The Reserve Bank of India (RBI) on October 20, 2023, revamped the process of Card-on-File (CoF) tokenisation, simplifying it for cardholders and enhancing convenience in their online shopping experience.
Tokenisation is a process of replacing a card's 16-digit number with a unique 'Token,' which can be used for online transactions. Until now, these tokens called Card-on-File (CoF) tokens could only be generated through the merchant's platform or webpage during a transaction.
At checkout from your shopping cart, customers will be required to enter their card details for payments, instead, they typically choose tokenization. Your bank will generate a unique token which can be stored by the merchant for future use. You might remember seeing masked card details and the four last digits of the card number. You don’t need to remember anything but your CVV, that too only rarely. Here tokenisation is done on the merchant’s page.
However, the RBI changed this landscape by allowing banks and financial institutions to directly enable CoF Tokenisation (CoFT) for their customers. Now, cardholders can seamlessly tokenise their cards across various e-commerce platforms through a single process provided by their card issuer. "This will provide cardholders with an additional choice to tokenise their cards for multiple merchant sites through a single process," the RBI said in a circular.
Under the new system, the generation of CoF tokens for a card, through the card issuer, can be enabled through mobile banking and internet banking channels. “This measure will enhance convenience for cardholders to get tokens created and linked to their existing accounts with various e-commerce applications,” RBI says.
But this process requires explicit customer consent and also with Additional Factor Authentication (AFA) validation, which typically means One-Time Passwords (OTPs) sent to registered mobile numbers. If the cardholder selects multiple merchants for which to tokenise his/her card, AFA validation may be combined for all these merchants.
The tokens thus generated shall be made available on the merchant’s payment page, in the cardholder’s account with the merchant. The cardholder may tokenise the card at any time of his convenience, either on receipt of the new card or later. The card issuer shall provide a complete list of merchants for whom it can provide tokenisation services. Also, cardholders get the flexibility to select specific merchants for tokenisation and the move improves convenience and security for cardholders.