New Delhi: The rules for online payments for debit and credit cards are going to change from October 1, 2022, as the Reserve Bank of India (RBI) card-on-file (CoF) tokenization norms will come into effect. RBI rules prohibit any platform to save the card details of the users to protect the information of fraud and theft of the card of the customers.
Earlier the RBI deadline was July 1. However, it was postponed till 1 October. The move is expected to improve the payment experience of cardholders and enhance protection against payment frauds.
What are the card-on-file tokenization norms of RBI?
Card-on-File (COF) means credit or debit card information such as numeric number, expiration date and name stored in a database for payment gateways and merchants to process future transactions.
According to the RBI website, tokenization means replacing the actual card details with an alternate code called “token”, which will be unique to the combination of the card, token requester, card network and device.
The Cardholder can obtain the token by initiating a request on the App provided by the token requester. The token requester will forward the request to the card network, which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, token requester and device.
what will happen now?
Once customers start buying an item, the merchant will initiate tokenization and ask for consent to tokenize the card. Once consent is obtained, the merchant card will send the request to the network.
The 16-digit card number will be replaced with a token that is generated by the card network and sent back to the retailer. This token will be kept on file by the retailer for future transactions. They will now have to enter their CVV and OTP for approval, as it was earlier.
How will it affect customers?
Tokenized card transactions are considered more secure as the actual card details are not shared with the merchant during the transaction process. Once the card-on-file tokenization norms are implemented, the platform will not be able to store any buyer’s card sensitive details in any form.