Economy
The Reserve Bank of India has extended the implementation date of card-on-file (CoF) tokenisation norms by six months to June 30, 2022. In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from January 01, 2022, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage. It applies to domestic, online purchases.
· Tokenisation refers to the replacement of actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device.
· Example: when you make online payments through your credit card (or debit card), it will be mandatory to enter your card details in full, that is, your card number and CVV, and authenticate with an OTP.
· But if you don’t want to go through this hassle each time, you can opt to create a token.
· The process is called card-on-file tokenisation (CoFT).
· In case of multiple cards, each has to be tokenised.
· 3 steps have to be completed for smooth implementation of tokenisation:
· Token provisioning: the consumer’s card number should be convertible into a token, which means the card networks have to be ready with the relevant infrastructure.
· Token processing: consumers should be able to complete their transactions successfully through the tokens.
· Scale-up for multiple use cases: consumers should be able to use the token for things like refunds, EMIs, recurring payments, offers, promotions, guest checkouts etc.
How does it work?
· When you enter the card details to process the payment, the payment gateway will check with you if you want to create a token.
· If yes, it would forward the request to the card network: Visa, MasterCard, Rupay, Amex or Diner’s Club.
· Once the request is authorised by the issuer bank, upon verification of the user’s credentials, the card network issues the token and shares it with the user.
· Every token is unique to the payment gateway or the merchant, card network and the card.
· Therefore, if you have stored your card details across five merchants, say for ordering food, online shopping, booking movie tickets, OTT platforms and paying for utilities, you have the convenience of generating 5-6 tokens for each app.
De-tokenisation involves cancelling the token.
Is it mandatory?
· It is not mandatory.
· A merchant cannot force the user to create a token.
· It needs explicit consent and an additional factor of authentication like an OTP or PIN to generate a token.
· One can set limits for each token, including daily transaction limits.
· Likewise, one can renew the token just like you would do with the card.
· Card issuers cannot charge a fee for issuing tokens.
· However, interest charges, taxes and fees, including renewal fee applicable on the card, will remain.
· Tokens can be generated for both credit and debit cards.
Impact:
· Merchants and payment gateways cannot store details of their users’ credit or debit cards.
· A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
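
The rules above, sketched as an added Python example (not part of the original article, and not the RBI's or any card network's actual implementation). TokenVault and its methods are hypothetical names, the device component of the token binding is left out, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """Toy card-network token vault (hypothetical; all names are assumptions)."""

    def __init__(self):
        self._by_token = {}  # token -> record; the only place the card number lives
        self._by_pair = {}   # (card_number, requestor) -> token

    def provision(self, card_number, requestor, consent, afa_verified, daily_limit):
        # A token is created only with explicit consent plus an additional
        # factor of authentication (OTP or PIN) verified by the issuer.
        if not (consent and afa_verified):
            raise PermissionError("explicit consent and AFA are required")
        pair = (card_number, requestor)
        if pair in self._by_pair:         # one token per card + requestor
            return self._by_pair[pair]
        token = secrets.token_hex(8)      # random, so it reveals nothing about the card
        self._by_token[token] = {"card": card_number, "requestor": requestor,
                                 "limit": daily_limit, "spent": {}}
        self._by_pair[pair] = token
        return token

    def authorise(self, token, requestor, amount, day):
        rec = self._by_token.get(token)
        if rec is None:
            return "DECLINED: unknown or cancelled token"
        if rec["requestor"] != requestor:  # a token leaked from one merchant fails elsewhere
            return "DECLINED: token not issued to this requestor"
        if rec["spent"].get(day, 0) + amount > rec["limit"]:
            return "DECLINED: daily limit exceeded"
        rec["spent"][day] = rec["spent"].get(day, 0) + amount
        return "APPROVED"

    def cancel(self, token):
        # Cancelling removes the mapping; the card itself is unaffected.
        rec = self._by_token.pop(token, None)
        if rec:
            del self._by_pair[(rec["card"], rec["requestor"])]
        return rec is not None

def demo():
    vault = TokenVault()
    card = "4111111111111111"  # constructed test number, not a real card
    food = vault.provision(card, "food-app", True, True, daily_limit=5000)
    shop = vault.provision(card, "shop-app", True, True, daily_limit=5000)
    return vault, card, food, shop
```

The merchant side only ever holds the token string returned by provision; the card number stays inside the vault.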