The Reserve Bank of India’s (RBI) Monetary Policy Committee (MPC) on Friday extended the card-on-file tokenisation, or token creation, facility to the level of the issuer bank. It was earlier available only through merchant applications or websites, RBI Governor Shaktikanta Das said on the concluding day of the fourth bi-monthly MPC meeting this year.
Tokenisation is a process in which the debit or credit card number is replaced with a unique code, or ‘token’, for online or point-of-sale (POS) transactions. It allows the card data to remain hidden during a transaction, ensuring added security. Currently, the data gets stored on the merchant platform.
The RBI governor said the MPC has proposed to introduce the card tokenisation facility at the level of the issuer bank, allowing customers to get their cards tokenised at their respective banks and link them to their existing bank accounts with the e-commerce applications.
RBI implemented the tokenisation facility on October 1, 2022. In a press statement, Das said that over 56 crore tokens have been created so far, and over Rs 5 lakh transactions were done through these cards. Tokenisation has helped improve the transaction approval rate, the statement said.
However, the banks will still require guidelines from RBI for the tokenisation facility, which will be issued separately, RBI said. The facility will make things easier for cardholders, who currently need to tokenise their cards separately with different merchants.
Rahul Jain, chief financial officer of NTT DATA Payment Services India, says, “The central bank’s recent announcement regarding new channels for card-on-file tokenisation marks a significant advancement towards a cashless payment system. Additionally, this process poses minimal challenges for issuer banks, as most of them can leverage the existing unified payment framework for token creation.
“This strategic move not only promotes safer and more secure card transactions but also enhances overall transaction efficiency. Furthermore, it aims to combat fraud and bolster cardholder data security.”
There is no difference in the way transactions are done, but with a tokenised card the card details, such as the card number, remain hidden; the merchant can see only the code.
When one transacts through a tokenised card, the merchant receives the token data and transmits it to the card-issuing company, which matches the token number to the card number it is linked with and then permits the transaction if all the requirements are met.
RBI initially permitted the tokenisation facility only through mobile phones and tablets. In August 2021, the scope was widened to include desktops, laptops, wristwatches, Internet of Things (IoT) devices, etc.