MUMBAI: The Reserve Bank of India (RBI) on Friday announced an extension of the deadline for card data storage and tokenisation implementation by another three months to September 30, 2022.
The RBI had earlier set a deadline of June 30 for tokenisation of debit and credit cards. As part of this initiative, merchants and payment aggregators are required to delete all card details and replace them with tokens.
The industry stakeholders have highlighted some issues related to implementation of the framework in respect of guest checkout transactions. Also, number of transactions processed using tokens is yet to gain traction across all categories of merchants, the RBI said in a statement.
“These issues are being dealt with in consultation with the stakeholders, and to avoid disruption and inconvenience to cardholders, the Reserve Bank has today announced extension of the said timeline of June 30, 2022, by three more months, i.e., to September 30, 2022,” the central bank said.
According to the RBI, this extended time period may be utilised by the industry for, (a) facilitating all stakeholders to be ready for handling tokenised transactions; (b) processing transactions based on tokens; (c) implementing an alternate mechanism(s) to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve /require storage of CoF data by entities other than card issuers and card networks; and (d) creating public awareness about the process of creating tokens and using them to undertake transactions.
Currently, many entities, including merchants, involved in an online card transaction chain store card data like card number, expiry date, etc [Card-on-File (CoF)] citing cardholder convenience and comfort for undertaking transactions in the future.
While this practice does render convenience, availability of card details with multiple entities increases the risk of card data being stolen/misused. There have been instances where such data stored by merchants, etc, have been compromised.
Given the fact that many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data, the RBI noted in the statement.
Given the foregoing, the Reserve Bank mandated that after December 31, 2021, entities other than card networks and card issuers cannot store card data. This timeline was subsequently extended to June 30, 2022.
A framework for CoF Tokenisation (CoFT) services was also issued. Under this framework, cardholders can create “tokens” (a unique alternate code) in lieu of card details; these tokens can then be stored by the merchants for processing transactions in future. Thus, CoFT obviates the need to store card details with merchants and provides the same level of convenience to cardholders.
To create a token under the CoFT framework, the cardholder has to undergo a one-time registration process for each card at every online / e-commerce merchant’s website / mobile application, by entering the card details and giving consent for creating a token.
This consent is validated by way of authentication through an AFA. Thereafter, a token is created which is specific to the card and online / e-commerce merchant, i.e., the token cannot be used for payment at any other merchant.
For future transactions performed at the same merchant website / mobile application, the cardholder can identify the card with the last four digits during the checkout process. Thus, the cardholder is not required to remember or enter the token for future transactions. A card can be tokenised at any number of online / e-commerce merchants. For every online / e-commerce merchant where the card is tokenised, a specific token will be created.
As per the RBI, till date, about 19.5 crore tokens have been created. Opting for CoFT (i.e., creating tokens) is voluntary for the cardholders. Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transaction”).
“The Reserve Bank encourages cardholders to tokenise their cards for their own safety. Cardholders’ payment experience will be enhanced through an added layer of security by way of tokenisation,” the central bank said in the statement.