
Explainer | RBI expands tokenisation facility to card-on-file tokenisation services

The RBI has now made the tokenisation feature formally available to all card networks. This feature is only available for purchases made through your mobile phone or tablet.

September 08, 2021 / 04:03 PM IST
Rank 5 | Visa | Company: Payments | Brand value: $1,86,809 million | Brand value change: 5 percent (Image: Reuters)


On September 7, the Reserve Bank of India extended the tokenisation guidelines to card-on-file tokenisation (CoFT) services and said tokenisation of data should be done with explicit customer consent. This is being done to allow seamless recurring payments through the tokenisation framework.

What is card-on-file tokenisation?

Card-on-file tokenisation is helpful for recurring payments as it can store payment information. In this scheme, multiple entities do the tokenisation. These include payment gateway providers such as VISA, Mastercard, etc., payment aggregators and merchant outlets.

What are the benefits of card-on-file tokenisation?

It enables consumer payment details to be refreshed instantly when a card is lost, stolen or expires. The consumer does not have to log in to online shopping accounts, over-the-top (OTT) platforms, etc. to update the card details.


What is tokenisation?

Tokenisation of cards is a process by which your card details remain secure and do not get stored by or revealed to the merchant. Only your card network and your card-issuing bank know them. The 16-digit number on the card gets replaced with a unique alternate code, also known as a ‘token.’

"Currently, card details shared by a customer while making card transactions are stored at the merchant’s end, which makes them susceptible to hacking or data theft," said Naveen Kukreja, CEO and co-founder of

To be sure, tokenisation of cards for payment is available across several countries, including the USA, Europe, Australia, etc. In India too, tokenisation has been available since the launch of Samsung Pay on Samsung mobile phones. For those who have just joined the party, Samsung Pay is a feature that allows you to shop at physical stores using your credit card details, but without physically requiring your credit card. All you need to do is key in your credit card details on your Samsung phone. At the checkout counter of your store, you need to wave your Samsung phone (if the point-of-sale terminal at your shop supports contactless cards, known as Near Field Communication or NFC) and the transaction goes through. Incidentally, even if the POS terminal doesn’t have NFC enabled, you can still complete the transaction using Samsung Pay. Abroad, Apple Pay is a similar feature that Apple Inc makes available on all its iPhones. Apple Pay has not come to India.

The RBI has now made this feature formally available to all card networks. This feature is only available for purchases made through your mobile phone or tablet. Tokenisation needs three elements to be present: your device, a token requester (TR) and a credit card. But how does tokenisation help, and what exactly do you have to do to shop using this secure feature?

How does tokenisation work and how can customers initiate it?

To appreciate how tokenisation secures your vital information, let’s visualise how a normal credit card transaction works.

Say you have a credit card from HDFC Bank (the issuer bank). You walk into a shop (the merchant) that uses a Citibank card-reading machine. In this example, Citibank is the acquirer. When you swipe your card at the check-out counter, your details, including your card number, are captured by the acquirer (Citibank, since it owns the card reader). The acquirer sends the details to the card network (VISA, for instance, if you have a VISA card), which in turn sends them to the issuer bank to verify your card details. Your issuer bank decides whether or not to approve the transaction. We assume it does, and the payment goes through. Here, though, your card number travels through the system.

Enter tokenisation. The firm that enables you to make a card (credit or debit) payment, in this case Samsung, has to become the token requester (TR). Once you key in your card details on your Samsung phone, it obtains a token from the card network whose card you use. For instance, if you register a VISA card (it doesn’t matter which bank’s credit card you use), then Samsung Pay will request a token from VISA for your card. VISA will, in turn, issue a token that acts as a proxy for your card number. Now, whenever you use your card to buy a product, your card number will not travel through the payments system. Just select the card image that is stored and the TR will generate a token and complete the transaction.

Let's go back to the shop from where you originally bought some goodies using your credit card. Once you swipe your Samsung phone (that has Samsung Pay on it and your credit card image stored on it), the acquirer sends your token to the card network. The card network has your original card number as well as your token. But your issuer bank only has your card number. Hence, the card network sends the card number to the issuer bank for payment authorization. Your bank authorizes it and sends the details back to the card network, which in turn sends the acceptance to the acquirer. In all this, the only entities that know your card details are the card network (VISA) and your own bank (card issuer; HDFC Bank).

Tokenisation will be particularly useful when you buy something on an e-commerce website like Amazon or Flipkart. At present, many of us opt to store our card number and details on these websites. This speeds up our shopping as we merely have to select our chosen card at the time of check-out. But what if the e-commerce website is hacked into and our card details are lost?

Tokenisation ensures that just our card image is stored. If the e-commerce website chooses to become a TR, every time we buy a product on an e-commerce website, we have to just select our card (image, since our card details need not be stored then) and the TR will generate a token and complete the transaction.

What if you have multiple cards and more than one mobile phone? The token that your card network issues is unique to your card (credit or debit), the device and the token requester. If any of these three factors changes, a new token gets generated.

How soon can you secure your card?

Although tokenisation is not new to India, it isn’t widespread. At present, Samsung Pay and a handful of other issuer wallets use tokenisation. But after the RBI’s circular, online shopping and e-commerce platforms that otherwise store your card details will also be allowed to offer tokenisation requests. These platforms, though, would need to become TRs. Industry officials say not everyone would rush to become TRs as they would need to comply with stringent RBI guidelines as well as spend money to develop the infrastructure. However, small e-commerce platforms may not find it feasible to adopt tokenisation.

"A significant investment is required by a merchant to adopt tokenisation. It also requires technical know-how to be able to store these tokens and process these tokenisation transactions," said Sreemoyee Mukherjee, Head-Unsecured loans, BankBazaar.

Also, according to RBI guidelines, customers will be allowed to decide whether they want to adopt tokenisation for payments through their mobiles / tablets or continue with the traditional methods of swiping a physical card at a store or storing card details online / on third-party apps to complete payment transactions.

If a card is lost, getting a reissued card from the bank is a lengthy process, and there is also a risk of misuse by a thief. For consumers using tokenisation, there is the added benefit of convenience. TR Ramachandran, Group Country Manager, India and South Asia of financial services company Visa explained, “Tokens tied to lost, or stolen mobile devices, can be instantly reissued – without the need to change the consumer’s primary account number or reissue the plastic card.”
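The flow described above (one token per card, device and token requester, with only the card network able to map it back) and the lost-device case in the previous paragraph can be modelled in a few lines. This is an added illustration, not code from the RBI, Visa or Samsung; the class names, the random 16-digit token format and identifiers such as phone-1 are assumptions.

```python
import secrets

class Issuer:
    """Issuing bank: knows only real card numbers (PANs), never tokens."""
    def __init__(self, limits):
        self.limits = dict(limits)            # PAN -> credit limit

    def approve(self, pan, amount):
        return amount <= self.limits.get(pan, 0)

class CardNetwork:
    """Token vault: the only party that can map a token back to a PAN."""
    def __init__(self, issuer):
        self.issuer = issuer
        self.by_binding = {}                  # (PAN, device, requester) -> token
        self.by_token = {}                    # token -> (PAN, device, requester)

    def issue_token(self, pan, device, requester):
        binding = (pan, device, requester)
        if binding not in self.by_binding:    # new card, device or TR => new token
            token = pan
            while token == pan or token in self.by_token:
                token = "".join(secrets.choice("0123456789") for _ in range(16))
            self.by_binding[binding] = token
            self.by_token[token] = binding
        return self.by_binding[binding]

    def authorise(self, token, amount):
        """What the acquirer calls: it supplies the token, never the PAN."""
        binding = self.by_token.get(token)    # unknown or revoked token -> None
        return binding is not None and self.issuer.approve(binding[0], amount)

    def revoke_device(self, device):
        """Lost phone: kill its tokens; the PAN and plastic card are untouched."""
        dead = [t for t, b in self.by_token.items() if b[1] == device]
        for token in dead:
            del self.by_binding[self.by_token.pop(token)]
        return len(dead)

def demo():
    pan = "4111111111111111"                  # constructed test number, not a real card
    net = CardNetwork(Issuer({pan: 1000}))
    phone = net.issue_token(pan, "phone-1", "wallet-app")
    shop = net.issue_token(pan, "phone-1", "shop-site")
    paid = net.authorise(phone, 300)          # merchant and acquirer saw only the token
    net.revoke_device("phone-1")              # phone reported lost
    blocked = not net.authorise(phone, 100)   # old token no longer maps to anything
    new = net.issue_token(pan, "phone-2", "wallet-app")
    return phone != shop, paid, blocked, net.authorise(new, 100)
```

A breach of the merchant's or acquirer's records in this model exposes only tokens, and revoking a device invalidates them without changing the underlying card number.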

In its guidelines, the RBI said tokenisation should be performed by the authorised card networks, which include Visa, MasterCard, RuPay, American Express and Diners Club. The tokenisation facility will only be offered on payment transactions through mobile phones and tablets.

According to the guidelines, no charges should be recovered from the customer for availing this service.

Hiral Thanawala is a personal finance journalist with 9 years of reporting experience. Based in Mumbai, he covers the financial planning, banking and fintech segments as part of the personal finance team at Moneycontrol.
first published: Jan 17, 2019 01:20 pm
