The Reserve Bank of India’s card-on-file (CoF) tokenisation norms have start in from 1st October, which aim at improve safety and security of card transactions.
From now, for any purchases done online or through mobile apps, merchants, payment aggregators and payment gateways will not be able to save crucial customer credit and debit card details such as three-digit CVV and expiry date.
After multiple extensions, the RBI decide not to give any further relaxation in implementing these norms.
The RBI’s Deputy Governor T Rabi Sankar said that many extensions were given to the system for a comfortable switchover.
T Rabi Sankar said :
“We just want to make sure that the customer’s safety doesn’t get compromise because of problems face in the implementation of tokenisation. The feedback we have from all stakeholders is that it is perfectly ready and the system can go on,”.
Close to 35 crore tokens have already created.
In September only, 40% of transactions, valuing around Rs 63 crore, were done using tokens, T Rabi Sankar said.
What is Tokenisation?
Tokenisation refers to the replacement of actual card details with a unique alternate code call as ‘token’, which shall be unique for a combination of card, token requester, (i.e. the entity which accepts requests from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and the device.
Why did India decide to Carry out Tokenisation?
In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from 1st January, 2022, and mandate the adoption of card-on-file (CoF) tokenisation as an alternative.
The June 2022 deadline was further extend as the RBI felt that although considerable progress had made in terms of token creation and transaction processing base on these tokens had also commence, the concept was yet to gain traction across all categories of merchants.
As, the deadline was extend till 30th September, 2022.
Deputy Governor T Rabi Sankar said that ever since the regulation on tokenisation was issue, the central bank was constantly talking to all stakeholders to ensure that the transition to the tokenisation framework was smooth.
T Rabi Sankar Said :
“There are a few participants who may not be ready, but that would probably be because of their unwillingness to comply. And we don’t believe that we should hold back efforts to ensure customer protection because of such laggards,”.
As these players may take some more time but they will eventually join the framework.
How will Tokenisation Work?
A debit or credit card holder can get the card tokenise by initiating a request on the app provide by the token requester.
The token requester will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requester, and the device.
The customer will not be charge for availing the tokenisation service.
As, the facility for card tokenisation was available only for mobile phones and tablets of interested card holders.
So, with an uptick in tokenisation volume, the RBI decide to extend the scope of tokenisation to include consumer devices, laptops, desktops, wearables (wrist watches, bands, etc.) and Internet of Things (IoT) devices.
Who can offer Tokenisation Services?
Tokenisation can be perform only by the authorise card network and recovery of original Primary Account Number (PAN) should be feasible for the authorise card network only.
Adequate safeguards have to be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network.
RBI has emphasise that the integrity of the token generation process has to be ensure at all times.
Customers benefits from Tokenisation
A tokenise card transaction is consider safer as the actual card details are not share with the merchant during transaction processing.
Actual card data, token and other relevant details are store in a secure mode by the authorise card networks.
The token requestor cannot store Primary Account Number (PAN), or any other card details.
Card networks are also mandate to get the token requester certified for safety and security that conform to international best practices/globally accept standards.
What is the Size of the Industry?
During 2021-22, payment transactions carry out through credit cards increased by 27% to 223.99 crore in volume terms and 54.3% to 9.72 lakh in value terms, as per the RBI’s annual report for 2021-22.
As RBI provides total credit and debit card transaction data in terms of value and volumes, it does not provide separate numbers for online and offline transactions.
However, the number of debit and credit cards in the system can give some idea of the tokenisation industry, experts feel.
Till end July 2022, while the number of credit cards issue stood at around 8 crore, debit cards in the system were 92.81 crore, recent RBI data shows.
