Card on File Tokenisation (CoFT) | 24 Dec 2021

For Prelims: Card-on-file tokenisation (CoF), Card-on-File, Reserve Bank of India (RBI)

For Mains: Issues related to Card on File Tokenisation (CoFT)

Why in News

The Reserve Bank of India (RBI) has extended the timeline for implementation of the new credit and debit card data storage norms, or card-on-file tokenisation (CoF) by six months to 30th June, 2022.

  • The digital payment firms, merchant bodies and banks had sought more time to integrate the systems and onboard all the stakeholders amid fears over disruption of business transactions.
  • In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from 1st January, 2022, and mandated the adoption of CoF tokenisation as an alternative to card storage.

Key Points

  • About:
    • Tokenisation: It refers to replacement of actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device.
      • A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
      • Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online.
    • Card-on-File: A CoF transaction is a transaction where a cardholder has authorised a merchant to store the cardholder’s Mastercard or Visa payment details.
      • The cardholder then authorises that same merchant to bill the cardholder’s stored Mastercard or Visa account.
      • E-commerce companies and airlines and supermarket chains normally store card details in their system.
  • More Time Sought for Implementation:
    • If the new RBI mandate is implemented in the present state of readiness, it could cause major disruptions and loss of revenue, especially for merchants.
      • Online merchants can lose up to 20-40 % of their revenues post 31st December due to tokenisation norms, and for many of them, especially smaller ones, this would sound the death knell, causing them to shut shop.
      • Disruptions of this nature erode trust in digital payments and reverses consumer habits back towards cash-based payments.
    • Merchants cannot start the testing and certification of their payment processing systems until banks and card networks are certified and live with stable APIs (Application Programming Interface) for consumer-ready solutions.

Way Forward

  • The RBI has said that after June 2022, credit and debit card data should be purged from the online systems of merchants.
  • In addition to tokenisation, industry stakeholders may devise alternate mechanisms to handle any use case, including recurring e-mandates and EMI option or post-transaction activity, including chargeback handling, dispute resolution, reward or loyalty programme, that currently involves storage of CoF data by entities other than card issuers and card networks.

Source: IE