The central bank said that cardholders’ payment experience will be enhanced through an additional layer of security through tokenization. However, the RBI also said that opting for card tokenization is voluntary and not mandatory. The RBI extended the deadline for card tokenization and card data storage by three months to Friday, September 30
Reserve Bank of India (RBI)
The Reserve Bank of India RBI said on Friday June 24 that around 19.5 Cr card tokens have been issued in the country so far and called on the general public to tokenize their cards.
The Reserve Bank encourages cardholders to tokenize their cards for their own security. Cardholders’ payment experience will be enhanced through an additional layer of security through tokenization, the RBI said.
However, the central bank added that opting for card tokenization is not mandatory.
Opting in to CoFT i.e. creating tokens is voluntary for cardholders. Those who do not wish to create a token can continue to transact as before by manually entering card details at the time of transaction, the central bank said in a statement.
He highlighted the risks of fraud with customers by sharing their card details with online platforms. the availability of card details with multiple entities increases the risk of card data theft or misuse. There have been cases where such data stored by merchants etc has been compromised, the RBI said.
The RBI also said that the lack of a tokenization mechanism on cards without additional factor of authentication AFA may leave them vulnerable to fraudsters and monetary loss.
The central bank also said that it is working with industry stakeholders to address the issues highlighted by them to avoid any disruption to cardholders from the switch to tokenization.
The notice came on the day RBI extended the deadline for card tokenization & card data storage for three months to September 30, 2022. This is the third instance of the deadline being postponed for implementation. of the new guidelines.
What is tokenization?
Tokenization refers to the replacement of the actual card details with an alternative code, called a token. This will ensure that a user card details are not shared with merchants.
Under the RBI guidelines for card tokenization & storage, payment aggregators, merchants & payment gateways will be required to delete customer card data stored on them.
Under the new framework, the cardholder will have to undergo a unique registration process for each card on each online platform and give their consent to create a token.
This consent is validated as authentication through an AFA. Thereafter, a token is created that is specific to the card and the online/e-commerce merchant, i.e. the token cannot be used to pay at any other merchant, the central bank explained.
For future transactions made on the same merchant website/mobile app, the cardholder can identify the card with the last four digits during checkout. However, a token generated in a particular online channel cannot be used anywhere else.
Is the payment ecosystem ready for tokenization?
The RBI noted on Friday that token-based transactions have yet to gain momentum across the country & called for encouraging their use.
The central bank directed industry stakeholders to use the tokenization deadline extension period to strengthen their systems to handle such transactions and implement an alternative mechanism to handle all post-transaction activities. He also urged the industry to raise awareness among the public to promote the use of token-based transactions.
A large number of fintech players & payment aggregators have switched to token-based transactions. From Google to PhonePe & from Razorpay to PayU, many platforms have moved to the new system.
Interestingly, the RBI, in its ‘Payments Vision 2025’, said it aims to ensure debit card usage exceeds credit card usage in terms of value by 2025. It also targets a 3X increase in the number of digital transactions in the country. by 2025