Technology plays an ever-increasing role in the financial sector, and its applications keep growing. India is rapidly embracing technology, especially in day-to-day financial activities. People are moving from conventional transaction methods to digital payment channels, transitioning towards a cashless system. One of the major payment methods currently in use is payment by card. As more and more people turn to card payments for online shopping, entertainment and numerous other services, recurring payments are on the rise. With the exponential growth in card transactions comes a need to secure these payments.

This can be achieved by tokenizing card payments. Let’s begin with a basic idea of tokenization.

What is tokenization? Tokenization refers to the replacement of actual card details with an alternate code called the “token”, which is unique for a combination of card and token requestor.

What is CoFT? Card-on-File Tokenization (CoFT) is a method wherein the card number can be saved when you opt in during an online payment, for use in recurring payments. Such tokenization can be carried out by the merchant, payment aggregators, payment gateways or networks like Visa and Mastercard to meet the PCI DSS guidelines.

In view of the risk of data breaches, RBI has set some guidelines to ensure efficient implementation of card tokenization services. Let’s have a look at these guidelines:

1. RBI said the device-based tokenization framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenization (CoFT) services as well.
2. If card payment for a purchase transaction at a merchant is being performed along with the registration for CoFT, then AFA (Additional Factor of Authentication) validation may be combined.
3. A token requestor having direct relationship with the cardholder shall list the merchants in respect of whom the CoFT has been opted through by the cardholder.
4. The merchant shall give an option to the cardholder to de-register the token, if required.
5. A facility shall also be given by the card issuer to the cardholder to view the list of merchants in respect of whom the CoFT has been opted by her / him, and to de-register any such token.
6. Whenever a card is renewed or replaced, the card issuer shall seek explicit consent of the cardholder for linking it with the merchants with whom the cardholder had earlier registered the card.
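
The definition of a token and guidelines 3 to 6 can be seen together in a small model. This is an added example, not code from RBI or any card network: the `TokenVault` class, the requestor and merchant names and the card numbers are all constructed, and keying each token on merchant as well as card and token requestor is an assumption made so that merchants can be listed per card.

```python
import secrets


class TokenVault:
    """Constructed toy vault: only this object can map a token back to a card."""

    def __init__(self):
        self._by_key = {}    # (card, requestor, merchant) -> token
        self._by_token = {}  # token -> (card, requestor, merchant)

    def tokenize(self, card, requestor, merchant):
        key = (card, requestor, merchant)
        if key in self._by_key:          # same combination -> same token
            return self._by_key[key]
        while True:
            # Random digits, not derived from the card number, so nothing to reverse.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != card and token not in self._by_token:
                break
        self._by_key[key] = token
        self._by_token[token] = key
        return token

    def detokenize(self, token, requestor):
        card, owner, _ = self._by_token[token]   # KeyError once de-registered
        if owner != requestor:
            raise PermissionError("token was issued to a different requestor")
        return card

    def merchants_for(self, card):
        # Guidelines 3 and 5: list the merchants a card is tokenized with.
        return sorted({m for (c, _, m) in self._by_key if c == card})

    def deregister(self, token):
        # Guidelines 4 and 5: the cardholder can remove a token at any time.
        self._by_key.pop(self._by_token.pop(token))

    def renew(self, old_card, new_card, consented_merchants):
        # Guideline 6: re-link only merchants the cardholder explicitly consented to.
        # Simplification (assumption): a fresh token is issued for the new card.
        for (card, requestor, merchant), token in list(self._by_key.items()):
            if card != old_card:
                continue
            self.deregister(token)
            if merchant in consented_merchants:
                self.tokenize(new_card, requestor, merchant)
```

A merchant that stores only the token holds nothing usable elsewhere: the same token presented by a different requestor is rejected, and a de-registered token no longer resolves at all.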