RBI Allows Card-on-File Tokenisation: What Is It? Is It Safer for Consumers?

We explain RBI's changes to tokenisation guidelines and how they will impact payment aggregators and consumers.

Explainers

The Reserve Bank of India (RBI) on Tuesday, 7 September, announced that it will allow card-on-file tokenisation for e-commerce companies.

According to the new digital payments guidelines, RBI has permitted card networks/aggregators to offer card tokenisation services as Token Service Providers (TSPs).

The changes “are expected to reinforce the safety and security of card data while continuing the convenience in card transactions,” RBI said in a press note.

Here, we explain the new changes and how they impact payment aggregators and consumers.

What Is Tokenisation?

Tokenisation is the process of replacing credit or debit card details with a unique set of characters – a ‘token’ – so that payments can be processed without exposing the sensitive account details whose leakage would compromise consumers' security and privacy.

Here is what happens when a customer pays with a card on a platform that uses tokenisation:

  • A credit/debit card is used at a POS machine or on an e-commerce marketplace

  • The card number is transferred to the tokenisation system

  • The tokenisation system generates 16 random characters, known as a 'token', to replace the original card number

  • The tokenisation system returns the newly generated 16-digit token to the e-commerce site, which stores it in place of the customer’s card number

For instance, the (example) card number 5931 9212 3933 3391 would be replaced by the token 4321 2365 4545 2111.

It is worth noting that tokenisation has been around for a while as a way to segregate sensitive data within ecosystems and databases.

According to Razorpay, before tokenisation was introduced, encryption with reversible cryptographic algorithms was the preferred method of protecting sensitive data.
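As an added illustration (not code from the article, RBI or Razorpay), the Python sketch below models a TSP token vault along the lines described above: tokens are drawn at random rather than derived from the card number, so unlike reversible encryption there is no key to steal; each merchant gets its own token for the same card; and only the issuing TSP can map a token back. The TSP and merchant names are assumptions.

```python
import secrets

# Constructed model of a Token Service Provider (TSP) vault, added for illustration;
# class/merchant names and the PermissionError behaviour are assumptions, not a real TSP API.
class TokenServiceProvider:
    def __init__(self, name: str) -> None:
        self.name = name
        self._vault: dict[tuple[str, str], str] = {}   # (merchant, token) -> PAN
        self._issued: dict[tuple[str, str], str] = {}  # (merchant, PAN) -> token

    def tokenise(self, merchant: str, pan: str) -> str:
        """Return a 16-digit token for (merchant, card); the same pair always gets the same token."""
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("not a plausible card number")
        if (merchant, pan) in self._issued:
            return self._issued[(merchant, pan)]
        while True:
            # Digits come from a CSPRNG, so nothing about the PAN is encoded in the token
            # and there is no key whose theft would let an attacker reverse the mapping.
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if token != pan and (merchant, token) not in self._vault:
                break
        self._vault[(merchant, token)] = pan
        self._issued[(merchant, pan)] = token
        return token

    def detokenise(self, merchant: str, token: str) -> str:
        """Only the TSP that issued a token, and only for the same merchant, can map it back."""
        try:
            return self._vault[(merchant, token)]
        except KeyError:
            raise PermissionError(f"{self.name}: token not issued to {merchant}") from None

def demo() -> dict:
    """Walk the article's example card through two merchants and a simulated merchant breach."""
    tsp = TokenServiceProvider("IssuerTSP")           # hypothetical TSP
    pan = "5931 9212 3933 3391"                       # the article's example card number
    shop_token = tsp.tokenise("shop.example", pan)    # hypothetical merchants
    food_token = tsp.tokenise("food.example", pan)
    try:                                              # a token leaked from shop.example is
        tsp.detokenise("food.example", shop_token)    # useless at any other merchant
        cross = "accepted"
    except PermissionError:
        cross = "rejected"
    return {"pan": pan.replace(" ", ""), "shop": shop_token, "food": food_token,
            "lookup": tsp.detokenise("shop.example", shop_token), "cross_merchant": cross}
```

A merchant database that holds only tokens therefore yields nothing usable on its own; the real card number exists only inside the TSP vault.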

What Does the Latest Enhancement Mandate Say?

The central bank said the device-based tokenisation framework advised in its circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well.

This means that card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs).

The tokenisation of card data shall be done with explicit customer consent, requiring Additional Factor of Authentication (AFA).

The central bank said the facility of tokenisation shall be offered by TSPs only for the cards issued by/affiliated to them.

Meanwhile, the ability to tokenise and de-tokenise card data shall be with the same TSP.

The above enhancements are expected to reinforce the safety and security of card data while continuing the convenience in card transactions, the RBI said.

Earlier, card networks could offer tokenisation to token requestors only for interested cardholders' mobile phones and tablets. The central bank has since extended the scope to other consumer devices: laptops, desktops, wearables (wrist watches, bands, etc), Internet of Things (IoT) devices, etc.

Why Is RBI Enforcing Tokenisation?

The central bank said that many entities involved in the card payment transaction chain store the actual card details (known as Card-on-File, or CoF) of their users.

In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen.

In the recent past, there have been incidents in which card data stored by some merchants was compromised or leaked.

Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques.

The Reserve Bank had, therefore, stipulated in March 2020 that authorised payment aggregators and the merchants onboarded by them should not store actual card data. This would minimise vulnerable points in the system.

It must be noted that the introduction of CoFT, while improving customer data security, will offer customers the same degree of convenience as now.

RBI has also made it clear that customers won't have to memorise all of their card details.

"Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts of Reserve Bank to deepen digital payments in India and make such payments safe and efficient shall continue."
The Reserve Bank of India, in a press statement

How Will Tokenisation Help Card Payment Networks?

Interestingly, storing card information in the form of tokens may also help card payment aggregators/networks, as it reduces the merchant’s effort to implement PCI DSS (Payment Card Industry Data Security Standard) requirements.

This does not mean that tokenisation solutions eliminate the need to maintain and validate PCI DSS compliance, but it may simplify a merchant’s compliance validation by reducing the number of system components to which PCI DSS requirements apply.

What Is the Impact of Tokenisation for Customers?

Tokenisation also works in customers' favour in the case of fraud or theft, because a separate token is issued for the same card on each platform that uses tokenisation.

This means that even if a website suffers a data breach and its tokens are acquired by a cybercriminal, it will be extremely difficult to reverse-engineer the actual card number from them, safeguarding your card information.

Tokenisation will also make recurring payments convenient and safe, by allowing payment providers to save cards using tokens.
