Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services


📌 1. RBI invite reference  to  circular  DPSS.CO.PD  No.1463/02.14.003/2018-19  dated January  8, 2019  on  “Tokenisation  –  Card  transactions”,  permitting  authorised  card  networks  to  offer  card tokenisation  services  subject to  the  conditions  listed therein.  Initially  limited to mobile  phones  and tablets,  this  facility  was  subsequently  extended to  laptops,  desktops,  wearables  (wrist watches, bands, etc.), Internet of Things  (IoT)  devices, etc.,  vide  circular  CO.DPSS.POLC.No.S469/02-14-003/2021-22 dated August 25, 2021  on  “Tokenisation  –  Card Transactions  : Extending the Scope of Permitted Devices”. 

📌 2. Reference  is  also invited to circulars  DPSS.CO.PD.No.1810/02.14.008/2019-20  dated March 17, 2020  (as  updated from  time to time)  and  CO.DPSS.POLC.No.S33/02-14-008/20202021 dated  March 31, 2021  on “Guidelines  on Regulation of  Payment Aggregators  and Payment Gateways”,  advising  that  neither  the  authorised  Payment  Aggregators  (PAs)  nor  the  merchants on-boarded by  them  shall  store customer  card credentials  [also known as  Card-on-File (CoF)]. 

📌 3. On a review of the tokenisation framework and to enable cardholders to benefit from the security of tokenised card transactions as also the convenience of CoF, it has been decided to effect the following enhancements –
  1. Extend the device-based tokenisation framework referred to at paragraph 1 above to CoF Tokenisation (CoFT) as well.

  2. Permit card issuers to offer card tokenisation services as Token Service Providers (TSPs).

  3. The facility of tokenisation shall be offered by the TSPs only for the cards issued by / affiliated to them.

  4. The ability to tokenise and de-tokenise card data shall be with the same TSP.

  5. Tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by card issuer.

  6. Additional requirements relating to CoFT are listed in the annex.

📌 4. Further, in the interest of cIarity, the following points may be noted –

  1. With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.

  2. For transaction tracking and / or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards.

  3. Complete and ongoing compliance with the above by all entities involved, shall be the responsibility of the card networks.

📌 5. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).


RBI Compliance Group - Ozg Lawyers
WhatsApp 📲 WA.me/918779696580

Follow us for Updates 💗 @rbicompliance

Join us at Ozg Lawyers & Ozgian 24x7

(CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated  September  07, 2021)  - Annex

Conditions to be fulfilled  for  offering  CoFT  services -

📌 1.  For the purpose of CoFT, the token shall  be unique for  a combination of card, token requestor and merchant. 

📌 2.  If card payment for  a purchase transaction  at  a merchant  is  being  performed along with the registration for  CoFT, then  AFA  validation may  be combined. 

📌 3.  The  merchant  shall  give an  option  to  the  cardholder  to  de-register  the  token.  Further,  a  token requestor  having direct relationship  with the cardholder  shall  list the merchants  in respect  of whom  the  CoFT has  been opted  through  it  by  the cardholder;  and provide  an option to deregister  any  such token. 

📌 4.  A facility  shall  also  be  given  by  the card issuer  to the cardholder  to view  the list of  merchants in respect of  whom  the CoFT has  been opted by  her  / him,  and to de-register  any  such  token. This  facility  shall  be provided through one or  more of the following channels  –  mobile application, internet banking,  Interactive Voice Response  (IVR)  or  at branches  / offices. 

📌 5.  Whenever  a  card is  renewed or  replaced, the card issuer  shall  seek  explicit consent of the cardholder  for  linking  it  with the merchants  with  whom  (s)he  had earlier  registered the card.   

📌 6.  The  TSP  shall  put in place a mechanism  to ensure that the  transaction request has  originated from  the merchant and the token requestor  with  whom  the token is  associated. 

📌 7.  All  other  provisions  of the  RBI  circulars  dated January  8, 2019  and  August 25, 2021  shall  be applicable.   

📌 8.  The  TSPs  shall  monitor  and ensure  compliance in this  regard. 

RBI Compliance Group - Ozg Lawyers
WhatsApp 📲 WA.me/918779696580

Follow us for Updates 💗 @rbicompliance

Join us at Ozg Lawyers & Ozgian 24x7