
RBI enables Card-on-file tokenisation directly at issuer bank level

Tokens can be used for online transactions, mobile point-of-sale transactions or in-app transactions

Mumbai: The Reserve Bank of India (RBI) has enabled card-on-file tokenisation (CoFT) through card-issuing banks or institutions, giving cardholders an additional choice to tokenise their cards for multiple merchant sites through a single process. So far, card tokenisation services were provided by card issuers and card networks at merchant websites or at the time of purchase.

Tokenisation is the process of replacing the 16-digit number on the plastic card with a unique alternate card number, or ‘token’, which shall be unique for a combination of card, token requestor and device. The token hides the true details of your card, so that if a data leak happens at the merchant website, the hacker cannot misuse the card.

Tokens can be used for online transactions, mobile point-of-sale transactions or in-app transactions. The token contains no personal information that can be directly accessed and keeps changing, making it the most secure method to complete payments.

The central bank had Generation of CoF tokens for a card, through the card issuer or card network, can now be enabled through mobile banking and internet banking channels.

“CoFT generation shall be done only on explicit customer consent, and with additional factor authentication validation (AFA). If the cardholder selects multiple merchants for which to tokenise his/her card, AFA validation may be combined for all these merchants,” said the RBI.

The tokens thus generated shall be made available on the merchant’s payment page, in the cardholder’s account with the merchant. The cardholder may tokenise the card at any time of his convenience, either on receipt of the new card or later.

Card issuers will need to provide a complete list of merchants for whom they can provide tokenisation services, and cardholders will select the merchants where they want to maintain tokens. The tokens thus generated will need to be made available on the merchant’s payment page, in the cardholder’s account with the merchant.

“The card token so issued may be either by the card network or the issuer or both,” said the RBI.

“CoFT process poses minimal challenges for issuer banks, as most of them can leverage the existing unified payment framework for token creation. CoF Tokenization, in particular, adds an extra layer of protection to card credentials, making it essential for every cardholder to utilize this feature to safeguard their data, which would otherwise be vulnerable during card transactions,” said Rahul Jain, chief financial officer of NTT Data Payment Services India.

(Source: Deccan Chronicle.)