Card-on-File Tokenisation

• Context (TH): The RBI has enabled Card-on-File-Tokenisation at the issuer bank level.

• Tokenisation is a service where a unique alternate code is generated to facilitate transactions through cards. It involves substituting a 16-digit customer card number with a token.
• Tokens are unique for a combination of cards, token requestors, and devices.
• The tokenized data is stored to bill the cardholders’ accounts for future purchases.
• The customer need not pay any charges for availing of this service.
• Tokenisation is not mandatory for a customer, and those who choose not to let their card be tokenized can continue to transact as before by entering card details manually.
• A customer can request for tokenization of his/her card on any number of devices.

Tokenisation and de-tokenization can be performed by the authorised card network or by the card issuer.

• Benefits of tokenization: Token contains no personal information that can be directly accessed and keeps changing, making it the most secure method to complete payments.
• Applications: Tokens can be used for online transactions, mobile point-of-sale transactions or in-app transactions.

RBI Guidelines on Tokenisation

• Online payment aggregators are not allowed to store card number, CVV and expiry date for processing online transactions.
• Single-use provision: Tokens registered on one merchant cannot be used on another merchant.