RBI extends the deadline for card tokenization by three months
According to the RBI, the industry stakeholders have not adopted a system for transactions where cardholders choose to manually enter their card information at the time of the transaction.
The implementation date for card data storage and tokenization was extended by the Reserve Bank of India (RBI) on June 24 by an additional three months, until September 30, 2022.
According to the banking regulator, a review of the relevant issues and in-depth conversations with all stakeholders showed that significant progress has been made in terms of token creation. The RBI said that transaction processing based on these tokens has already started but has not yet taken off across all types of merchants.
Furthermore, it stated that the industry's stakeholders have not yet adopted a backup mechanism for transactions in which cardholders choose to manually enter their card information at the time of the transaction.
This means that payment aggregators, payment gateways, and merchants can store customers' card credentials in their databases only until September 30. The deadline has been extended numerous times before this, most recently by six months to June 30.
In the absence of a substitute mechanism, customers using credit or debit cards starting on July 1 will need to enter all necessary information again for each transaction, including the 16-digit card number, expiration date, and card verification value (CVV).
Card on File Tokenization (CoFT), an option that replaces card information with a "token" that is specific to each debit or credit card and merchant platform where it is used, has been developed by payment businesses and card networks Visa, Mastercard, and RuPay.
Merchants and the payments ecosystem are concerned that the sector is not entirely ready to deploy tokenization, according to a Moneycontrol article from May 20. The article also stated that although the procedure for creating tokens has been established, there is still uncertainty around how guest checkouts would be carried out and how businesses will be able to apply cashbacks and rewards in the absence of card information.
The statement said the RBI's order was issued under Section 10 (2) read with Section 18 of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007).
Additionally, the RBI encouraged all cardholders to tokenize their cards and outlined the process in a separate circular in an effort to raise customer awareness, a move that many in the industry felt was lacking.
To create a token under the CoFT framework, the cardholder must complete a one-time registration process for each card at every website or mobile application of an online or e-commerce merchant. During this process, they must enter their card information and grant permission for the creation of a token. This consent is validated through an additional factor of authentication (AFA).
After that, a token is generated that is specific to the card and the online or e-commerce merchant, so it can only be used to make payments at that merchant. For future transactions carried out at the same merchant website or mobile application, the cardholder can identify the card during checkout by its last four digits.
Therefore, for subsequent purchases, the cardholder is not required to remember or enter the token. A card can be tokenized at any number of online or e-commerce merchants, and a unique token will be created for each merchant where the card is tokenized.
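The card-and-merchant binding described above, as an added sketch that is not the RBI's or any card network's code. `TokenVault`, its method names, the merchant ids and the test card number are assumptions made for illustration, and returning the same token on repeat registration is a design choice of the sketch.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy model of the token service side; merchants only ever hold tokens."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # keys the card fingerprint
        self._by_token = {}                   # token -> (pan, merchant_id)
        self._by_pair = {}                    # (card fingerprint, merchant_id) -> token

    def _fingerprint(self, pan):
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan, merchant_id, consent, afa_verified):
        """One-time registration: needs cardholder consent validated by AFA."""
        if not (consent and afa_verified):
            raise PermissionError("consent with AFA is required to create a token")
        pair = (self._fingerprint(pan), merchant_id)
        if pair not in self._by_pair:
            token = secrets.token_hex(8)      # random, not derived from the card number
            self._by_pair[pair] = token
            self._by_token[token] = (pan, merchant_id)
        # The merchant stores the token plus the last four digits for display.
        return {"token": self._by_pair[pair], "last4": pan[-4:]}

    def resolve(self, token, merchant_id):
        """Map a token back to the card, only for the merchant it was issued to."""
        record = self._by_token.get(token)
        if record is None or record[1] != merchant_id:
            raise PermissionError("token is not valid for this merchant")
        return record[0]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"                  # constructed test number
    a = vault.tokenize(pan, "merchant-a", consent=True, afa_verified=True)
    b = vault.tokenize(pan, "merchant-b", consent=True, afa_verified=True)
    try:
        vault.resolve(a["token"], "merchant-b")
        cross_use = "accepted"
    except PermissionError:
        cross_use = "rejected"                # a leaked token is useless elsewhere
    return a, b, cross_use
```

A merchant database built this way holds only the token and the last four digits, so a breach at one merchant exposes nothing that can be replayed at another.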
"There have been around 19.5 billion tokens produced so far. The cardholders may choose not to participate in CoFT (i.e., create tokens). Those who don't want to create a token can carry on with their transaction as usual by manually entering their card information," the RBI said further.