RBI extends card tokenization deadline by 6 months - Key points you need to know
In a major development, the Reserve Bank of India (RBI) has extended the card tokenisation deadline by 6 months. In a statement, RBI said, "The timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022." Earlier, RBI had given a deadline of December 31 for tokenisation.
With the deadline extended, let us go through the important facts we need to know about tokenisation.
What is tokenisation?
Tokenisation refers to the replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card, token requestor (i.e. the entity which accepts the request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and device (referred hereafter as “identified device”). Source: Reuters
What will this mean?
Earlier, RBI had given a deadline of December 31 for tokenisation. This meant that from January 1, merchants would not be able to store the card information of users and would have to replace each card number with a randomised token number. With the six-month extension in place, merchants will face the same issue from July 1, 2022.
Benefits of tokenisation
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
How can tokenisation be carried out?
The card holder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.
Who can perform tokenisation and de-tokenisation?
Safety after tokenisation?
Actual card data, token and other relevant details are stored in a secure mode by the authorised card networks. Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices / globally accepted standards.
Is it mandatory?
How does the process work?
The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc. Customers will also be given the choice of selecting the use case and setting-up of limits.
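The request flow and storage rules described above (token unique per card, token requestor and device; issuer consent; AFA consent; no PAN at the token requestor), modelled as an added sketch that is not code from RBI, Reuters or any card network. Class names, identifiers and the test card number are constructed, and refusing a token presented by a different requestor or device is an assumption of the sketch.

```python
import secrets

class CardNetworkVault:
    """Toy card-network vault: the only place where PAN and token are linked."""
    def __init__(self):
        self._token_for = {}    # (pan, requestor_id, device_id) -> token
        self._binding_for = {}  # token -> (pan, requestor_id, device_id)

    def tokenise(self, pan, requestor_id, device_id, afa_passed, issuer_consents):
        if not afa_passed:
            raise PermissionError("no explicit customer consent via AFA")
        if not issuer_consents:
            raise PermissionError("card issuer did not consent")
        binding = (pan, requestor_id, device_id)
        if binding not in self._token_for:
            token = self._new_token(pan)
            self._token_for[binding] = token
            self._binding_for[token] = binding
        return self._token_for[binding]

    def _new_token(self, pan):
        # Random digits, not derived from the PAN, so the token alone reveals nothing.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._binding_for:
                return token

    def detokenise(self, token, requestor_id, device_id):
        # Assumption of this sketch: a token used outside its binding is refused.
        pan, bound_requestor, bound_device = self._binding_for[token]
        if (requestor_id, device_id) != (bound_requestor, bound_device):
            raise PermissionError("token not valid for this requestor/device")
        return pan

class TokenRequestor:
    """Hypothetical merchant app: forwards the request, keeps only the token."""
    def __init__(self, requestor_id, network):
        self.requestor_id, self.network = requestor_id, network
        self.saved_cards = {}   # device_id -> token (never the PAN)

    def save_card(self, pan, device_id, afa_passed, issuer_consents=True):
        token = self.network.tokenise(pan, self.requestor_id, device_id,
                                      afa_passed, issuer_consents)
        self.saved_cards[device_id] = token
        return token

TEST_PAN = "4111111111111111"  # constructed test number, not a real card
```

A breach of the token requestor's `saved_cards` in this model exposes only tokens, each tied to one requestor and device; the PAN mapping exists only inside the network's vault.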