RBI allows card-on-file tokenisation through issuer banks, card networks
The Reserve Bank of India has allowed card-on-file tokenisation (CoFT) through card issuing banks or institutions to provide cardholders with an additional choice to tokenise their cards for multiple merchant sites through a single process.
Earlier, card tokenisation services were provided by card issuers and card networks at merchant websites or at the time of purchase. The central bank had first announced extending this to issuer banks and financial institutions as part of the Statement on Development and Regulatory Policies in October 2023.
Generation of CoF tokens for a card, through the card issuer or card network, will now be enabled through mobile banking and internet banking channels, at customers’ convenience, either on receipt of the new card or later.
Card issuers will need to provide a complete list of merchants for whom they can provide tokenisation services and the cardholders will select the merchants where they want to maintain tokens. The tokens, thus generated will need to be made available on the merchant’s payment page, in the cardholder’s account with the merchant.
However, the tokenisation will need to be done only with explicit customer consent, and with AFA (additional factor authentication) validation, RBI said, adding that if the cardholder selects multiple merchants for which the card is to be tokenised, AFA validation may be combined for all the merchants.