RBI Extends Deadline to Comply With Card Tokenisation Norms Till September 30

The Reserve Bank of India (RBI) on Friday extended the card-on-file (CoF) tokenisation deadline by three months to September 30, in view of various representations received from industry bodies. Card-on-file, or CoF, refers to card information stored by payment gateway and merchants to process future transactions. Tokenisation is the process of replacing actual card details with a unique alternate code called 'Token' — thereby enabling more secure transactions.

The RBI now directed the merchants to implement its tokenisation norms by September 30. This is the third time that the central bank has extended the deadline of its implementation.

The industry stakeholders have highlighted some issues related to the implementation of the framework in respect of guest checkout transactions, the RBI said in a statement.

Also, a number of transactions processed using tokens is yet to gain traction across all categories of merchants.

"These issues are being dealt with in consultation with the stakeholders, and to avoid disruption and inconvenience to cardholders, the Reserve Bank has today announced an extension of the said timeline of June 30, by three more months, i.e., to September 30," it said.

As per the RBI mandate to enhance the security of online transactions, card details saved on the merchant website/app were to be deleted by the merchants by June 30.

To date, about 19.5 crore tokens have been created, the statement said.

"Opting for CoFT (i.e. creating tokens) is voluntary for the cardholders. Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction (commonly referred to as 'guest checkout transaction')," it noted.

The basic purpose of tokenisation is to increase and improve customer safety. With tokenisation, storage of card details is limited.

Currently, many entities, including merchants, involved in an online card transaction chain store card data like card number, expiry date, (Card-on-File) citing cardholder convenience and comfort for undertaking transactions in future.

While this practice does render convenience, the availability of card details with multiple entities increases the risk of card data being stolen/misused. There are instances where such data stored by merchants, have been compromised.

Given the fact that many jurisdictions do not mandate an additional factor of authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data, the statement said.

To create a token under the CoF framework, it said, the cardholder has to undergo a one-time registration process for each card at every online/e-commerce merchant's website/mobile application by entering the card details and giving consent for creating a token.

The consent is validated by way of authentication through an AFA. Thereafter, a token is created, which is specific to the card and online/e-commerce merchant. The token cannot be used for payment at any other merchant.

For future transactions performed at the same merchant website/mobile application, the cardholder can identify the card with the last four digits during the checkout process, the RBI said.

Thus, the cardholder is not required to remember or enter the token for future transactions and a card can be tokenised at any number of online or e-commerce merchants, it noted.

This extension of three months by the RBI will provide breathing space for all parties involved to comply with the tokenisation norms and it will surely help in a smoother transition, said Vishwas Patel, Executive Director, Infibeam Avenues Ltd and Chairman, Payment Council of India (PCI).