RBI extends deadline for card tokenisation till 30 Sept
Premium- Currently, many entities, including merchants, involved in an online card transaction chain store card data like card number, expiry date, etc. Card-on-File (CoF) citing cardholder convenience and comfort for undertaking transactions in future.
The Reserve Bank of India (RBI) on Friday extended the timeline for tokenisation of debit and credit cards by another three months till September 30, 2022. The decision was made in consultation with the stakeholders and to avoid disruption and inconvenience to cardholders. Earlier the due date for card tokenisation was set on June 30, 2022.
In a statement, RBI said this extended time period may be utilised by the industry for, (a) facilitating all stakeholders to be ready for handling tokenised transactions; (b) processing transactions based on tokens; (c) implementing an alternate mechanism(s) to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve /require storage of CoF data by entities other than card issuers and card networks; and (d) creating public awareness about the process of creating tokens and using them to undertake transactions.
At present, many entities including merchants, involved in an online card transaction chain store card data like card number, expiry date, etc. citing cardholder convenience and comfort for undertaking transactions in the future.
Although, this practice does bring in convenience and availability of card details with multiple entities, however, it is also a risker as card data can be misused or stolen.
There have been occasions where card data stored by merchants or other entities have been comprised.
According to RBI, given the fact that many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data.
Thereby, last year in December, RBI mandated entities other than card networks and card issuers to not store debit or credit card data with them.
Further, RBI also issued a framework for CoF Tokenisation (CoFT) services.
Under the framework, RBI directs cardholders can create “tokens" (a unique alternate code) in lieu of card details; these tokens can then be stored by the merchants for processing transactions in the future.
Thereby, CoFT obviates the need to store card details with merchants and provides the same level of convenience to cardholders.
Data from RBI showed that to date, about 19.5 crore tokens have been created. It needs to be noted that opting for CoFT (i.e., creating tokens) is voluntary for the cardholders.
Hence, those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transaction").
RBI encourages cardholders to tokenise their cards for their safety. It said, "Cardholders’ payment experience will be enhanced through an added layer of security by way of tokenisation."
For creating a token under the CoFT framework, as per RBI:
- The cardholder has to undergo a one-time registration process for each card at every online / e-commerce merchant’s website/mobile application, by entering the card details and giving consent for creating a token.
- This consent is validated by way of authentication through an AFA.
- Thereafter, a token is created which is specific to the card and online/e-commerce merchant, i.e., the token cannot be used for payment at any other merchant.
- For future transactions performed at the same merchant website/mobile application, the cardholder can identify the card with the last four digits during the checkout process.
Thus, the cardholder is not required to remember or enter the token for future transactions. A card can be tokenised at any number of online/e-commerce merchants. For every online/e-commerce merchant where the card is tokenised, a specific token will be created.
