New Delhi: The rules for online payments for debit and credit cards are going to be changed from October 1, 2022, as Reserve Bank of India (RBI) card-on-file (CoF) tokenization norms will come to effect. The  RBI rule prohibits any platforms to save card details of the users in order to protect frauds and stolen card information of customers.

Earlier, RBI deadline was 1st of July. However, it was postponed until October 1. The move is expected to improve the payment experience of the cardholders and to increase security against payment frauds.

What is RBI’s card-on-file tokenisation norms?

Card-on-file (CoF) means credit or debit card information such as numerical number, expiry date and name stored in the database by payment gateway and merchants to process future transactions.

According to the RBI website, Tokenisation means replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card, token requestor, card network, and device.

The cardholder can get the tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor and the device.

What will happen now?

Once customers begin purchasing an item, the merchant will initiate tokenization and ask for consent to tokenise the card. Once consent is taken, the merchant will send the request to the card network.

The 16-digit card number will be replaced with a token that is created by the card network and sent back to the retailer. This token will be kept on file by the retailer for future transactions. They will now have to enter their CVV and OTP, same as previously, in order to approve.

How will impact customers?

A tokenised card transaction is considered more safe as actual card details aren’t shared with the merchant during the transaction process. Once the card-on-file tokenization norms are come into effect, the platforms won’t be able to store the card sensitive details of a shopper in any form.