The Reserve Bank of India (RBI) on Friday extended the deadline for card-on-file (CoF) tokenisation by another three months to September 30 as transaction processing based on such tokens is yet to gain traction across categories of merchants.
“…it has been decided to extend the timeline for storing of CoF data by three months, i.e., till September 30, after which such data shall be purged,” said an RBI notification. (CoF refers to card information stored by payment gateways and merchants to process future transactions.)
RBI said the industry should use the extended time to help stakeholders get ready to handle tokenised transactions. The extended timeline should also be used to implement an alternate mechanism to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, which currently involve / require storage of CoF data by entities other than card issuers and card networks.
Under the CoF Tokenisation (CoFT) framework, cardholders can create “tokens” (a unique alternate code) in lieu of card details; these tokens can then be stored by merchants for processing future transactions. Thus, CoFT removes the need to store card details with merchants while giving cardholders the same level of convenience. To create a token under the CoFT framework, the cardholder has to undergo a one-time registration process for each card at every online / e-commerce merchant’s website / mobile application, by entering the card details and giving consent for creating a token. This consent is validated by way of authentication through an Additional Factor of Authentication (AFA). Thereafter, a token is created which is specific to the card and the online / e-commerce merchant, i.e., the token cannot be used for payment at any other merchant. For future transactions performed at the same merchant website / mobile application, the cardholder can identify the card by its last four digits during the checkout process. Thus, the cardholder is not required to remember or enter the token for future transactions. A card can be tokenised at any number of online / e-commerce merchants. For every online / e-commerce merchant where the card is tokenised, a specific token will be created.
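The merchant binding described above can be sketched in a few lines of Python. This is an added illustration, not RBI's or any card network's implementation; the `TokenVault` and `Merchant` classes, their method names, the merchant identifiers and the sample card number are all assumptions made for the example.

```python
import secrets

class TokenVault:
    """Toy token service (hypothetical): one token per (card, merchant) pair."""
    def __init__(self):
        self._by_token = {}  # token -> (pan, merchant_id)
        self._by_pair = {}   # (pan, merchant_id) -> token

    def register(self, pan, merchant_id, afa_verified):
        # Consent must be validated through AFA before a token is issued.
        if not afa_verified:
            raise PermissionError("consent not authenticated via AFA")
        pair = (pan, merchant_id)
        if pair not in self._by_pair:
            token = secrets.token_hex(8)  # random: reveals nothing about the card
            self._by_pair[pair] = token
            self._by_token[token] = pair
        return self._by_pair[pair]

    def resolve(self, token, merchant_id):
        # A token maps back to the card only for the merchant it was issued to.
        pan, owner = self._by_token.get(token, (None, None))
        if owner != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return pan

class Merchant:
    """Stores only the token and the last four digits, never the card number."""
    def __init__(self, merchant_id, vault):
        self.merchant_id, self.vault, self.saved = merchant_id, vault, {}

    def save_card(self, pan, afa_verified):
        token = self.vault.register(pan, self.merchant_id, afa_verified)
        self.saved[pan[-4:]] = token
        return token

    def pay_with_saved(self, last4):
        # The cardholder picks the card by last four digits; the token is sent on.
        return self.vault.resolve(self.saved[last4], self.merchant_id)

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    shop_a, shop_b = Merchant("shop-a", vault), Merchant("shop-b", vault)
    tok_a, tok_b = shop_a.save_card(pan, True), shop_b.save_card(pan, True)
    try:
        vault.resolve(tok_a, "shop-b")  # shop-a's token presented at shop-b
    except PermissionError:
        return tok_a != tok_b, shop_a.pay_with_saved("1111") == pan, True
    return tok_a != tok_b, shop_a.pay_with_saved("1111") == pan, False
```

`demo()` returns three flags: the two merchants hold different tokens for the same card, the saved card still pays at the merchant that registered it, and a token taken from one merchant is rejected at the other.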
The Reserve Bank urged customers to tokenise their card data, saying it was necessary to prevent fraud. RBI said that 1.95 million tokens have been created so far and that tokenisation is voluntary for customers. The banking regulator also clarified that those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction. Cardholders have to tokenise their cards for their own safety, it said.
Given that many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data, the regulator said. The regulator asked payment players to create public awareness about the process of creating tokens and using them to undertake transactions.