The Reserve Bank of India (RBI) on June 24 extended the deadline for card data storage and tokenisation implementation by three more months to September 30, 2022.
The banking regulator said on a review of the issues involved and after detailed discussions with all stakeholders, it is observed that considerable progress has been made in terms of token creation. However, the transaction processing based on these tokens has also commenced, though it is yet to gain traction across all categories of merchants, the RBI said.
Further, an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction has not been implemented by the industry stakeholders, so far, it said.
This means that payment aggregators, payment gateways, and merchants can store the card credentials of customers in their databases only until September 30, a deadline that has already been extended a number of times before this, most recently by six months to June 30.
In the absence of an alternative mechanism, customers using their credit or debit cards from July 1 will have to enter the details afresh for each transaction, including the 16-digit card number, expiry date, and card verification value (CVV).
Payment companies and card networks Visa, Mastercard, and RuPay have been working to implement the alternative – Card on File Tokenisation (CoFT) – which replaces card details with a ‘token’ that will be unique for every debit or credit card and merchant platform where it is used.
Moneycontrol had reported on May 20 that merchants and the payments ecosystem are worried that the industry is not fully prepared for implementing tokenisation. The report further said that while the process of creating tokens has been put in place, there is no clarity on the execution of guest checkouts and how merchants can implement cashbacks and rewards in the absence of card data.
The RBI’s directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007), it said.
Further, the RBI, in a separate circular, also encouraged all cardholders to tokenise their cards and laid out the process in a bid to create further awareness among customers -- a move that many in the industry thought was lacking.
To create a token under the CoFT framework, the cardholder has to undergo a one-time registration process for each card at every online/e-commerce merchant’s website/mobile application, by entering the card details and giving consent for creating a token. This consent is validated by way of authentication through an additional factor authentication (AFA).
Thereafter, a token is created which is specific to the card and online / e-commerce merchant, i.e., the token cannot be used for payment at any other merchant. For future transactions performed at the same merchant website/mobile application, the cardholder can identify the card with the last four digits during the checkout process.
Thus, the cardholder is not required to remember or enter the token for future transactions. A card can be tokenised at any number of online / e-commerce merchants. For every online/e-commerce merchant where the card is tokenised, a specific token will be created.
"Till date, about 19.5 crore tokens have been created. Opting for CoFT (i.e., creating tokens) is voluntary for the cardholders. Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction," RBI further said.RBI extends card tokenisation deadline by three months - Moneycontrol
Read More
No comments:
Post a Comment