- May 31, 2022
- Posted by: OptimizeIAS Team
- Category: DPN Topics
The Reserve Bank of India has extended the implementation date of card-on-file (CoF) tokenisation norms by six months to June 30, 2022.
In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from January 01, 2022, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage. It applies to domestic, online purchases.
Tokenisation refers to the replacement of actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device.
Example: When you make online payments through your credit card (or debit card), it will be mandatory to enter your card details in full, that is, your card number and CVV, and to authenticate with an OTP. But if you don’t want to go through this hassle each time, you can opt to create a token. The process is called card-on-file tokenisation (CoFT). In case of multiple cards, each will have to be tokenised.
Three steps have to be completed for smooth implementation of tokenisation:
- Token provisioning: the consumer’s card number should be convertible into a token, which means the card networks have to be ready with the relevant infrastructure.
- Token processing: Consumers should be able to complete their transaction successfully through the tokens.
- Scale-up for multiple use cases: Consumers should be able to use the token for things like refunds, EMIs, recurring payments, offers, promotions, guest checkouts etc.
How does it work?
- When you enter the card details to process the payment, the payment gateway will check with you if you want to create a token.
- If yes, it would forward the request to the card network — Visa, MasterCard, Rupay, Amex or Diner’s Club.
- The request is authorised by the issuer bank, upon verification of the user’s credentials.
- The card network issues the token and shares it with the user.
- Every token is unique to the payment gateway or the merchant, card network and the card. Therefore, if you have stored your card details across five merchants — say for ordering food, online shopping, booking movie tickets, OTT platforms and paying for utilities, you have the convenience of generating 5-6 tokens for each app.
- De-tokenisation involves cancelling the token.
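The flow above can be sketched as a toy card-network token service. This is an added illustration, not code from the RBI or any card network; the class, method names and the one-token-per-card-and-merchant rule are assumptions, and the card number is a constructed test value.

```python
import secrets

class TokenService:
    """Toy card-network token vault; all names here are hypothetical."""

    def __init__(self):
        self._by_key = {}    # (card number, requestor) -> token
        self._by_token = {}  # token -> (card number, requestor)

    def provision(self, pan, requestor, consent, afa_verified):
        # A token is only created with explicit consent plus an additional
        # factor of authentication (OTP or PIN) verified by the issuer.
        if not (consent and afa_verified):
            raise PermissionError("explicit consent and OTP/PIN are required")
        key = (pan, requestor)
        if key not in self._by_key:  # assumption: one live token per pair
            # Random value, not derived from the card number, so the token
            # alone reveals nothing about the card.
            token = "tok_" + secrets.token_hex(12)
            self._by_key[key] = token
            self._by_token[token] = key
        return self._by_key[key]

    def resolve(self, token, requestor):
        # Network-side lookup during a payment. The token is bound to the
        # requestor it was issued to, so another merchant cannot use it.
        entry = self._by_token.get(token)
        if entry is None or entry[1] != requestor:
            raise LookupError("token not valid for this requestor")
        return entry[0]

    def cancel(self, token, requestor):
        # Cancelling removes the mapping; the card itself is unaffected.
        pan = self.resolve(token, requestor)
        del self._by_token[token]
        del self._by_key[(pan, requestor)]

if __name__ == "__main__":
    network = TokenService()
    card = "4111111111111111"  # constructed test number, not a real card
    for merchant in ("food-app", "movie-app"):
        # The merchant stores only this token, never the card number.
        print(merchant, network.provision(card, merchant, True, True))
```

A token leaked from one merchant's database is useless at another merchant, because the lookup checks the requestor as well as the token.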
Is it mandatory?
It is not mandatory. A merchant cannot force the user to create a token. It needs explicit consent and an additional factor of authentication like an OTP or PIN to generate a token.
One can set limits for each token, including daily transaction limits. Likewise, one can renew the token just as one would renew the card. Card issuers cannot charge a fee for issuing tokens. However, interest charges, taxes and fees, including the renewal fee applicable on the card, will remain. Tokens can be generated for both credit and debit cards.
Merchants and payment gateways cannot store details of their users’ credit or debit cards. A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.