
Tokenisation For Credit and Debit Card Transactions


Recently, the Reserve Bank of India’s card-on-file (CoF) tokenisation norms have kicked in, which aim at improved safety and security of card transactions.


GS-III: Indian Economy (Growth and Development of Indian Economy, Mobilization of Resources, Financial Inclusion, Banking Sector)

Dimensions of the Article:

  1. What is Tokenisation and what are RBI’s guidelines?
  2. How will tokenisation work?
  3. Who can offer tokenisation services?
  4. What do customers gain from tokenisation?

What is Tokenisation and what are RBI’s guidelines?

  • Tokenisation means replacement of actual card details with an alternate code dubbed as “token”.
  • The token will be unique for a combination of card, token requestor and device.
  • This token is used to perform card transactions in contactless mode at point-of-sale terminals and for Quick Response (QR) code payments.
  • A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
  • Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online.
  • RBI had issued new guidelines in September 2021. Under the guidelines, merchants will not be able to store customers’ card data in their servers.
  • The guidelines prohibited merchants from storing customer card details and mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage.

Card-on-File (CoF)

  • In a CoF transaction, the cardholder authorises a merchant to store his/her Mastercard or Visa payment details. The cardholder then authorises the same merchant to bill the stored Mastercard or Visa account.
  • E-commerce companies, airlines and supermarket chains normally store card details in their systems.

How will tokenisation work?

  • A debit or credit card holder can get the card tokenised by initiating a request on the app provided by the token requester.
  • The token requester will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requester, and the device.
  • The customer will not be charged for availing the tokenisation service.
  • Earlier, the facility for card tokenisation was available only for mobile phones and tablets of interested card holders.
  • Subsequently, with an uptick in tokenisation volume, the RBI decided to extend the scope of tokenisation to include consumer devices – laptops, desktops, wearables (wrist watches, bands, etc.) and Internet of Things (IoT) devices.

Who can offer tokenisation services?

  • Tokenisation can be performed only by the authorised card network and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only.
  • Adequate safeguards have to be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network.
  • RBI has emphasised that the integrity of the token generation process has to be ensured at all times.
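
The flow described in the two sections above (a token bound to the combination of card, token requester and device, with the PAN recoverable only by the card network) can be sketched as follows. This is an added example, not part of the original article and not RBI or card-network code; the class and method names, the 16-digit random token format and the sample PAN are assumptions constructed for illustration.

```python
import secrets

class CardNetworkVault:
    """Toy token vault standing in for the authorised card network (hypothetical)."""

    def __init__(self):
        self._token_for = {}    # (pan, requester, device) -> token
        self._binding_for = {}  # token -> (pan, requester, device)

    def tokenise(self, pan, requester_id, device_id, issuer_consent):
        # The network issues a token only with the card issuer's consent.
        if not issuer_consent:
            raise PermissionError("card issuer did not consent")
        binding = (pan, requester_id, device_id)
        if binding in self._token_for:          # same combination -> same token
            return self._token_for[binding]
        while True:
            # Random digits, not a hash of the PAN: nothing in the token can be
            # reversed or brute-forced back to the card number outside the vault.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._binding_for:
                break
        self._token_for[binding] = token
        self._binding_for[token] = binding
        return token

    def detokenise(self, token, requester_id, device_id):
        # Only the vault can map a token back, and only for the requester and
        # device it was issued to; a token copied elsewhere is rejected.
        binding = self._binding_for.get(token)
        if binding is None or binding[1:] != (requester_id, device_id):
            raise PermissionError("token not valid for this requester/device")
        return binding[0]


if __name__ == "__main__":
    vault = CardNetworkVault()
    pan = "4111111111111111"  # constructed sample, a common test card number
    t_a = vault.tokenise(pan, "merchant-A", "phone-1", issuer_consent=True)
    t_b = vault.tokenise(pan, "merchant-B", "phone-1", issuer_consent=True)
    print("merchant-A stores:", t_a)
    print("merchant-B stores:", t_b)
    print("network resolves :", vault.detokenise(t_a, "merchant-A", "phone-1"))
```

A merchant that holds only its own token has nothing usable if its database leaks: the token fails for any other requester or device, and the PAN never leaves the vault.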

What do customers gain from tokenisation?

  • A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
    • Actual card data, token and other relevant details are stored in a secure mode by the authorised card networks.
  • The token requestor cannot store Primary Account Number (PAN), or any other card details.
  • Card networks are also mandated to get the token requester certified for safety and security, in conformance with international best practices/globally accepted standards.

-Source: Indian Express

February 2024