Come September 30, 2022 and as per the Reserve Bank of India’s (RBI) guidelines, all your existing card information saved on merchant platforms (e-commerce portals) will be deleted, and online purchases will have to be made through Card-on-File (CoF) tokenisation or by keying in card details during checkout for every purchase. As part of this initiative, merchants and payment aggregators are required to delete all card details and replace them with tokens.

Currently, many entities, including merchants, involved in an online card transaction chain store card data like card number, expiry date, etc [Card-on-File (CoF)] citing cardholder convenience and comfort for undertaking transactions in the future.
While this practice does render convenience, availability of card details with multiple entities increases the risk of card data being stolen/misused. There have been instances where such data stored by merchants, etc, have been compromised.

Given the fact that many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. 

Tokenisation is the process of masking actual card details with a randomly generated ‘token’ or code using algorithms. The token can then be used for various transactions. In a transaction without tokenisation, the card information is shared among the issuer, card network, acquirer, merchant, and third parties, if any. However, in a tokenised transaction, not all stakeholders across the payment value chain are privy to sensitive information such as the card number and expiry date. As a result, a tokenised transaction becomes highly secure since it minimises the risks to customers in case of data leaks anywhere in the value chain. Tokens from one merchant cannot be used at another merchant and hence has no value to hackers even if there’s a databreach.

In India, the RBI’s guidelines allow only authorised card networks and issuers to tokenise payment credentials and store the tokens. The predominant tokenisation is called network tokenisation, and it involves card networks generating a unique token in partnership with issuers. The tokens are specific to a single merchant or device. Sensitive card information data is confined to the issuer and card network. The acquirer, merchant, and any other third party can only view the token. In network tokens, real-time updates eliminate the problem of expired cards or invalid accounts.

As the RBI’s deadline looms, key players in the payment ecosystem, such as card networks, have already laid the foundation for the adoption of tokenisation.

Accordingly, a framework for CoF Tokenisation (CoFT) services was also issued by RBI. Under this framework, cardholders can create “tokens” (a unique alternate code) in lieu of card details; which can then be stored by the merchants for processing transactions in future.

Thus, CoFT obviates the need to store card details with merchants and provides the same level of convenience to cardholders.

How to create token?

To create a token under the CoFT framework, the cardholder has to undergo a one-time registration process for each card at every online / e-commerce merchant’s website / mobile application, by entering the card details and giving consent for creating a token. This consent is validated by way of authentication through an AFA. Thereafter, a token is created which is specific to the card and online / e-commerce merchant, i.e., the token cannot be used for payment at any other merchant.

For future transactions performed at the same merchant website / mobile application, the cardholder can identify the card with the last four digits during the checkout process. Thus, the cardholder is not required to remember or enter the token for future transactions.

A card can be tokenised at any number of online / e-commerce merchants. For every online / e-commerce merchant where the card is tokenised, a specific token will be created.

As per the RBI, till date, about 19.5 crore tokens have been created. Opting for CoFT (i.e., creating tokens) is voluntary for the cardholders. Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transaction”).

We hope your curiosity around tokenization is satiated now.
Want to earn knowledge and a badge of honour, to showcase the validation – head to Grazing Minds and check out some cool programs on offer.
You can also follow our LinkedIn page and be updated with the latest in-trend news around finance!!