Skip to main content

What is tokenisation of card transactions?

Reserve Bank of India (RBI) has issued guidelines on tokenisation of card transactions. 

What is tokenisation?

Tokenisation refers to replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card, token requestor and device.

What is de-tokenisation?

Conversion of the token back to actual card details is known as de-tokenisation.

What is the benefit of tokenisation?

As the actual card details are not shared with the merchant during a transaction, it is expected to make card transactions more safe, secure and convenient for the users. 

Which devices or use cases are covered for tokenisation?

Authorised card payment networks are allowed to offer card tokenisation services to any token requestor (i.e., third party app provider), through mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc. for all use cases / channels (e.g., contactless card transactions, payments through QR codes, apps etc.)

What are the conditions for offering tokenisation facility?

  • Registration of card on token requestor’s app shall be done only with explicit customer consent through Additional Factor of Authentication (AFA). It shall not be mandatory for the customers to tokenise their cards.
  • Customers shall have option to register / de-register their card for a particular use case, i.e., contactless, QR code based, in-app payments, etc.
  • Customers shall be given option to set and modify per transaction and daily transaction limits for tokenised card transactions.
  • A customer shall have option to request for tokenisation of any number of cards. For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.
  • Customers shall be given option to tokenise their cards on any number of devices.
  • No charges should be recovered from the customer for availing tokenisation service.
  • All extant instructions of Reserve Bank of India (RBI) on safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry shall be applicable for tokenised card transactions as well.
  • Before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system audit at frequent intervals, of all entities involved in providing card tokenisation services to customers. This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In).

What is the deadline for tokenisation of cards?

  • With effect from October 01, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.
  • For transaction tracking and / or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards.

How to get card tokenised?

The card holder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.

(Updated on January 06, 2024)

The tokenisation facility will also be offered directly through card issuing banks / institutions enabling cardholders to tokenise their cards for multiple merchant sites through a single process. 

  • Generation of CoF Tokens for a card, through the card issuer, can be enabled through mobile banking and internet banking channels.
  • CoFT generation shall be done only on explicit customer consent, and with AFA validation. If the cardholder selects multiple merchants for which to tokenise his / her card, AFA validation may be combined for all these merchants.
  • The tokens thus generated shall be made available on the merchant’s payment page, in the cardholder’s account with the merchant.
  • The cardholder may tokenise the card either on receipt of the new card or later.
  • The card issuer shall provide a complete list of merchants for whom it can provide tokenisation services and the cardholder can make his selection from the list.
  • The card token may be so issued either by the card network or the issuer or both.

Whom to approach in case of issues with tokenisation?

In case of any issues with regard to the tokenisation or loss of device, it shall be reported to / raised with the card issuer.


References

Reserve Bank of India. (2019, January 08). 'Tokenisation – Card transactions. Retrieved from https://rbi.org.in/Scripts/NotificationUser.aspx?Id=11449&Mode=0

Reserve Bank of India. (2021, August 25). 'Tokenisation – Card Transactions : Extending the Scope of Permitted Devices'. Retrieved from https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12152&Mode=0

Reserve Bank of India. (2021, September 07). 'Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12159&Mode=0

Reserve Bank of India. (2022, September 26). 'FAQ-Device based Tokenisation – Card Transactions'. Retrieved from https://rbi.org.in/Scripts/FAQView.aspx?Id=129

Reserve Bank of India. (2022, July 28). 'Restriction on Storage of Actual Card Data [i.e. Card-on-File (CoF)]'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12363&Mode=0

Reserve Bank of India. (2023, December 20). 'Card-on-File Tokenisation (CoFT) – Enabling Tokenisation through Card Issuing Banks'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12573&Mode=0


Follow at - Telegram   Instagram   LinkedIn   Twitter

Labels:

