated for a particular card at a single website.
Steps to generate the tokens:
Go to any e-commerce merchant website or application and start a transaction.
During the check-out, enter the details of the credit/debit card along with additional details.
Secure the card and tokenise it per RBI’s latest guidelines by selecting the ‘secure your card as per RBI guidelines’ or ‘secure your card’ option.
Authorise the token’s creation by using the bank-provided one-time password (OTP) sent to the registered mobile phone or email to complete the transaction.
After creating the token, the data of one’s card will be replaced with the above-mentioned token.
To help one recognise their card while making a transaction, the last four digits of the saved card will be displayed when they revisit the same website or application for any future transaction, representing