Come January 2022, Why You Might Need to Remember Your Card Details

The Reserve Bank of India, in its latest circular, has restrained all merchants, payment aggregators and payment gateways from storing customer card credentials, with effect from 1st January 2022. The RBI has further advised payment gateways to use the Card on File Tokenisation (CoFT) payment method for more secure online payments. However, the card issuers, card networks, and payment gateways are yet to be fully integrated for CoFT. If any of these entities fails to be fully prepared, tokenisation will affect all online payments and you will be required to enter your credit or debit card credentials for every transaction.

Apart from being the apex institutions that facilitate the working of commercial banks and regulate the monetary decisions of the economy, the central banks are the driving forces in the development of national payment systems. The Reserve Bank of India takes several initiatives towards introducing and upgrading efficient and secure modes of payment system in the country to meet the requirements of the public at large.

Due to the COVID-19 pandemic, more and more individuals prefer online shopping for their everyday needs, which has tremendously increased the use of online payment methods and, with it, the number of online financial frauds. Debit and credit cards are currently the most used online payment methods in India, representing 25% to 30% of transactions. That said, they are also the payment method most targeted by fraudsters. To check out from e-commerce websites faster, many customers prefer to save their debit card or credit card details with the merchant (the e-commerce website). This data is securely stored on the merchant's server. However, even with security measures in place, your confidential data, such as credit card number, expiry date, CVV (Card Verification Value), name, etc., is exposed to a data breach. Scammers use malicious code to steal customer card credentials, which are then used to make fraudulent transactions.

With the primary aim of preventing online fraud arising from debit and credit card data breaches, by securing customer card credentials, the RBI has restrained merchants and payment gateways from saving Card on File (CoF), i.e. customer card credentials, on their servers, and has advised them to use the Card on File Tokenisation (CoFT) payment method. The main objective of the RBI is to create a security framework for safer digital transactions.

Therefore, once the new rule is effective from 1st January 2022, e-commerce companies like Amazon, Flipkart, Big Basket, Myntra etc., and payment aggregators and payment gateways like Google Pay, CashFree, Razorpay, Paytm, etc. will no longer be permitted to store customer card credentials for faster transactions. However, for reconciliation purposes these entities are allowed to store limited data – the last four digits of the debit or credit card number and the card issuer's name – in compliance with the applicable standards. Only the issuing banks (the bank that issues the card) and card networks (Visa, MasterCard, RuPay, etc.) will be permitted to store customer card credentials.

As discussed above, the RBI has provided a workaround called Card on File Tokenisation (CoFT), which can be used as a payment method with explicit customer permission. Let us understand what it is and how it works.

What is Card on File (CoF)?

Card on File (CoF) is nothing but customer card credentials, such as a 16-digit credit card number, expiry date, CVV, etc.

What is Tokenisation?

Tokenisation is the process of replacing sensitive data, such as bank account numbers, credit card details, etc. with a non-sensitive alternative, known as a token. It enables payments without actually disclosing the sensitive data that could potentially get exposed to a data breach.

What is de-tokenisation?

De-tokenisation is the conversion of a token back to the card credentials.

What is Card on File Tokenisation (CoFT)?

Card on File Tokenisation (CoFT) is the process of creating tokens for Card on File or customer card credentials to secure them from online frauds.

The authorised card networks work as Token Service Providers (TSPs), which can offer card tokenisation services to any token requestor (a merchant or payment gateway, i.e. a third-party app provider).

This mechanism also extends to Near Field Communication (NFC), in-app payments, QR code-based payments, etc.

A customer can use any number of devices to request tokenisation. However, at present, the facility is offered only through mobile phones or tablets but will be subsequently extended to laptops, desktops, wearable devices, such as wristwatches and bands, Internet of Things (IoT) devices, etc.

The Token Service Provider can tokenise card data only with explicit customer consent, which requires Additional Factor of Authentication (AFA) validation by the card issuer (i.e. a bank or any other card issuer).

The RBI also states that the complete and ongoing compliance by all the entities involved with these regulations shall be the responsibility of the card networks.

The Card on File Tokenisation is considered the safest mode of card payment as the actual card details are never shared with the merchant or payment gateway or payment aggregator.

A customer does not have to pay any additional charges for this facility.

One token will be limited to only one card and one merchant. However, a customer can tokenise multiple cards with the same merchant, or the same card with multiple merchants.

A customer will not have to remember the token.

Most importantly, this facility is not mandatory for customers. A customer can choose whether or not to tokenise his/her card. Besides, a customer can register or deregister for a particular use case. So, if you want to use Card on File Tokenisation only for in-app payments and not for QR code-based and contactless payments, you will be able to do that.

Furthermore, a customer is free to set or modify his/her per-transaction and daily transaction limits for the tokenised cards.

It is advisable to delete the tokenised cards of the e-commerce websites that you do not regularly shop with.

In case of a debit or credit card replacement due to any reason, such as renewal, upgrade, reissue, etc., a customer is required to create a fresh token. This is because your new card comes with a new 16-digit number, expiry date, and CVV.

How does the Card on File Tokenisation work?

Let us understand how Card on File Tokenisation (CoFT) works with an example.

Using her mobile phone, Maithili purchases a new laptop through an e-commerce merchant, say Amazon. She uses her HDFC Bank Visa Credit Card for the payment.

A tokenisation request will be initiated from her side on the app provided by the token requestor (i.e. the merchant, in this case Amazon).

Amazon will forward the request to the card network (in this case, Visa).

As we know, the card network works as a Token Service Provider (TSP). It will take consent from HDFC Bank (the card issuer) and then issue a token corresponding to the combination of the card, Amazon, and the device from which the request is initiated, i.e. Maithili's mobile phone.

So, Maithili makes a purchase through her credit card without disclosing her actual credit card number to the merchant, which ensures a reduced risk of a data breach.
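The flow above, and the definitions of tokenisation and de-tokenisation earlier on the page, can be made concrete with a small token vault. The code below is an added example written for this article, not the code of any card network or payment gateway; the class, function and field names, the 16-digit random token format, and the sample card data are all assumptions. It stands in for the TSP role: the vault alone maps a token back to the card credentials, each token is bound to the (card, merchant, device) combination described above, a token is issued only after the issuer's AFA check passes, and the merchant receives only what the circular lets it keep (the token, the last four digits and the issuer name).

```python
import secrets
import string

# Constructed sample inputs for the example; the PAN is the well-known Visa
# test number, not a real card.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "12/27"
SAMPLE_ISSUER = "HDFC Bank"  # issuer name, one of the fields a merchant may retain


class TokenServiceProvider:
    """Toy stand-in for the card network acting as Token Service Provider.

    Only the vault holds the token -> card mapping. A token is bound to one
    card, one merchant and one device, and is resolved back to the card only
    on the network/issuer side during authorisation, never by the merchant.
    """

    def __init__(self):
        self._vault = {}        # token -> {"pan", "expiry", "merchant", "device"}
        self._by_binding = {}   # (pan, merchant_id, device_id) -> token

    def tokenise(self, pan, expiry, issuer, merchant_id, device_id, afa_passed):
        """Handle a token requestor's request; issuer consent via AFA is mandatory."""
        if not afa_passed:
            raise PermissionError("card issuer did not validate AFA; no token issued")
        binding = (pan, merchant_id, device_id)
        token = self._by_binding.get(binding)
        if token is None:
            # One token per card+merchant+device. The token is random, so it
            # carries no information about the PAN and cannot be reversed
            # without the vault. (Hypothetical 16-digit format.)
            while True:
                token = "".join(secrets.choice(string.digits) for _ in range(16))
                if token not in self._vault:
                    break
            self._vault[token] = {"pan": pan, "expiry": expiry,
                                  "merchant": merchant_id, "device": device_id}
            self._by_binding[binding] = token
        # Everything the merchant is allowed to keep on file: no PAN, no CVV.
        return {"token": token, "last4": pan[-4:], "issuer": issuer}

    def detokenise(self, token, merchant_id, device_id):
        """De-tokenise at authorisation time; the binding check rejects a token
        presented by a merchant or device other than the one it was issued for."""
        rec = self._vault.get(token)
        if rec is None:
            raise KeyError("unknown token")
        if rec["merchant"] != merchant_id or rec["device"] != device_id:
            raise PermissionError("token is not bound to this merchant/device")
        return rec["pan"], rec["expiry"]

    def delete_token(self, token):
        """Customer deregisters a token (e.g. for a merchant no longer used)."""
        rec = self._vault.pop(token, None)
        if rec is not None:
            del self._by_binding[(rec["pan"], rec["merchant"], rec["device"])]
        return rec is not None


def can_detokenise(tsp, token, merchant_id, device_id):
    """True only if the token resolves for this merchant/device binding."""
    try:
        tsp.detokenise(token, merchant_id, device_id)
        return True
    except (KeyError, PermissionError):
        return False


def merchant_record_is_compliant(card_on_file):
    """Check that a stored merchant record holds only the permitted fields."""
    return set(card_on_file) <= {"token", "last4", "issuer"}


def run_flow():
    """Maithili's purchase: tokenise once for Amazon on her phone, then the
    network resolves the token during authorisation."""
    tsp = TokenServiceProvider()
    cof = tsp.tokenise(SAMPLE_PAN, SAMPLE_EXPIRY, SAMPLE_ISSUER,
                       merchant_id="amazon", device_id="maithili-phone",
                       afa_passed=True)
    pan, _ = tsp.detokenise(cof["token"], "amazon", "maithili-phone")
    return tsp, cof, pan == SAMPLE_PAN


if __name__ == "__main__":
    _, record, resolved = run_flow()
    print("merchant keeps:", record, "| network resolved card:", resolved)
```

The point to notice is the asymmetry: the merchant's record contains nothing that could be used to charge the card elsewhere, while the vault's binding check means a token copied out of one merchant's database does not resolve when presented under another merchant's or device's identity.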

Why is the RBI enforcing Card on File Tokenisation?

The RBI says most customers save their sensitive card data for faster checkout, and many merchants force their customers to save debit or credit card credentials (Card on File). However, there have been instances where customer card credentials, i.e. Card on File, have been stolen by scammers from merchant servers.

There are many jurisdictions where Additional Factor of Authentication (AFA), such as a One-Time Password (OTP) or Personal Identification Number (PIN), is not required. Hence, scammers can use stolen Card on File (CoF) data to make purchases. Such frauds can even take place in India through social engineering attacks.

How can Card on File Tokenisation create disruption?

If all the entities involved in the tokenisation, i.e. Token Service Providers (TSPs), card issuers, merchants, and payment gateways, are integrated and comply with the Card on File Tokenisation before the year-end, there will not be any need to enter your complete card details for every purchase.

However, the tokenisation entities are not yet fully integrated, and if they do not manage to integrate before 1st January 2022, you will be required to remember and enter your debit or credit card credentials for every purchase, as the merchants, payment aggregators and payment gateways will not be allowed to store your card credentials. Moreover, customers will also need time to fully understand the process. In the initial stage, customers might not be sure about providing consent and managing multiple tokens. We have witnessed the recent recurring payments disruption caused by under-prepared financial institutions. If the entities and customers are not well-prepared, Card on File Tokenisation may create an even bigger disruption.

This article first appeared on PersonalFN.
