The Reserve Bank of India’s (RBI’s) card-on-file tokenisation rule is all set to kick in from October 1. Under the new norm, the central bank has made it mandatory for all credit and debit card data used in online, point-of-sale, and in-app transactions to be replaced with unique tokens.
Here is all you need to know about card tokenisation:
What is card tokenisation?
According to the RBI, tokenisation means the details of a customer’s debit/credit card, such as the 16-digit number, name, expiry date and codes, which used to be saved for future payments, will now be replaced with an alternate code, called a token. The token is used by a merchant’s website for the transaction.
What is the purpose of card tokenisation?
A tokenised card transaction is considered safer as the actual details of the card will not be shared with the merchant during transaction processing. This will help cut the chances of card information leakage.
How can customers tokenise their cards?
A cardholder can initiate a request on the app provided by the token requestor to get their card tokenised. The request will then be forwarded to the card network, which will, with the consent of the card issuer, issue a token. The token will correspond to the combination of the card, the device, and the token requestor.
Customers can get their cards tokenised without paying any charges for the service. Only authorised card networks and entities, approved by the RBI, can perform card tokenisation.
In which cases/channels is card tokenisation allowed?
Customers can get their card tokenised through mobile phones and/or tablets for all use cases and channels, e.g., for contact card transactions, payments through QR codes, and apps.
Is tokenisation mandatory?
While the RBI has issued norms for card tokenisation, a customer can opt out of it. If a customer does not wish to get her card tokenised, she can continue the transaction by entering card details manually.
What is the number of cards a customer can request for tokenisation?
There is no limit to the number of cards a customer can request for tokenisation.
What to do in case of any issue with the card tokenisation process?
If a customer faces any issue with the card tokenisation process, she can complain directly to the card issuers. Customers shall also complain to card issuers in case of loss of the ‘identified device’ or other events in which tokens can be exposed to unauthorised users.
Can a card issuer refuse to tokenise a card?
Yes. Card issuers can refuse to tokenise cards on the basis of several factors, such as risk perception, etc.