The Reserve Bank of India (RBI) on September 7th, 2021, announced new digital payment guidelines to card-on-file tokenisation services. Apart from building customer confidence in card as a payment method, these guidelines will also help to prevent online fraud by helping keep the critical financial information of customers secure from card data breaches.

Here are the new guidelines –

• The new guidelines restrict any merchant/Payment Aggregator/Payment Gateway from vaulting card data at their end except for the limited purpose of transaction tracking.
• All existing card vaults would need to be purged, by June 30th, 2022. (extended deadline, as per the new circular issued by RBI on December 23rd, 2021).
• The alternative to Card On File (COF) is the Card On File Tokenisation (COFT) solution.
• Only Card Schemes and Card Issuers would be allowed to offer CoFT
• Card Schemes or Issuers are only allowed to offer Tokenisation services for their own set of cards, and hence to tokenise the entire card base multiple tie-ups are required.

Tokenisation is the process of protecting sensitive data by replacing it with an algorithmically generated surrogate number called a token. These tokens are issued and utilized subsequently to safeguard real card credentials. It is passed through the internet or the various wireless networks to process the payment without actual card details getting exposed. The card number is held safe in a secure network token vault.

The process of tokenisation -

1. The cardholder can get the card tokenised by initiating a request on the merchant application, and explicitly providing their consent for tokenisation.
2. The tokens are generated and issued by card schemes/issuers. They will act like Token Service Providers (TSPs) and will facilitate card data protection and security. The tokens are mapped with underlying card credentials and stored in a secured card vault at TSP’s end.
3. The token requestor will forward the request to the card network, and with the consent of the card issuer, the TSP will provision and issue a token for the combination of a card/token requestor.
4. When users enter their card details on the merchant payment page, the Merchant/TR sends a request for Token provisioning. The TSP on receipt will first request verification of the data from the customer’s bank. When the data gets verified, a token unique reference number gets generated and is sent back to the TR/Merchant.
5. Tokenisation of card data will be done with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by the card issuer.