The Reserve Bank of India (RBI) stated on Friday that the implementation date for card data storage and tokenization will now be September 30, 2022.
The debit and credit card tokenization was originally given till June 30 by the RBI. Merchants and payment aggregators are expected to replace all card information with tokens as part of this program.
The industry’s key players have called attention to a few problems with the framework’s application to guest checkout transactions. The RBI stated in a statement that the volume of transactions handled using tokens has yet to take off across all categories of merchants.
The Reserve Bank today announced an extension of the said deadline of June 30, 2022, by three more months, i.e., to September 30, 2022, the central bank said. The issues are being dealt with in consultation with the stakeholders, and to avoid disruption and inconvenience to cardholders, the Reserve Bank has today announced.
The RBI states that the industry may use this extra time to (a) prepare all stakeholders to handle tokenized transactions; (b) process tokenized transactions, and (c) implement alternative mechanisms to handle all post-transaction activities (including chargeback handling and settlement) associated with guest checkout transactions that currently involve or call for the storage of CoF data by entities other than card issuers.
Many organizations, including merchants, now save card information, such as card numbers, expiration dates, etc. [Card-on-File (CoF)] to make future transactions easier and more comfortable for cardholders.
While this technique does offer convenience, the risk of card data being stolen or abused rises because the card information is available to various businesses. Such information, maintained by businesses, etc., has occasionally been compromised.
Since many jurisdictions do not require an Additional Factor of Authentication (AFA) for verifying card transactions, stolen data in the hands of criminals may result in unauthorized transactions and subsequent financial loss to cardholders.
The RBI warned in the statement that social engineering methods could be used within India as well to commit fraud utilizing such data.
According to a Reserve Bank regulation, after December 31, 2021, only card networks and card issuers will be permitted to hold card data. Later, this deadline was raised to June 30, 2022.
A framework for CoF Tokenization (CoFT) services was also released. Following this structure, cardholders can create “tokens” (a distinctive alternate code) in place of card information, and merchants can keep these tokens for use in processing transactions in the future. Therefore, CoFT eliminates the requirement for retailers to maintain card information and offers cardholders the same level of convenience.
The cardholder must complete a one-time registration process for each card at every website or mobile application of an online or e-commerce merchant to create a token under the CoFT framework. During this process, they must enter their card information and grant permission for the creation of a token.
Through authentication using an AFA, this consent is verified. After that, a token is generated that can only be used to make payments at the internet or e-commerce store that accepts the card.
The cardholder can identify the card using the last four numbers throughout the checkout procedure for future transactions carried out at the same merchant website or mobile application. Therefore, for subsequent purchases, the cardholder is not required to remember or enter the token.
A card can be tokenized at any number of online or e-commerce shops. A unique token will be created for each online or e-commerce merchant where the card is tokenized. According to the RBI, around 19.5 crore tokens have been produced to date. The cardholders may choose not to participate in COFT (i.e., create tokens).
Those who don’t want to create a token can carry on with their transaction as usual by manually entering their card information while making the purchase (commonly referred to as a “guest checkout transaction”).
“For their security, the Reserve Bank advises cardholders to tokenize their cards. Tokenization would give an extra degree of protection to improve the cardholders’ payment experience. ” In the announcement, the central bank noted
Here is all the information you require on the RBI’s tokenization rule for debit and credit cards, which is scheduled to take effect on July 1:
The RBI website states that “Tokenization refers to the replacement of actual card details with an alternate code called the “token,” which shall be unique for a combination of card, token requestor (i.e., the entity that accepts requests from customers for tokenization of a card and forwards them to the card network to issue a corresponding token), and device (referred to herein as “identified device”). Customers who conduct business online have previously been informed to tokenize or save their cards prior to July 1.
Debit and credit card tokenization is optional. The time it takes to pay online will be longer if consumers decide not to tokenize their cards. The RBI has emphasised numerous times that a tokenized card will ensure that domestic online payment fraud is reduced. Online purchases Cards are safer thanks to credit card and debit card tokenization, which prevents merchants from storing your data and adds an extra layer of security by requiring you to enter your CVV and the OTP you got.
The cardholder can request that the card be tokenized on the app that has been made available by the token requestor or customer. The token requestor will send the request to the card network, which will provide a token matching the combination of the card, the token requestor, and the device with the approval of the card issuer.
Edited by Prakriti Arora
