RBI has refused to extend its deadline for card tokenisation beyond 1 January 2022
The Reserve Bank of India (RBI) has enhanced the guidelines on card tokenisation services in order to ensure that the consumers are least susceptible to frauds and their card transactions remain secure. The central bank refused to extend its deadline for card tokenisation beyond the 1 January 2022 date.
While non-cash transactions simplify processes and save time and effort, they also make you susceptible to fraud.
In a release, RBI said the device-based tokenisation framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-Fite Tokenisation (CoFT) services as well.
Card-on-file refers to card information stored by payment gateway and merchants to process future transactions.
“…card issuers have been permitted to offer card tokenisation services as token service providers. The tokenisation of card data shall be done with explicit customer consent requiring additional factor of authentication (AFA),” the RBI said in a statement
What is tokenisation
When you use your card, debit or credit, for a transaction, the execution of the transaction is based on information like the 16-digit card number, the card expiry date, the CVV as well as the one-time password or transaction PIN. In fact, a transaction is successful only if all of these variables are entered correctly for a specific transaction. Tokenisation refers to replacement of actual card details with a unique alternate code called the “token”. This token is unique for each combination of card, token requestor and device.
How secure is the token?
Merchants process millions of card transactions in a day. At the check-out, many of these merchants give you the option to save the card number, and there is a risk of these saved details getting compromised.
When the card details are saved in an encrypted manner, the risk of fraud or compromised data gets reduced. To, put it simply, your risk gets reduced when you share the details of your debit/credit card in the form of a token.
“In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised/leaked. Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques,” RBI said in its release.
The central bank further added that there will be no requirement to input card details for every transaction under the tokenisation arrangement
“Contrary to some concerns expressed In certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts of Reserve Bank to deepen digital payments in India and make such payments safe and efficient shall continue,” RBI release noted.
The initiative is expected to make card transactions more safe, secure and convenient for the users
RBI had last month had extended the scope of ‘tokenisation’ card payment services to several consumer devices including laptops, desktops, wearables like wristwatches, bands and Internet of Things (IoT), in addition to mobile phones and tablets
In January 2019 the RBI had issued guidelines on “Tokenisation – Card transactions”, permitting authorised card networks to offer card tokenisation services to any token requestor, subject to conditions. On a request from the industry, it extended the deadline to end-December 2021 as a one-time measure.