Card-on-File Tokenisation Can Now be Done at Issuer Bank Level

The Reserve Bank of India (RBI) has enabled the generation of Card-on-File (CoF) tokens directly through card-issuing banks or institutions. This will facilitate the tokenisation of cards for multiple merchant sites through a single process. Prior to this notification, such tokens could be generated only through the merchant’s application or webpage.

Tokenisation refers to the substitution of the card’s 16-digit number with a unique alternate card number known as ‘token’. Such tokens could be used for online transactions, mobile point-of-sale transactions, or in-app transactions. The transactions using tokens are safer since the personal details of cardholders are not shared or stored with the merchants.

Highlighting the benefits of tokenisation, the RBI announced its decision to enable CoF token generation directly at the issuer bank level, in October of this year. The decision was taken with the expectation that it would be convenient for cardholders to get tokens created and then linked to their existing accounts with e-commerce applications.

The directive dated December 20, 2023, elaborates on the process, stating that CoF token generation can be made only when explicit customer consent is obtained and with Additional Factor Authentication (AFA) validation. The same may be enabled through mobile banking and internet banking channels.