What changed
Previously, card-on-file tokenisation (CoFT) services were provided by card issuers and card networks. Now, RBI has enabled card issuing banks and institutions to directly offer CoFT services, allowing cardholders to tokenise their cards for multiple merchants in one go via mobile or internet banking.
What it means for you
Banks can now offer tokenisation as a direct service, reducing reliance on third-party networks and simplifying the process for customers. This could increase adoption of tokenisation, reduce card data storage risks, and enhance customer loyalty. Lenders must update their mobile and internet banking platforms to support this feature.
What you must do
- Enable CoFT generation through mobile banking and internet banking channels.
- Ensure explicit customer consent and AFA validation for token generation, with combined AFA for multiple merchants.
- Provide cardholders a list of merchants for tokenisation and allow them to select merchants.
- Make generated tokens available on merchant payment pages and in cardholder accounts.
- Comply with all existing RBI circulars on tokenisation from January 2019, August 2021, September 2021, and July 2022.
Who it affects
Card issuing banks and institutions, Payment system providers and participants, Cardholders using UPI and digital payments, Merchants accepting card payments
What is the key benefit of this change for cardholders?
Cardholders can now tokenise their cards directly through their issuing bank's mobile or internet banking, in a single process for multiple merchants, instead of doing it separately on each merchant site.
Do we need to update our existing tokenisation systems?
Yes, banks must enable CoFT generation through their digital channels, ensure AFA validation, and provide a merchant list. Existing tokenisation rules from earlier RBI circulars still apply.
Can tokens be issued by both the card network and the issuer?
Yes, the token may be issued by either the card network, the issuer, or both, as per the requirements.