Reserve Bank Of India Pushes Back Deadline For Holding Card Data

June 28, 2022
India’s central bank has extended its deadline for the holding of card-on-file data by entities other than card issuers and networks, as the country struggles to prepare itself for a new tokenised alternative.

In a statement published on June 24, the Reserve Bank of India (RBI) said that it will extend the deadline for all entities to hold card-on-file data for three more months, from June 30 to September 30 this year.

After the September 30 deadline, all card-on-file data not held by card issuers or networks must be “purged”.

This marks the second time that the RBI has extended the deadline, which was originally set for December 31, 2021.

The move concerns the right of online merchants and other entities to save card-on-file data from customers. Card-on-file data includes card numbers, expiry dates and other details.

In March 2020, the RBI issued the first of several circulars designed to prohibit the holding of card-on-file data by any entity in the card transaction or payment chain outside card issuers and networks.

Although recognising the convenience for consumers of such data being saved, the RBI said that multiple entities holding this data increases the risk of cards being misused, stolen or leaked.

The RBI’s solution, which it is encouraging all consumers to use, is something it calls card-on-file tokenisation (CoFT).

Under the RBI’s framework for CoFT, cardholders can create a unique alternate code in lieu of card details, and this data can then be tokenised and stored by merchants for processing transactions in the future.

To create a token under the CoFT framework, cardholders must undergo a one-time registration process for each card they wish to tokenise and at each merchant website or app where they wish to use it.

This is done by entering the card details and giving their consent for creating a token, and the consent is validated by way of an additional factor of authentication (AFA).

A token is thereby created that is specific to both the card and the merchant. For future transactions performed at the same merchant website or mobile app, the cardholder can identify the card with the last four digits of the token during the checkout process.

A card can be tokenised at any number of online merchants, and for every online merchant where the card is tokenised, a specific token will be created.

So far, about 195m tokens have been created, a process that is entirely voluntary for the consumer.

Those who do not wish to create a token can continue to transact as before by entering card details manually when making transactions (the RBI refers to these as guest checkout transactions).

Token teething pains

The RBI has said that the number of transactions processed using tokenised card-on-file data has “yet to gain traction” across all categories of merchants.

Given this, the RBI said it is appropriate to give the industry more time to prepare for handling tokenised transactions.

It also said the industry needs time to implement alternative mechanisms to handle post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions.

This is because these activities currently involve or require storage of card-on-file data by entities other than card issuers and card networks.

Finally, the RBI said the public needs more time to be made aware of the tokenisation process and how to use it.
