RBI introduces bank-level card tokenization

Date: 22 December 2023


Introduction

In a significant move aimed at bolstering transaction security and enhancing user convenience, the Reserve Bank of India (“RBI”) announced the introduction of Card-on-File (“CoF”) token facilities at the level of banks and other financial institutions. This initiative is set to provide cardholders with a streamlined process for creating and linking tokens to their existing accounts across various e-commerce applications.

UNDERSTANDING CARD-ON-FILE TOKENIZATION (COFT)

Card-on-file tokenization involves the generation of a unique 16-digit token associated with a specific card, token requestor, and merchant. This token serves as a secure substitute for actual card details, ensuring that it can only be utilized with the designated merchant. The RBI, recognizing the effectiveness of tokenization in improving transaction security and approval rates, introduced CoFT in September 2021, with implementation beginning on October 1 of the same year.

EXPANSION OF TOKENIZATION CHANNELS

One noteworthy development is the expansion of channels through which CoF tokens can be generated. Previously limited to creation through a merchant’s application or webpage, the RBI has now enabled CoFT directly through card-issuing banks and institutions. This enhancement provides cardholders with an additional choice, allowing them to tokenize their cards for multiple merchant sites through a unified process.

USER-FRIENDLY TOKENIZATION PROCESS

To facilitate a seamless experience for cardholders, the generation of CoF tokens through the card issuer can be initiated via mobile banking and Internet banking channels. This empowers users to efficiently manage their tokenization preferences at their convenience, either at the time of receiving a new card or at a later date.

REGULATORY SAFEGUARDS: EXPLICIT CONSENT AND AUTHENTICATION

The RBI circular underscores the importance of regulatory safeguards in the tokenization process. CoFT generation will be carried out only with explicit customer consent, coupled with Additional Factor of Authentication (AFA) validation. This ensures a robust security framework, safeguarding users against unauthorized tokenization attempts.

Moreover, the AFA validation can be combined for all selected merchants if a cardholder chooses to tokenize their card for multiple merchants. This approach strikes a balance between user convenience and stringent security measures.

COMPLIANCE WITH RBI DIRECTIVES

The RBI’s directive mandates compliance with the stipulated rules and regulations governing CoFT. Card issuers must furnish a comprehensive list of merchants for whom tokenization services can be provided. This transparency ensures that cardholders are well-informed about the scope and options available for tokenization.

Conclusion

The RBI’s move to introduce CoFT directly through card-issuing banks marks a significant step in aligning regulatory frameworks with evolving technological landscapes. By providing cardholders with a choice and enhancing security measures, this initiative reflects the central bank’s commitment to fostering a secure and user-friendly digital payment ecosystem.

As users increasingly engage in online transactions, the combination of convenience and security embedded in CoFT is poised to reshape digital payments, offering a more robust and resilient framework for the future.

 
