Introducing new channels for Card-on-File Tokenisation
The Reserve Bank of India (RBI)
introduced Card-on-File Tokenisation (CoFT) in September 2021, marking a
significant step in enhancing the security and efficiency of electronic
transactions.
The implementation of CoFT began
on October 1, 2022, and its impact has been noteworthy.
To date, more than 56 crore
tokens have been generated, facilitating transactions totaling over ₹5 lakh
crore.
This demonstrates the widespread
adoption and acceptance of tokenisation as a security measure in the digital
payment landscape.
Tokenisation has played a crucial
role in bolstering transaction security, ensuring that sensitive card details
are shielded from potential security breaches.
Additionally, it has contributed
to an improved transaction approval rate, making electronic payments smoother
and more reliable for both consumers and merchants.
Previously, the creation of
Card-on-File (CoF) tokens was primarily the domain of merchants, involving
their applications or webpages.
However, there is now a proposal
to expand the token creation process directly at the issuer bank level.
This proposed measure holds the
promise of greater convenience for cardholders, as they will have the option to
easily create tokens and link them to their existing accounts with various
e-commerce applications.
This step is poised to simplify
and streamline the tokenisation process, ultimately benefiting consumers and
promoting the adoption of secure digital payments.
RBI is set to issue specific
instructions regarding this enhancement, further solidifying its commitment to
advancing the security and accessibility of electronic transactions.
Tokenization is the process of
converting actual card details into a unique token, while de-tokenization
involves converting the token back into the original card details.
Tokenization offers enhanced
security for card transactions because it prevents the sharing of actual card
details with merchants during transaction processing. Instead, a token
representing the card is used, minimizing the risk of sensitive information
exposure.
Customers can initiate
tokenization by requesting it through an app provided by the token requestor.
The request is then sent to the card network, which, with the consent of the
card issuer, generates a corresponding token for that specific card, token
requestor, and device.
Tokenization is permitted on
various consumer devices such as mobile phones, tablets, laptops, wearables,
and IoT devices for different use cases, including contactless card
transactions, payments through QR codes, and app-based payments.
Tokenization and de-tokenization
can be performed by authorized card networks or card issuers. The RBI provides
a list of authorized card networks operating in India.
In tokenized card transactions,
key stakeholders include the merchant, merchant's acquirer, token service
provider, token requestor, issuer, and the customer. However, other entities
may also participate in the transaction.
Card details, tokens, and
relevant information are securely stored by the token service provider,
ensuring the safety of customer data. Token requestors must meet international
safety and security standards.
Tokenization is not mandatory for
customers; they have the choice to decide whether to tokenize their cards.
Customers can also select tokenization for specific use cases like contactless,
QR code-based, or in-app payments.
Registration for tokenization
requires explicit customer consent through Additional Factor of Authentication
(AFA), ensuring customers are fully aware and in control of the process.
Customers can set and modify transaction
limits for tokenized card transactions, allowing them to customize their
security preferences.
Customers can request
tokenization for any number of cards, and they are free to use any of the
registered cards with the token requestor app for transactions.
Additional Reading:
Tokenisation – Card transactions
dt.Jan 08, 2019 @ https://www.rbi.org.in/scripts/FS_Notification.aspx?Id=11449&fn=9&Mode=0
Tokenisation – Card Transactions:
Permitting Card-on-File Tokenisation (CoFT) Services dt.September 07, 2021 @ https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12159&Mode=0
MasterCard Issuer-Initiated
Tokenization @ https://developer.mastercard.com/mdes-pre-digitization/documentation/use_case/issuer-tokenization/
Disclaimer: These views represent
my personal perspective and understanding at the moment. As operating
guidelines evolve and become more defined, my understanding may also evolve.
However, our unwavering commitment remains focused on spreading the Joy of Safe
ePayments.
Diabetes Care Motivator
#DiabetesCareMotivator