Comments

Post a Comment

Popular Posts

Reserve Bank of India Act, 1934 – Part-II – Section 17 to 19

The Reserve Bank of India Act, 1934 provides the statutory basis of the functioning of the Reserve Bank of India (RBI). In a series of articles, we will briefly go through the provisions of RBI Act, 1934. This is the second article in the series.  Section 17 – Business which the Bank may transact RBI shall be authorized to carry on and transact the several kinds of business hereinafter specified, namely – 17(1) – Accept deposit without interest from the Central / State Government, local authorities, banks and any other persons. 17(1A) – Accept deposit, repayable with interest, from banks or any other person under the Standing Deposit Facility Scheme, as approved by the Central Board, for the purposes of liquidity management.   Bills of Exchange (B/E) & Promissory Note (PN) Bearing 2 or more good signatures, one of which shall be of B/E & PN arising out of Maturing within 17(2)(a) Purchase, sale and rediscou...
Post a Comment
Read more

Reserve Bank of India Act, 1934 – Part-I – Preamble and Section 1 to 13

The Reserve Bank of India Act, 1934 provides the statutory basis of the functioning of the Reserve Bank of India (RBI). In a series of articles, we will briefly go through the provisions of RBI Act, 1934. This is the first article in the series. Preamble of the Act RBI to – Regulate the issue of bank notes. Keep reserves for monetary stability in India. Operate currency and credit system of the country to its advantage. The primary objective of the monetary policy is to maintain price stability while keeping in mind the objective of growth. Chapter I – Preliminary Section 1 – Short title, extent and commencement 1(1) – This Act may be called the Reserve Bank of India Act, 1934. 1(2) – The Act extends to whole of India. Chapter II - Incorporation, Capital, Management and Business Section 3 – Establishment and incorporation of Reserve Bank 3(1) – RBI to take over management of the currency from the Central Government. 3(2) – RBI to have perpetual succession, common seal, and shall by...
Post a Comment
Read more

Reserve Bank of India Act, 1934 – Part-III – Section 20 to 40

The Reserve Bank of India Act, 1934 provides the statutory basis of the functioning of the Reserve Bank of India (RBI). In a series of articles, we will briefly go through the provisions of RBI Act, 1934. This is the third article in the series.  Chapter III - Central Banking Functions Section 20 – Obligation of the Bank to transact Government business RBI shall undertake – To accept monies for account of the Central Government and to make payments up to the amount standing to the credit of its account, and to carry out its exchange, remittance and other banking operations. Management of the public debt of the Union. Section 21 – Bank to have the right to transact Government business in India The Central Government shall entrust RBI with – All its money, remittance, exchange and banking transactions in India, and shall deposit free of interest all its cash balances with RBI. The Central Government may carry on money transactions at places where RBI has no branches or agencies and m...
Post a Comment
Read more

Reserve Bank of India Act, 1934 – Part-IV – Section 42 to 45

The Reserve Bank of India Act, 1934 provides the statutory basis of the functioning of the Reserve Bank of India (RBI). In a series of articles, we will briefly go through the provisions of RBI Act, 1934. This is the fourth article in the series.  Section 42 – Cash reserves of scheduled banks to be kept with the Bank 42(1) – Every bank included in the Second Schedule shall maintain with RBI an average daily balance at a percent (notified by RBI) of its total demand and time liabilities in India. 42(1A) – RBI may direct every scheduled bank to maintain with RBI, in addition to the balance prescribed under Section 42(1), an additional average daily balance at a rate (specified by RBI). 42(1C) – RBI may specify any transaction or class of transactions to be regarded as liability in India of a scheduled bank. If any question arises as to whether any transaction or class of transactions shall be regarded as liability in India of a schedule bank, the decision of RBI thereon shall be fina...
Post a Comment
Read more

Reserve Bank of India Act, 1934 – Part-V – Section 45B to 45JA

The Reserve Bank of India Act, 1934 provides the statutory basis of the functioning of the Reserve Bank of India (RBI). In a series of articles, we will briefly go through the provisions of RBI Act, 1934. This is the fifth article in the series.  Chapter IIIA - Collection and Furnishing of Credit Information Section 45B – Power of Bank to collect credit information RBI may collect credit information from banking companies and furnish it to any banking company in accordance with section 45D. Section 45C – Power to call for returns containing credit information RBI may direct any banking company to submit statements relating to credit information. Section 45D – Procedure for furnishing credit information to banking companies A banking company may apply to RBI to provide credit information. RBI shall furnish the requested credit information without disclosing the names of the banking companies which have submitted the information. RBI may levy fees of up to Rs.25 for furnishing credit...
Post a Comment
Read more