RBI Mandate on Recurring Payments: Card on File (CoF) Tokenization

RBI Mandate on Recurring Payments

The new RBI mandate on recurring payments aims to mitigate the risk of security breaches associated with Card on File (CoF) transactions during online payments. The move is intended to enhance the data security & safety of people making card payments through digital means.

The RBI tokenization guidelines will require e-commerce platforms, payment gateways, and all authorized card payment networks to adopt a token-based payment method. This online payment development prohibits these entities from storing customers’ card data on file, which in turn prevents them from debiting recurring payments from customers.

What is a CoF Payment Transaction?

A Card-on-File (CoF) transaction is a payment method in which a cardholder authorizes the merchant to save his/her card details on the merchant’s internal systems.

Businesses such as e-commerce platforms, supermarket chains, airlines, etc., store their customers’ card details on their systems. Further, the cardholder permits the same merchant to bill his/her card to complete any payment.

The downside of this kind of transaction is that sensitive debit/credit card information stored on the merchant’s systems is put at risk whenever a user transacts online.

The New RBI Regulations On Tokenization

In September 2021, the RBI, i.e., the Reserve Bank of India, mandated the use of tokenization as a substitute for card data storage when transacting online. It required online retailers & merchants to terminate the storage of customers’ card details on their servers.

The RBI guidelines on recurring payments & transactions carried out via credit/debit cards were effective from the 1st of January 2022 & they are set to become the norm for every card-based transaction occurring on e-tailer platforms.

Card-On-File Tokenization: Making Card Payments Safer

The new RBI guidelines instruct the use of tokenization, which is the process that replaces a user’s actual debit & credit card details with an alternative code known as the ‘token.’ The token can either be a series of numbers or a combination of alpha-numeric characters. It can either be in the same format as the card number or may follow a different format.

Using a token significantly reduces the risk of sensitive card data, including card numbers & CVVs, being exposed while users make payments online.

Payment systems use the tokenization process to link their customer’s card data to a token they will provide to the specified merchant. When a user initiates a digital payment, a token will be generated, which will be exclusive for a card, merchant & token requester combination.

Tokenization also makes online payments effortless for users as it eliminates the need for them to key in their 16-digit card number, name, card expiration date & CVV every time they transact an online payment. The RBI mandate on recurring payments makes repeating card transactions safer & simpler.

The RBI has put forth the following guidelines with regard to tokenization:

  • Online payment aggregators must utilize network tokens to refer to their customer’s card data to process transactions instead of using the actual number/CVV/validity details of the credit or debit card.
  • The token created for this purpose has to be distinct for a combination of token requester, merchant & card.
  • Tokenization of card details has to be done solely on the basis of the card issuer’s Additional Factor of Authentication (AFA) validation & the customer’s consent.
  • The merchant must offer the cardholder the option to de-register the token.
  • In a case where the card is replaced or renewed, the card issuer has to obtain permission from the cardholder to link his/her card with the merchant(s) he/she had previously registered the card with.
  • The Token Service Provider (TSP) has to set up a mechanism to assure that the request for the transaction has arisen from the merchant & the token requester with whom the token is associated.
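
The token-binding rules in the list above, as an added example (not code from the RBI, a card network, or SignDesk): a toy in-memory Token Service Provider that issues one token per card, merchant & token requester combination, requires AFA validation & consent, rejects use from any other merchant, and supports de-registration. The class, method, and identifier names are hypothetical, and a Python dict stands in for a hardened card vault.

```python
import secrets

class TokenVault:
    """Toy in-memory Token Service Provider (TSP); every name here is hypothetical."""

    def __init__(self):
        self._by_token = {}    # token -> (pan, merchant_id, requester_id)
        self._by_binding = {}  # (pan, merchant_id, requester_id) -> token

    def tokenize(self, pan, merchant_id, requester_id, afa_validated, consent):
        # Tokenize only after issuer AFA validation and explicit customer consent.
        if not (afa_validated and consent):
            raise PermissionError("AFA validation and customer consent are required")
        binding = (pan, merchant_id, requester_id)
        if binding in self._by_binding:
            return self._by_binding[binding]
        # Random digits in card-number format: nothing in the token derives from the PAN.
        token = pan
        while token == pan or token in self._by_token:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
        self._by_token[token] = binding
        self._by_binding[binding] = token
        return token

    def resolve(self, token, merchant_id, requester_id):
        """Return the PAN only if the request comes from the token's own domain."""
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (merchant_id, requester_id):
            return None  # unknown, de-registered, or replayed from another merchant
        return binding[0]

    def deregister(self, token):
        """Cardholder-initiated removal; the token stops resolving immediately."""
        binding = self._by_token.pop(token, None)
        if binding is not None:
            del self._by_binding[binding]
        return binding is not None

def demo():
    pan = "4111111111111111"  # constructed test card number, not a real account
    vault = TokenVault()
    t_a = vault.tokenize(pan, "shop-a", "gateway-1", True, True)
    t_b = vault.tokenize(pan, "shop-b", "gateway-1", True, True)
    return {
        "distinct": t_a != t_b,
        "own_domain": vault.resolve(t_a, "shop-a", "gateway-1") == pan,
        "other_merchant": vault.resolve(t_a, "shop-b", "gateway-1"),
        "after_deregister": vault.deregister(t_a) and vault.resolve(t_a, "shop-a", "gateway-1"),
    }
```

Calling `demo()` shows that a token lifted from one merchant resolves to nothing when presented by another, which is why a breach at a single merchant does not expose a card that can be reused elsewhere.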

How Does the Recent RBI Regulation Help Consumers?

The RBI mandate on recurring payments offers several benefits to people making online purchases that enhance their experience while heightening their credit/debit card security. The RBI’s new guidelines help customers do away with memorizing and typing out their card details as the generated token will facilitate the payment seamlessly.

Some of the advantages card tokenization offers to consumers are:

  • Heightened Data Security
  • Physical Card Requirement Eliminated
  • Lower Payment Declination
  • Quicker Transactions
  • Enhanced Payment Flexibility

How Does Tokenization Improve Data Security?

The primary motive behind tokenization is to protect consumers’ card data so as to reduce the risk of online fraud & financial theft. As distinct tokens are created for the same card payment across many platforms, the risk of fraud is reduced.

Even if a fraudster gains access to the token, it is highly challenging for him to extract the actual card details from it. Tokenization prevents credit/debit card details from getting hacked, increasing customer trust & enabling more widespread use of digital payment methods.

What Can Businesses Expect From the Latest RBI Tokenization Guidelines?

The RBI mandate on recurring payments helps heighten card data security right from the point of data capture as it eliminates the need for online businesses to store sensitive card information on their servers.

The RBI rules mandating that online retailers & payment gateways employ tokenization for receiving payments help reduce the risk of card data theft & security breaches, which can cause substantial losses to the business and the customer.

Additionally, card tokenization makes it easier for businesses to receive payments from customers, as they are no longer burdened by compliance issues concerning the internal storage of customers’ card data.

Businesses can use SignDesk’s eMandate solution – link.it, to automate recurring payments without worrying about data security breaches.