The RBI’s card-on-file (COF) tokenisation rules will be introduced from July 1, as per the schedule. Tokenisation refers to replacement of actual card details with an alternative code referred to as token.
This is a mechanism to keep digital transactions safer by restraining online merchants from saving the debit and credit card details of customers.
A tokenised card transaction is safe as the actual card details are not shared with the merchant during transaction.
Reserve Bank of India deputy governor T Rabi Sankar on June 8 said the payments ecosystem in India is ‘by and large prepared’ for implementation of the tokenisation system for card-based transactions, including online transactions.
The RBI deputy governor’s comments came weeks ahead of the June 30 deadline after which the new tokenisation norms will be implemented.
These rules were earlier supposed to be effective from January 1 after the banking regulator in September 2021 prohibited merchants from storing customer card details on their servers.
The industry bodies had, that time, requested the RBI to defer the deadline to June 30 citing a number of challenges in implementing the new rule under which merchants will not be able to store credit card or debit card information of customers.
Consequently, the RBI has mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage. And it will apply to domestic, online purchases.
This is how the tokenisation will work:
1. When you start purchase of an item with a merchant, the merchant will start tokenisation for which it will ask for your consent.
2. After you give your consent, the merchant can then send a request for tokenisation to the card network.
3. The card network will then create a token that will act as a proxy to 16-digit card number, and send it back to the merchant.
4. The merchant can save this token for any transaction in future.
5. It is important to note that you will have to enter CVV and OTP just as before to approve transaction.
6. In case you wish to use some other debit card, the same process needs to be repeated.
So, from July 1, customers who frequently make digital payment through their debit or credit card can rest assured that their card details will not be saved by online merchants.