RBI Extended Card Tokenization Deadline by Three Months
Bombay:
The Reserve Bank of India (RBI) on Friday extended the card-on-file (CoF) tokenization deadline by three months to September 30, 2022, given various statements received from industry associations.
Card-on-file, or CoF, refers to card information stored by payment gateways and merchants to process future transactions. Tokenization is the process of replacing the actual card details with a unique alternate code called a ‘token’, making transactions more secure.
The RBI has now instructed merchants to implement its tokenization standards by September 30, 2022. This is the third time the central bank has extended the deadline for its implementation.
Industry stakeholders have raised some concerns regarding the implementation of the framework related to guest checkout transactions, the RBI said in a statement.
Also, the number of transactions processed with tokens has yet to gain momentum across all merchant categories.
“These issues are being addressed in consultation with stakeholders, and in order to avoid disruption and inconvenience to cardholders, the Reserve Bank today announced an extension of the said timeline from June 30, 2022, for an additional three months, i.e., until September 30, 2022,” it said.
Under the RBI mandate to improve the security of online transactions, card data stored on the merchant’s website or app had to be deleted by the merchants before June 30, 2022.
About 19.5 crore tokens have been created to date, the statement said.
“Choosing CoFT (i.e. creating tokens) is voluntary for the cardholders. Those who do not want to create a token can proceed with transactions as before by manually entering card details at the time of executing the transaction (commonly referred to as ‘guest checkout transaction’),” it noted.
The basic purpose of tokenization is to increase and improve customer security. With tokenization, the storage of card data is limited.
Currently, many entities involved in an online card transaction chain, including merchants, store card details such as card number, expiration date, etc. (Card-on-File), citing the convenience and comfort of the cardholder for future transactions.
While this practice provides convenience, the availability of card data across multiple entities increases the risk of card data being stolen/misused. There are instances where such data stored by merchants, etc. has been compromised.
Given that many jurisdictions do not mandate an additional factor of authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters could lead to unauthorized transactions and resulting monetary loss to cardholders. Also within India, social engineering techniques can be used to commit fraud using such data, the statement said.
To create a token under the CoF framework, it said, the cardholder must undergo a one-time registration process for each card on each online/e-commerce merchant’s website/mobile application by entering the card details and consenting to create a token.
The consent is validated through authentication via an AFA. After that, a token is created, which is specific to the card and the online/e-commerce merchant. The token cannot be used for payment at another merchant.
For future transactions performed on the same merchant’s website/mobile application, the cardholder can identify the card by its last four digits during the checkout process, the RBI said.
Thus, the cardholder does not need to remember or enter the token for future transactions, and a card can be tokenized at any number of online or e-commerce merchants, it noted.