Formerly limited to merchant applications or websites, individuals can now conveniently tokenise their cards via internet and mobile banking services
RBI has now enabled card-on-file tokenisation through card issuing banks and institutions
The card issuer will need to provide a complete list of merchants for whom it can provide tokenisation services
Inc42 Daily Brief
Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy
The Reserve Bank of India (RBI) has expanded the scope of card tokenisation for both debit and credit cards. Formerly limited to merchant applications or websites, individuals can now tokenise their cards via internet and mobile banking services.
In an effort to make digital payments more secure, safe and sound, RBI has now enabled card-on-file tokenisation (CoFT) through card issuing banks and institutions.
“It has been decided to enable card-on-file tokenisation directly through card-issuing banks/institutions also. This will provide cardholders with an additional choice to tokenise their cards for multiple merchant sites through a single process,” the RBI said in a circular.
The circular further said CoFT generation should be done only on explicit customer consent, and with Additional Factor of Authentication (AFA) validation.
“If the cardholder selects multiple merchants for which to tokenise his/her card, AFA validation may be combined for all these merchants,” the RBI said.
In addition, the card issuer will need to provide a complete list of merchants for whom it can provide tokenisation services.
Currently, the creation of a Card-on-File (CoF) token is exclusively possible through the merchant’s application or webpage. The storage of card details by merchants is referred to as CoF.
Earlier, it was a prevalent practice for merchants to retain card information, and in certain cases, users were often compelled to store their card details on the merchant’s app or webpage before completing a transaction. However, this practice of freely storing such sensitive information posed a significant threat to the security of users’ financial data.
To mitigate the risk of data breaches and leaks, RBI implemented the rule of tokenisation in September 2021. Under this regulation, rather than storing actual card details, a unique token, specially generated for each transaction, is securely saved with the merchant.
Eventually, the RBI rolled out CoFT from Oct 1, 2022. India has issued around 560 Mn card tokens since October last year, following the RBI’s directive to tokenise cards for ecommerce transactions, global payments operator Visa said in its new report.
Note: We at Inc42 take our ethics very seriously. More information about it can be found here.