In news- Recently, the Reserve Bank of India has extended the implementation date of card-on-file (CoF) tokenisation norms by six months to June 30, 2022.
New guidelines of RBI-
The following are new guidelines from RBI that will come into effect starting July 1, 2022:
- E-commerce companies such as Amazon, Flipkart and any online delivery platforms such as Zomato and Swiggy won’t be able to save customers’ credit/debit card details on their servers.
- This comes after RBI’s auto debit policy, which came into effect in October, restricting any automatic recurring payment services including utility bills, phone recharges, DTH, and even OTT services such as Netflix, Amazon prime among others.
- RBI wants all the merchants and e-commerce firms to delete all saved card details of their customers available on their servers and mandate the adoption of card-on-file (CoF) tokenisation as an alternative to card storage (applies to domestic, online purchases)..
- According to the central bank, all merchants need to use encrypted tokens for transactions—and this should be achieved through tokenisation.
- As per the rules, card service providers have to send a notification to customers five days prior to the date of payment and debit will be allowed only after the customer approves the payment.
- It refers to the replacement of actual card details with a unique alternate code called the ‘token‘, which is unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenization of a card and passes it on to the card network to issue a corresponding token) and identified device.
- A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
- Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online.
- If a credit/debit card is used at a Point of Sale (POS) machine or on an e-commerce market place, the credit card number is transferred to the tokenisation system which generates 16 random characters, also called ‘token’, to replace the original credit card number.
- In case of multiple cards, each will have to be tokenised.
- Normally, in a tokenized card transaction, parties / stakeholders involved are merchant, the merchant’s acquirer, card payment network, token requestor, issuer and customer.
- However, an entity, other than those indicated, may also participate in the transaction.
- It aims at improving the safety and security of the payment system.