Nowadays many entities involved in an online card transaction chain, including merchants, store card data such as the card number and expiry date (Card-on-File, CoF), citing cardholder convenience and comfort for undertaking future transactions. While this practice does offer convenience, the availability of card details with multiple entities increases the risk of card data being stolen or misused. The Reserve Bank of India (RBI) mandated that after June 30, 2022, entities other than card networks and card issuers cannot store card data. The RBI announced an extension of the June 30, 2022 timeline by three more months, i.e., to September 30, 2022.
There have been several instances where such data stored by merchants, etc. has been compromised. Because many jurisdictions do not mandate an Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Scammers also use social engineering techniques to perpetrate frauds using such data.
Under the CoF Tokenisation (CoFT) framework, cardholders can create “tokens”, unique alternate codes used in lieu of card details; these tokens can then be stored by merchants for processing future transactions. To create a token under the CoFT framework, the cardholder has to undergo a one-time registration process for each card at every online / e-commerce merchant’s website / mobile application, by entering the card details and giving consent for creating a token. This consent is validated by way of authentication through an AFA. Thereafter, a token is created which is specific to the card and the online / e-commerce merchant, i.e., the token cannot be used for payment at any other merchant. For future transactions performed at the same merchant website / mobile application, the cardholder can identify the card by its last four digits during the checkout process. Thus, the cardholder is not required to remember or enter the token for future transactions. A card can be tokenised at any number of online / e-commerce merchants. For every online / e-commerce merchant where the card is tokenised, a specific token will be created. The RBI encourages cardholders to tokenise their cards for their own safety. Cardholders’ payment experience will be enhanced through an added layer of security by way of tokenisation.
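The merchant-specific token property described above, sketched as an added example (not RBI's or any card network's code): a hypothetical `TokenVault` class stands in for the card network or issuer, and the card number and merchant names are constructed sample values.

```python
import secrets


class TokenVault:
    """Hypothetical stand-in for the card network / issuer, the only holder of card data."""

    def __init__(self):
        self._by_token = {}   # token -> (card_number, merchant_id)
        self._by_pair = {}    # (card_number, merchant_id) -> token

    def register(self, card_number, merchant_id, afa_passed):
        """One-time registration of one card at one merchant."""
        if not afa_passed:
            raise PermissionError("consent not validated through AFA")
        pair = (card_number, merchant_id)
        if pair not in self._by_pair:
            token = secrets.token_hex(8)  # random, not derived from the card number
            self._by_pair[pair] = token
            self._by_token[token] = pair
        # The merchant receives and stores only the token and the last four digits.
        return {"token": self._by_pair[pair], "last4": card_number[-4:]}

    def resolve(self, token, merchant_id):
        """Map a token back to the card, only for the merchant it was issued to."""
        card_number, owner = self._by_token.get(token, (None, None))
        if card_number is None or owner != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return card_number


def demo():
    vault = TokenVault()
    card = "4111111111111111"  # constructed test number, not a real card
    shop_a = vault.register(card, "merchant-A", afa_passed=True)
    shop_b = vault.register(card, "merchant-B", afa_passed=True)
    try:
        vault.resolve(shop_a["token"], "merchant-B")  # token presented elsewhere
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return shop_a, shop_b, replay_blocked, vault.resolve(shop_a["token"], "merchant-A")


if __name__ == "__main__":
    print(demo())
```

A record leaked from merchant-A in this model contains no card number, and its token is rejected when presented by any other merchant.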
As per RBI records, about 19.5 crore tokens have been created to date. Opting for CoFT is voluntary for cardholders. Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction.