Reserve Bank of India (RBI) on Friday announced extension of its tokenisation norms from an earlier June 30, 2022 deadline by three more months to September 30, 2022, an RBI release said. The step was taken after consultation with the stakeholders and to avoid disruption and inconvenience to cardholders, the release said.
This extended time period may be utilised by the industry for facilitating all stakeholders to be ready for handling tokenised transactions, the release said. The period must also be used for processing transactions based on tokens, the release further said.
The RBI release said that the tiime period given by it must also be used for implementing an alternate mechanism(s) to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve /require storage of CoF data by entities other than card issuers and card networks; and (d) creating public awareness about the process of creating tokens and using them to undertake transactions.
The move came in the wake of industry stakeholders highlighted certain issues related to implementation of the framework in respect of guest checkout transactions. Also, number of transactions processed using tokens is yet to gain traction across all categories of merchants, the RBI reasoned for extending the timeline.
RBI mandated that after December 31, 2021, entities other than card networks and card issuers cannot store card data. This timeline was subsequently extended to June 30, 2022.
A framework for CoF Tokenisation (CoFT) services was also issued. Under this framework, cardholders can create “tokens” (a unique alternate code) in lieu of card details; these tokens can then be stored by the merchants for processing transactions in future.
Till date, about 19.5 crore tokens have been created. Opting for CoFT (i.e., creating tokens) is voluntary for the cardholders.
See Zee Business Live TV Streaming Below:
Why RBI brought tokenisation norms?
“Currently, many entities, including merchants, involved in an online card transaction chain store card data like card number, expiry date, etc. [Card-on-File (CoF)] citing cardholder convenience and comfort for undertaking transactions in future. While this practice does render convenience, availability of card details with multiple entities increases the risk of card data being stolen/misused. There have been instances where such data stored by merchants, etc., have been compromised. Given the fact that many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data.