IT Correspondent
Mumbai, Dec 27:
The Reserve Bank of India (RBI) which was planning to implement date of card-on-file (CoF) tokenisation norms from first January 2022, has extended its implementation by six months till June 30, 2022. As such the tokenisation norms will now be brought into effect from first July, 2022.
“In terms of our circular dated March 17,2020 on “Guidelines on Regulation of Payment Aggregators and Payment Gateways”, the authorised non-bank payment aggregators and merchants on-boarded by them were prohibited from storing card data (CoF) from June 30, 2021. At the request of industry stakeholders, this timeline was extended till December 31, 2021. The regulations on CoF Tokenisation (CoFT) were issued vide circular dated September 07, 2021, on “Tokenisation-Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services”.
“In light of various representations received in this regard, we advise that “ the timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022, post this, such data shall be purged and “in addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently involves / requires storage of CoF data by entities other than card issuers and card networks”, RBI General Manager Sudhanshu Prasad stated in a press release dated December 23,2021.
From July, new rules for online payments through debit, credit cards will come into force. So, while shopping on any online platform such as Flipkart, Amazon, Myntra, the user’s 16-digit card number along with the card’s expiry date will not be saved on the website. Instead, the user will have to make the card payment through the process called ‘tokenisation.’
The customers carrying out an online transactions on any e-commerce platform will need to enter their debit or credit card details each time. However, customers can avoid the hassle and choose to provide consent to the platforms to tokenise their cards. Tokenisation helps replace card details with a unique algorithm-generated code, or token, which allows online purchases to go through without exposing card details.
Quick takeaways
Starting July 01, 2022, customers will not be able to save their debit or credit card details on any e-commerce platform. Customers will have to re-enter card details every time they conduct an online transaction. To avoid the repeated hassle, customers can provide their consent to e-commerce companies to “tokenise” their cards. After receiving a customer’s consent, e-commerce platforms will ask the card network to encrypt details with additional factor authentication as needed.
Once the e-commerce platform receives the encrypted details, customers can save that card for future transactions. For now, only Mastercard and Visa-provided cards can be tokenised by most leading e-commerce platforms. It is expected that cards from other financial services should be able to be tokenised soon.
The new guidelines will not be applicable to international transactions. Only domestic cards and transactions fall under the gamut of the new RBI guidelines. Customers won’t need to pay any extra charge for tokenisation of cards. E-commerce platforms will show the last four digits of tokenised cards for customers to easily identify them, along with the issuing bank and card network name.
Tokenisation Vs current online transactions
Online debit/credit card transactions involve information such as the 16-digit card number, the card expiry date, CVV and an OTP or transaction PIN. These details need to be accurately submitted to merchants or companies for successful online card transactions. The merchants and companies will have to delete such information from their database and replace it with tokenisation, which will replace actual card details with a unique alternate code called a token. The token will be unique for each combination of cards.
A card user can get the card tokenised with a merchant or service provider by initiating a request on the app provided by the token requestor. According to RBI, the tokenisation process will help make online card transactions more secure as merchants will not be aware of the actual debit and credit card details of a customer.
Changes
For any online card transaction from July 01, 2022, a cardholder will have to give consent to a particular merchant or company via additional factor authentication for tokenisation. After this, the merchant will send a tokenisation request to the card network. The card network will then create a token, which will act as a replacement or proxy for the 16-digit card number, and send it back to the merchant. This token will be saved by the merchant for future online card transactions.
Following the tokenisation, an individual will need to enter CVV and OTP like before for approval of transactions. It may be noted that the tokenisation process has to be done separately for different merchants. For instance, individuals will have a different token for transactions on Zomato and Netflix.
