Date: 2022-09-14

New Debit And Credit Card Rules: The rules for online transactions for debit and credit cards will change next month as the Reserve Bank of India’s (RBI) card-on-file (CoF) tokenisation norms come into effect from October 1, 2022. With this norm, the payment experience of cardholders is expected to improve. The earlier deadline for RBI’s new tokenisation guidelines was July 1; however, it was extended to September 30 on the back of various representations received from stakeholders.

If media reports are to be believed, most of the large merchants have complied with the RBI’s card-on-file (CoF) tokenisation norms and 19.5 crore tokens have been issued so far. The RBI last September prohibited merchants from storing customer card details on their servers with effect from January 1, 2022, and mandated the adoption of CoF tokenisation as an alternative to card storage.

WHAT IS CARD-ON-FILE TOKENISATION?

CoF refers to credit or debit card information stored by payment gateways and merchants to process future transactions. To create a token, cardholders have to undergo a one-time registration process for all their cards at every e-commerce website. By entering the card details and saving them, the cardholder gives consent to create a token.

This consent is then validated through an additional factor of authentication (AFA). Thereafter, a token is created which is specific to the card and e-commerce merchant. That token cannot be used for payment at any other merchant.

After creating the token, the cardholder can identify the card by its last four digits at checkout in all future transactions at the same merchant’s website. Thus, the cardholder is not required to remember or enter the token for future transactions.

HOW WILL IT IMPACT CUSTOMERS?

A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. Once the card-on-file (CoF) tokenisation norms are implemented, platforms won’t be able to store the card details of a shopper in any form.

HOW CAN THE TOKENISATION BE CARRIED OUT?

The cardholder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.

Let’s understand this with an example. When customers buy anything on an e-commerce site such as Flipkart or Amazon for the first time, they are asked to enter the 16-digit debit/credit card number and then the CVV code. But while making the second purchase from the same e-retailer, one has to enter only the CVV as the site has already saved the 16-digit card number.

However, with the new norms, customers have to enter their entire card details while buying something. After this, tokenisation will be initiated by the merchant. Customers will be asked for consent, after which the merchant will send the request to the card network, which will create a token. That token will act as a proxy for the 16-digit card number and will be sent back to the merchant.
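The flow described above (consent validated by AFA, a token tied to one card and one merchant, and only the last four digits shown at checkout) can be sketched in code. This is an added illustration, not code from the RBI or any card network; the class CardNetworkVault, its method names and the merchant identifiers are hypothetical, and the card number is a constructed test value.

```python
import secrets

class CardNetworkVault:
    """Hypothetical stand-in for the authorised card network's token vault."""

    def __init__(self):
        self._by_token = {}  # token -> (PAN, merchant_id); held only by the network
        self._by_pair = {}   # (PAN, merchant_id) -> token

    def tokenise(self, pan, merchant_id, consent, afa_passed):
        # A token is issued only after cardholder consent validated by AFA.
        if not (consent and afa_passed):
            raise PermissionError("consent and AFA required")
        pair = (pan, merchant_id)
        if pair not in self._by_pair:
            token = secrets.token_hex(16)  # random, so it reveals nothing about the PAN
            self._by_pair[pair] = token
            self._by_token[token] = pair
        # The merchant gets back only the token and the last four digits.
        return {"token": self._by_pair[pair], "last4": pan[-4:]}

    def detokenise(self, token, merchant_id):
        # Only the network maps a token back to the card, and only for
        # the merchant the token was issued to.
        pair = self._by_token.get(token)
        if pair is None or pair[1] != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return pair[0]


def demo():
    vault = CardNetworkVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    saved_a = vault.tokenise(pan, "merchant-A", consent=True, afa_passed=True)
    saved_b = vault.tokenise(pan, "merchant-B", consent=True, afa_passed=True)
    try:
        vault.detokenise(saved_a["token"], "merchant-B")
        cross_use_blocked = False
    except PermissionError:
        cross_use_blocked = True
    return {
        "merchant_record": saved_a,  # everything merchant A keeps on file
        "tokens_differ": saved_a["token"] != saved_b["token"],
        "same_merchant_ok": vault.detokenise(saved_a["token"], "merchant-A") == pan,
        "cross_use_blocked": cross_use_blocked,
    }

if __name__ == "__main__":
    print(demo())
```

A token copied from merchant A's records is rejected when presented for merchant B, which is why a breach of one merchant's stored tokens does not expose the card elsewhere.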

FAQs on Tokenisation

What is the benefit of tokenisation?

A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.

What are the charges that the customer needs to pay for availing this service?

The customer need not pay any charges for availing this service.

What are the use cases (instances / scenarios) for which tokenisation has been allowed?

Tokenisation has been allowed through mobile phones and / or tablets for all use cases / channels (e.g., contactless card transactions, payments through QR codes, apps etc.).

Can tokenisation be enabled through a smart watch or such other devices?

The feature of tokenisation is restricted to mobile phones and / or tablets only.

Who can perform tokenisation and de-tokenisation?

Tokenisation and de-tokenisation can be performed only by the authorised card network. The list of card networks authorised by RBI to operate in India is available on the RBI website at the link https://www.rbi.org.in/Scripts/PublicationsView.aspx?id=12043.

Who are the parties / stakeholders in a tokenisation transaction?

Normally, in a tokenised card transaction, the parties / stakeholders involved are the merchant, the merchant’s acquirer, the card payment network, the token requestor, the issuer and the customer. However, an entity, other than those indicated, may also participate in the transaction.

Are the customer card details safe after tokenisation?

Actual card data, token and other relevant details are stored in a secure mode by the authorised card networks. Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices / globally accepted standards.

Is tokenisation of card mandatory for a customer?

No, a customer can choose whether or not to let his / her card be tokenised.