The RBI on Tuesday extended device-based tokenisation to card-on-file tokenisation (CoFT) services, a move that will bar merchants from storing actual card data.
Tokenisation is the process of replacing the sensitive details of a debit, credit or prepaid card (such as the card number) with an alternate code. The surrogate value that stands in for the actual card details is called a token.
The Reserve Bank of India, in its notification dated January 8, 2019, permitted authorised card networks to offer tokenised card transaction services. Initially limited to mobile phones and tablets, the facility was subsequently extended to laptops, desktops, wearables (wristwatches, bands, etc.), Internet of Things (IoT) devices, etc. The details of card tokenisation are explained in our previous post:
“What is tokenised card transaction?”
Card-on-file (CoF) refers to card information stored by payment gateways and merchants to process future transactions. While extending the device-based tokenisation framework to CoFT services, the central bank said that card issuers have also been permitted to offer card tokenisation services as token service providers (TSPs). In March 2020 the RBI had stipulated that authorised payment aggregators and the merchants onboarded by them should not store actual card data, with a view to minimising the points of vulnerability in the system. Tokenisation of card data, however, shall be done only with explicit customer consent requiring an additional factor of authentication (AFA), the central bank said.
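To make the mechanism concrete, here is an added, self-contained illustration (not RBI, network or merchant code) of what a token service provider's vault does for card-on-file: the real card number (PAN) is kept only in the vault, the merchant receives a random surrogate token plus the last four digits, tokenisation is refused unless the caller reports that consent backed by AFA was verified, and detokenisation only works for the merchant the token was issued to. The merchant-scoping of tokens, the retention of the last four digits, the Luhn-valid 16-digit token format and every class, function and parameter name below are assumptions made for the example, not details stated on this page.

```python
"""Toy card-on-file tokenisation vault (constructed example, not RBI or any
network's reference code). The PAN lives only in the vault; merchants keep a
surrogate token, the last four digits and the expiry."""
import secrets

DIGITS = "0123456789"


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a numeric payload (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit is doubled first
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Basic structural check a merchant would run on a card number."""
    return (number.isdigit() and 12 <= len(number) <= 19
            and luhn_check_digit(number[:-1]) == number[-1])


class TokenVault:
    """Hypothetical token service provider (TSP) vault.

    Assumption: a token is unique per (card, merchant), so a token leaked
    from one merchant's database cannot be replayed at another merchant."""

    def __init__(self) -> None:
        self._by_token: dict[str, tuple[str, str, str]] = {}  # token -> (pan, expiry, merchant)
        self._by_card: dict[tuple[str, str], str] = {}         # (pan, merchant) -> token

    def _new_token(self, pan: str) -> str:
        # Random 16-digit surrogate with a valid Luhn digit so merchant input
        # validation accepts it. It is random, not derived from the PAN, so
        # nothing about the card can be recovered from the token itself.
        while True:
            payload = "".join(secrets.choice(DIGITS) for _ in range(15))
            token = payload + luhn_check_digit(payload)
            if token != pan and token not in self._by_token:
                return token

    def tokenise(self, pan: str, expiry: str, merchant_id: str,
                 *, consent_with_afa: bool) -> dict:
        """Issue (or reuse) the merchant-scoped token for this card.

        Tokenisation requires explicit customer consent with an additional
        factor of authentication; the caller passes the outcome of that
        verification (assumed to have happened upstream)."""
        if not consent_with_afa:
            raise PermissionError("explicit customer consent with AFA required")
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        key = (pan, merchant_id)
        token = self._by_card.get(key)
        if token is None:
            token = self._new_token(pan)
            self._by_token[token] = (pan, expiry, merchant_id)
            self._by_card[key] = token
        # Everything the merchant is allowed to store: token, last4, expiry.
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def detokenise(self, token: str, merchant_id: str) -> str:
        """Map a token back to the PAN for authorisation, but only for the
        merchant it was issued to. This path belongs to the network/issuer
        side; merchants never call it."""
        entry = self._by_token.get(token)
        if entry is None or entry[2] != merchant_id:
            raise PermissionError("token unknown or not issued to this merchant")
        return entry[0]


def stores_pan(merchant_records: list, pan: str) -> bool:
    """Audit helper: does any merchant-side record still contain the real PAN?"""
    return any(pan in str(v) for rec in merchant_records for v in rec.values())


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    rec_a = vault.tokenise(pan, "12/27", "merchant-A", consent_with_afa=True)
    rec_b = vault.tokenise(pan, "12/27", "merchant-B", consent_with_afa=True)
    print("merchant A keeps:", rec_a)
    print("same card at merchant B gets a different token:", rec_a["token"] != rec_b["token"])
    print("merchant records contain the PAN:", stores_pan([rec_a, rec_b], pan))
    try:
        vault.detokenise(rec_a["token"], "merchant-B")
    except PermissionError as err:
        print("A's token presented as merchant B:", err)
```

The two properties worth taking from the example are that the token is random rather than a hash of the PAN (a hash of a 16-digit number with a known BIN is cheaply brute-forced), and that detokenisation is keyed to the merchant, so a dump of one merchant's stored tokens gives an attacker neither card numbers nor something usable elsewhere.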
“Some merchants force their customers into storing card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants has been compromised/leaked,” RBI said.
Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions, the RBI said. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques, it added.
RBI said that CoFT, while improving customer data security, will offer customers the same degree of convenience as now.
“Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement,” it said.