- 25 Jun 2022
Why in News?
The Reserve Bank of India (RBI) extended the timeline for tokenisation of debit and credit cards by three months till 30th September, 2022 to avoid disruption and inconvenience to cardholders.
- After 30th September, no entity in the card transaction or payment chain, other than the card issuers and card networks, should store Card-on-File (CoF) data, that is, the actual card data, and any such data stored previously will be done away with.
What is Tokenisation and Card-on-File?
- Tokenisation: It refers to the replacement of actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device.
- A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
- Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online.
- As of now, about 19.5 crore tokens have been created. Opting for Card-on-File Tokenisation (CoFT), i.e. creating tokens, is voluntary for cardholders.
- Card-on-File: A CoF transaction is a transaction where a cardholder has authorised a merchant to store the cardholder’s Mastercard or Visa payment details.
- The cardholder then authorises that same merchant to bill the cardholder’s stored Mastercard or Visa account.
- E-commerce companies, airlines and supermarket chains normally store card details in their systems.
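The difference between Card-on-File storage and tokenised storage, as an added example that is not part of the original article and does not reproduce RBI's or any card network's specification. The `TokenVault` class, the merchant and device names, and the rule that a token resolves only for the requestor and device it was issued to are assumptions of this simplified model.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy model of the issuer/card-network side, the only place the card number lives."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._records = {}  # token -> (card number, token requestor, device)

    def tokenise(self, pan, requestor, device):
        # One token per combination of card, token requestor and device.
        binding = f"{pan}|{requestor}|{device}".encode()
        digest = hmac.new(self._key, binding, hashlib.sha256).hexdigest()
        token = str(int(digest, 16) % 10**16).zfill(16)  # 16 digits, card-like format
        self._records[token] = (pan, requestor, device)
        return token

    def authorise(self, token, requestor, device):
        # Assumed check: resolve the token only for the requestor and device it was issued to.
        record = self._records.get(token)
        if record is None or record[1:] != (requestor, device):
            return None
        return record[0]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    cof_store = {"customer-42": pan}  # Card-on-File: merchant keeps the real number
    token_a = vault.tokenise(pan, "merchant-A", "phone-1")
    token_b = vault.tokenise(pan, "merchant-B", "phone-1")
    token_store = {"customer-42": token_a}  # tokenised: merchant A keeps only its token
    return {
        "cof_store_holds_pan": pan in cof_store.values(),
        "token_store_holds_pan": pan in token_store.values(),
        "tokens_differ_per_merchant": token_a != token_b,
        "merchant_a_on_phone_1": vault.authorise(token_a, "merchant-A", "phone-1"),
        "token_a_used_by_merchant_b": vault.authorise(token_a, "merchant-B", "phone-1"),
        "token_a_from_other_device": vault.authorise(token_a, "merchant-A", "phone-2"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

In this model a copy of merchant A's stored records contains no card number, and the token found there does not resolve for any other requestor or device.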
Why is Tokenisation of Cards Required?
- Many entities involved in an online card transaction chain store card data such as the card number and expiry date, known as Card-on-File (CoF), for undertaking transactions in future. While this practice is convenient, the availability of card details with multiple entities increases the risk of card data being stolen or misused.
- There have been instances where such data stored by merchants have been compromised.
- Since many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data.