Update (December 24): Following requests, RBI has extended the deadline for CoF card tokenization by six months until June 30, 2022. Until then, industry stakeholders are advised to come up with mechanisms to handle use cases where the card information is stored by entities other than card issuers and card networks.
The original story starts here.
Over the last two decades, there has been a big shift in how people buy their stuff. Almost everything can be purchased online through eCommerce sites like Flipkart, Paytm, Amazon, and even groceries on BigBasket and Grofers. One thing that remains a point of concern is protecting the users’ debit, credit, and prepaid card details.
To this end, the Reserve Bank of India (RBI) is mandating new online shopping guidelines that include CoF (Card on File) tokenization. This will be effective from January 1, 2022, but this is not the first time. RBI initially allowed card transaction tokenization back in 2019 for credit, debit, prepaid cards, and now it’s being made compulsory.
What is CoF Tokenization for Credit/Debit cards?
As the name explains, it’s a process where the details of a card (16-digit number) are converted to a digital encrypted token that can be used on online shopping websites. In other words, it’s an anonymized combination of the card number, the merchant, and the token requester in the transaction.
This way, the actual details of the card are never revealed to the other parties involved in the transaction.
“Customers who opt for tokenization can complete transactions without inputting their card details every time they make a transaction. Overall, it is a step towards consumer convenience and preventing fraud cases,” Shailesh Paul of Visa Inc. told Financial Express. Paul is the VP/Head of Merchant Sales & Acquiring and CyberSource, India and South Asia at Visa.
RBI has made it compulsory for all online merchants to enable card tokenization on their platforms and services. The actual process of creating tokens will be carried out by the card issuers. However, it’s optional for the users, which means you can choose whether to enable tokenization for your credit/debit card or not.
While no security measure is considered fool-proof these days, the new card tokenization guidelines are expected to reduce the chances of fraud and data leaks by a great margin.
It becomes more important during times when almost every online shopping website prompts you to save your card details for easy payments. Speaking of which, RBI ordered all online merchants to delete their existing card details from their websites.
While merchants deploy required safety measures to store cards, it could bring dark clouds during the unlikely event of a data breach on a site with millions of card details.
Moreover, adding tokenization to the picture will not affect the online shopping experience for the users. Most of the work will happen in the background without much user interaction required. It’s a good step towards making mobile and online transactions safer for people living in India.