Most of the large merchants have implemented the Reserve Bank of India’s (RBI) card-on-file tokenisation norms, sources familiar with the matter said.
The RBI on Friday extended the deadline for merchants to delete their customers’ stored card data under the card-on-file tokenisation system by three months, till September 30.
As many as 195 million tokens have been issued so far and the number is going up fast, they said, adding that the system is already well-prepared to adopt the new mechanism.
Card-on-file typically refers to card information stored by payment gateways and merchants to process future transactions. To curb fraud, the central bank had directed all merchants and payment gateways to remove sensitive details of the credit and debit cards of customers that are saved at their end, and comply with its tokenisation norms by June 30, 2022.
Tokenisation usually refers to the replacement of actual credit and debit card details with an alternate code called the ‘token’. This will be unique to a particular combination of card, token user and device. The ‘token’ can be used in place of an actual card number for online purchases. This is expected to make online transactions a lot safer for customers.
However, the tokenisation of card data will have to be done only with customers’ consent, which requires an additional factor of authentication by them.
In September last year, the central bank had barred merchants from storing customer card details on their servers from January 1, 2022. It had then mandated the adoption of card-on-file tokenisation as an alternative to card storage. Subsequently, the central bank granted a six-month extension of the deadline to comply with the order.