The Reserve Bank of India (RBI) has unveiled enhancements to the existing card tokenization system. According to the official declaration dated September 7, 2021, RBI has said that the device-based tokenisation framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well, and card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs). The tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA). These enhancements are expected to reinforce the safety and security of card data while continuing the convenience in card transactions, RBI stated.
"Citing the convenience and comfort factor for users while undertaking card transactions online, many entities involved in the card payment transaction chain store actual card details [also known as Card-on-File (CoF)]. In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised / leaked. Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques," RBI reported.
As a result, in March 2020, the RBI mandated that authorized payment aggregators and merchants onboarded by them should not maintain or store actual card details. This would minimise vulnerable points in the system. On a request from the industry, the deadline was extended to end-December 2021 as a one-time measure, said RBI.
RBI has also further stated "It may be noted that introduction of CoFT, while improving customer data security, will offer customers the same degree of convenience as now. Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts to deepen digital payments in India and make such payments safe and efficient shall continue."