On Friday, the Reserve Bank of India (RBI) extended the card-on-file (CoF) tokenization deadline by three months to September 30, given various representations received from industry bodies. Card-on-file, or CoF, refers to card information stored by payment gateway and merchants to process future transactions. Tokenization replaces actual card details with a unique alternate code called ‘Token’, thereby enabling more secure transactions.
The RBI now directed the merchants to implement its tokenization norms by September 30. This is the third time the central bank has extended its implementation deadline.
The industry stakeholders have highlighted some issues related to the implementation of the framework in respect of guest checkout transactions, the RBI said in a statement.
Also, manynsactions processed using tokens are yare to gain traction across all categories of merchants.
“These issues are being dealt with in consultation with the stakeholders, and to avoid disruption and inconvenience to cardholders, the Reserve Bank has today announced an extension of the said timeline of June 30 by three more months, i.e., to September 30,” it said.
As per the RBI mandate to enhance the security of online transactions, card details saved on the merchant website/app were to be deleted by the merchants by June 30.
To date, about 19.5 crore tokens have been created, the statement said.
“Opting for CoFT (i.e., creating tokens) is voluntary for the cardholders. Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction (commonly referred to as ‘guest checkout transaction’),” it noted.
The basic purpose of tokenization is to increase and improve customer safety. With tokenization, storage of card details is limited.
Currently, many entities, including merchants, involved in an online card transaction chain store card data like card number, and expiry date (Card-on-File), citing cardholder convenience and comfort for undertaking transactions in the future.
While this practice does render convenience, the availability of card details with multiple entities increases the risk of card data being stolen/misused. There are instances where such data stored by merchants have been compromised.
Given that many jurisdictions do not mandate an additional factor of authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorized transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data, the statement said.
To create a token under the CoF framework, the cardholder has to undergo a one-time registration process for each card at every online/e-commerce merchant’s website/mobile application by entering the card details and giving consent for creating a token.
The consent is validated by way of authentication through an AFA. A token is created thereafter, specific to the card and online/e-commerce merchant. The ticket cannot be used for payment at any other merchant.
The RBI said that for future transactions performed at the same merchant website/mobile application, the cardholder could identify the card with the last four digits during the checkout process.
Thus, the cardholder is not required to remember or enter the token for future transactions, and a card can be tokenized at any number of online or e-commerce merchants, it noted.
This extension of three months by the RBI will provide breathing space for all parties involved to comply with the tokenization norms, and will surely help in a smoother transition, said Vishwas Patel, Executive Director, Infibeam Avenues Ltd and Chairman, Payment Council of India (PCI).
