Introduction: The Reserve Bank of India (RBI) has issued a crucial directive, RBI/2023-24/91, dated December 20, 2023, impacting Payment System Providers and Payment System Participants. This directive focuses on Card-on-File Tokenisation (CoFT), introducing a paradigm shift by enabling tokenisation directly through card issuing banks.
Detailed Analysis:
Card Tokenisation Landscape: Card tokenisation services have, until now, been primarily provided by card issuers and networks, as outlined in previous RBI circulars. However, the recent directive (RBI/2023-24/91) marks a significant departure by allowing CoFT directly through card issuing banks. This move aims to offer cardholders more flexibility, enabling them to tokenise their cards for multiple merchants through a streamlined process.
Key Requirements for CoFT: The directive outlines essential requirements for CoFT through card issuers. It emphasizes the generation of Card-on-File (CoF) tokens through mobile banking and internet banking channels, ensuring explicit customer consent and Additional Factor Authentication (AFA) validation. Cardholders can choose multiple merchants for tokenisation, with AFA validation combined for efficiency. Tokens generated will be accessible on the merchant’s payment page within the cardholder’s account.
Flexibility for Cardholders: One of the notable aspects of the directive is the flexibility it provides to cardholders. Whether upon receiving a new card or at a later time, cardholders can tokenise their cards at their convenience. Additionally, card issuers are mandated to furnish a comprehensive list of merchants for tokenisation services. Cardholders have the liberty to select merchants from this list with whom they wish to maintain tokens.
Continued Applicability: While introducing this new directive, the RBI ensures the continuity of relevant provisions from earlier circulars, specifically those dated January 8, 2019, August 25, 2021, September 7, 2021, and July 28, 2022. This ensures consistency and compliance with established guidelines, maintaining the integrity of the overall card tokenisation framework.
Conclusion: In conclusion, the RBI’s recent directive represents a progressive step in the evolution of card tokenisation services. By enabling CoFT directly through card issuing banks, the directive introduces greater convenience and choice for cardholders. Payment system providers and participants must adapt to these changes, ensuring seamless integration with the outlined requirements. As the financial landscape continues to evolve, such directives play a pivotal role in enhancing security, efficiency, and user experience in electronic payment systems.
****
RESERVE BANK OF INDIA
RBI/2023-24/91
CO. DPSS. POLC. No.S-9 19/02-14-003/2023-24
December 20, 2023
All Payment System Providers and Payment System Participants
Madam / Dear Sir,
Card-on-File Tokenisation (CoFT) – Enabling Tokenisation through Card Issuing Banks
The card tokenisation services are being currently provided by card issuers and card networks in terms of Reserve Bank of India circulars DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 8, 2019 on “Tokenisation – Card transactions”, CO. DPSS. POLC. No.S-516/02-14-003/2021-22 dated September 07, 2021 on “Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services” and CO. DPSS . POLC. No.S-567/02-14-003/2022-23 dated June 24, 2022 on “Restriction on Storage of Actual Card Data [i.e. Card-on-File (CoF)]”.
2. As announced in the Statement on Development and Regulatory Policies dated October 6, 2023, it has been decided to enable CoFT directly through card issuing banks / institutions also. This will provide cardholders with an additional choice to tokenise their cards for multiple merchant sites through a single process. Detailed requirements for the same are listed in the
3. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).
Yours faithfully,
(Gunveer Singh)
Chief General Manager-in-Charge
Annex
(CO. DPSS. POLC. No.S-9 19/02-14-003/2023-24 dated December 20, 2023)
CoFT through card issuers – Requirements
1. Generation of CoF Tokens for a card, through the card issuer, can be enabled through mobile banking and internet banking channels.
2. CoFT generation shall be done only on explicit customer consent, and with AFA If the cardholder selects multiple merchants for which to tokenise his/her card, AFA validation may be combined for all these merchants.
3. The tokens thus generated shall be made available on the merchant’s payment page, in the cardholder’s account with the merchant.
4. The cardholder may tokenise the card at any time of his convenience, either on receipt of the new card or later.
5. The card issuer shall provide a complete list of merchants for whom it can provide tokenisation services. The cardholders shall select the merchants with whom he/she wishes to maintain tokens. (Alternatively – “The cardholder can make his selection from the list”).
6. The card token so issued may be either by the card network or the issuer or
7. All other provisions of RBI circulars dated January 8, 2019, August 25, 2021, September 7, 2021 and July 28, 2022 shall remain applicable.
