.svg)
After more than a year of delays, new rules aimed to strengthen the security of online card payments in India are coming into force at the weekend.
On October 1, India’s card-on-file tokenisation (CoFT) rules will become effective, prohibiting merchants, payment aggregators, payment gateways and acquiring banks from storing customer card information.
The rules will finally come into effect on Saturday after the Reserve Bank of India (RBI) had agreed to three previous extensions to help the industry better prepare for the impactful change.
The requirement was originally planned to come into effect in March 2021, although reluctantly the RBI agreed to a number of delays in response to a massive push from the industry to do so.
According to Reuters, it is now unlikely that the RBI would grant a further time extension as banks, card networks and merchants are better prepared now to comply with the rules.
During the summer, both Visa and Mastercard made significant improvements in enabling CoFT for merchants.
In June, Visa announced that it had created 100m CoF tokens in India. In the following months, Mastercard said that it had enabled CoFT for more than 200,000 online merchants and had created 90m tokens for Mastercard cardholders since December 2021.
CoFT enables payment processors to process a debit or credit card payment without actually accessing and storing the card data. It is particularly beneficial for subscription-based business models or those that provide services to the same customers.
When the customer decides to save their credit or debit card data at the merchant or payment processor’s site, the card data is converted into a token by the issuing bank or the card network, such as Rupay, Visa or Mastercard.
The new rule is intended to reduce the risk of fraud in light of the large uptake of digital payments and e-commerce.
As of August, there were 1.01bn cards in circulation, in a country with a population of 1.4bn. Meanwhile, India's e-commerce sector is estimated to grow to $111.4 bn by 2025, up from $46.2bn in 2020.
As merchants and payment processors are getting hold of an ever larger amount of data, the RBI has grown wary of their increasing vulnerability to data theft or leakage.
Despite the initial difficulties to adopt the rules, many experts believe that CoFT is a necessary step to making online card payments safer.
“India is moving in the right direction in securing its digital payments ecosystem and protecting its consumers,” Karthik Ramasamy, product head at MinkasuPay, said.
As card tokenisation is gaining serious momentum in India, Ramakrishnan Gopalan, vice president and head of products and solutions at Visa, welcomed the move as one that will improve the safety and soundness of the ecosystem.
In addition to making the storage of payment data more secure, CoFT could reduce the costs of securing the storage of cardholder data and offer a better customer experience, potentially enabling better conversion rates at the checkout page.
