RBI extends deadline for card tokenisation by 3 months

The RBI has, in consultation with stakeholders, extended the deadline for tokenisation of debit and credit cards by another three months until 30 September 2022.


The Reserve Bank of India (RBI) has, in consultation with the stakeholders, extended the deadline for tokenisation of debit and credit cards by another three months until 30 September 2022. 

The extension was granted to avoid disruption and inconvenience to cardholders. Besides, the number of transactions processed using tokens is yet to reach a substantial scale across all categories of merchants.

The RBI said the extended time period may be utilised by the industry for: (a) facilitating all stakeholders to be ready for handling tokenised transactions; (b) processing transactions based on tokens; (c) implementing an alternate mechanism(s) to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve/require storage of CoF data by entities other than card issuers and card networks; and (d) creating public awareness about the process of creating tokens and using them to undertake transactions.

The central bank had earlier set the due date for card tokenisation as 30 June, which would have required merchants and payment aggregators to delete customer debit and credit card data. This data was to be replaced with unique tokens for all online, point-of-sale and in-app transactions.

Currently, many entities including merchants, who are involved in an online card transaction chain, store card data like card number, expiry date, etc. citing cardholder convenience and comfort for undertaking transactions in the future.

The availability of card details with multiple entities may be a convenient practice, but it is also riskier, as the data can be misused or stolen. There have been instances when card data stored by merchants or other entities has been compromised.

The RBI is encouraging cardholders to tokenise their cards for their own safety. So far, 19.5 crore tokens have been created. Since it is voluntary, cardholders who do not want to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction.

Tokenisation involves replacement of card details by a unique code or token, allowing online purchases to go through without exposing sensitive card details.

Since many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, the RBI feels that stolen data in the hands of fraudsters may result in unauthorised transactions and cause monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data.

In December last year, the RBI mandated entities other than card networks and card issuers to not store debit or credit card data with them.

The central bank also issued a framework for CoF Tokenisation (CoFT) services. Under this, cardholders could create ‘tokens’ (a unique alternate code) in lieu of card details; these tokens can then be stored by the merchants for processing transactions in the future. Opting for CoFT (i.e., creating tokens) is voluntary for the cardholders.

The creation of a token under the CoFT framework involves these processes:

- The cardholder has to undergo a one-time registration process for each card at every online / e-commerce merchant’s website/mobile application, by entering the card details and giving consent for creating a token.

- This consent is validated by way of authentication through an AFA.

- Thereafter, a token is created which is specific to the card and online/e-commerce merchant, i.e., the token cannot be used for payment at any other merchant.

- For future transactions performed at the same merchant website/mobile application, the cardholder can identify the card with the last four digits during the checkout process.

The cardholder, thus, need not remember or enter the token for future transactions. A card can be tokenised at any number of online/e-commerce merchants. For every online/e-commerce merchant where the card is tokenised, a specific token will be created.
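The merchant-specific binding described above, sketched as an added example (not code from the RBI, a card network or this article): `TokenVault`, its method names, the merchant ids and the token format are assumptions for illustration, and the card number is a constructed test value.

```python
import secrets


class TokenVault:
    """Hypothetical token service operated by a card network or issuer."""

    def __init__(self):
        # token -> (card number, expiry, merchant id); this map stays in the vault
        self._by_token = {}

    def register(self, pan, expiry, merchant_id, afa_verified):
        """One-time registration of a card at one merchant."""
        # Consent has to be validated through AFA before a token is issued.
        if not afa_verified:
            raise PermissionError("AFA not completed; no token issued")
        token = secrets.token_hex(8)  # random, so it cannot be derived from the card
        self._by_token[token] = (pan, expiry, merchant_id)
        # The merchant keeps only the token and the last four digits for display.
        return {"token": token, "last4": pan[-4:]}

    def resolve(self, token, merchant_id):
        """Return (card number, expiry) for a payment, or None when the token is
        unknown or is presented by a merchant other than the one it was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry[2] != merchant_id:
            return None
        return entry[0], entry[1]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    rec_a = vault.register(pan, "12/27", "merchant-a", afa_verified=True)
    rec_b = vault.register(pan, "12/27", "merchant-b", afa_verified=True)
    return {
        "tokens_differ": rec_a["token"] != rec_b["token"],
        "merchant_record_has_card": pan in str(rec_a),
        "own_merchant_ok": vault.resolve(rec_a["token"], "merchant-a") is not None,
        "other_merchant_ok": vault.resolve(rec_a["token"], "merchant-b") is not None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

A merchant record stolen from `merchant-a` therefore holds no card number, and its token does not resolve when presented by any other merchant.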