The Reserve Bank of India (RBI) has announced the expansion of Card-on-File Tokenisation (CoFT) services to include card-issuing banks. This development, outlined in a recent RBI circular dated December 20, 2023, builds upon previous guidelines and aims to provide cardholders with more flexibility and security in their online transactions. Previously, card tokenisation services, which replace sensitive card details with a unique digital token in online transactions, were offered by card issuers and card networks. The latest directive from the RBI now enables card-issuing banks and institutions to directly offer CoFT services. This move offers cardholders an additional, convenient option to tokenise their cards for use across multiple merchant sites through a single process.
Key features of this new facility include:
- Generation of Card-on-File (CoF) tokens through mobile banking and internet banking channels, initiated by card issuers.
- Generation based on explicit customer consent and Additional Factor of Authentication (AFA) validation. For cardholders opting to tokenise their cards for multiple merchants, a combined AFA validation process will be employed.
- Availability of generated tokens on the merchant’s payment page and in the cardholder’s account with the merchant.
- Flexibility for cardholders to tokenise their cards at their convenience, whether upon receiving a new card or later.
- Provision by card issuers of a comprehensive list of merchants eligible for tokenisation services, from which cardholders can make their selections.
- The RBI emphasizes that all other provisions from its circulars dated January 8, 2019, August 25, 2021, September 7, 2021, and July 28, 2022, regarding tokenisation and card transactions, remain applicable.