This is an archive article published on June 24, 2022

To avoid ‘disruption’, RBI extends card tokenisation deadline by 3 months

Card-on-file, or CoF, refers to card information stored by payment gateways and merchants to process future transactions.

The earlier deadline was expiring on June 30, 2022. (File)

The Reserve Bank of India (RBI) on Friday extended the timeline for tokenisation of debit and credit cards by three months till September 30, 2022 “to avoid disruption and inconvenience to cardholders”.

After September 30, no entity in the card transaction or payment chain, other than the card issuers and card networks, should store the CoF (Card-on-File data or storage of actual card data) and any such data stored previously will be purged, it said. The central bank had earlier fixed the due date for card tokenisation on June 30, 2022.

“On a review of the issues involved and after detailed discussions with all stakeholders, it is observed that considerable progress has been made in terms of token creation. Transaction processing based on these tokens has also commenced, though it is yet to gain traction across all categories of merchants,” the RBI said in a circular to payment system providers.

“Further, an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as ‘guest checkout transactions’) has not been implemented by the industry stakeholders, so far,” the RBI said.

Currently, many entities, including merchants, involved in an online card transaction chain store card data like card number and expiry date — Card-on-File (CoF) — citing cardholder convenience and comfort for undertaking transactions in future. While this practice does render convenience, availability of card details with multiple entities increases the risk of card data being stolen or misused, the RBI said.

“There have been instances where such data stored by merchants have been compromised. Given the fact that many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders,” the RBI said. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data.

As of now, about 19.5 crore tokens have been created. Opting for CoFT (creating tokens) is voluntary for the cardholders.

According to the RBI, the industry stakeholders have highlighted some issues related to implementation of the framework in respect of guest checkout transactions. Also, the number of transactions processed using tokens is yet to gain traction across all categories of merchants. These issues are being dealt with in consultation with the stakeholders, the RBI said.

The RBI had earlier mandated that after December 31, 2021, entities other than card networks and card issuers cannot store card data. This timeline was subsequently extended to June 30, 2022. A framework for CoF Tokenisation (CoFT) services was also issued.

Under this framework, cardholders can create “tokens” (a unique alternate code) in lieu of card details. These tokens can then be stored by the merchants for processing transactions in future. “Thus, CoFT obviates the need to store card details with merchants and provides the same level of convenience to cardholders,” the RBI said.

To create a token under the CoFT framework, the cardholder has to undergo a one-time registration process for each card at every online or e-commerce merchant’s website or mobile application, by entering the card details and giving consent for creating a token. This consent is validated by way of authentication through an AFA. Thereafter, a token is created which is specific to the card and online or e-commerce merchant — the token cannot be used for payment at any other merchant, the RBI said.

For future transactions performed at the same merchant website or mobile application, the cardholder can identify the card with the last four digits during the checkout process. Thus, the cardholder is not required to remember or enter the token for future transactions. A card can be tokenised at any number of online or e-commerce merchants. For every online and e-commerce merchant where the card is tokenised, a specific token will be created, the RBI said.

“The Reserve Bank encourages cardholders to tokenise their cards for their own safety. Cardholders’ payment experience will be enhanced through an added layer of security by way of tokenisation,” the central bank said.

According to the RBI, this extended time period may be utilised by the industry for facilitating all stakeholders to be ready for handling tokenised transactions and processing transactions based on tokens. The industry should implement an alternate mechanism to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve storage of CoF data by entities other than card issuers and card networks.
