On June 24, the Reserve Bank of India (RBI) extended the credit and debit card tokenisation deadline by another three months. This is the third time that the central bank heeded the industry’s request and extended the last date, which was June 30.
First RBI deadline to tokenise the card details was June 30, 2021. But at the request of merchants and payment aggregators, as well as card companies and banks, it was extended to December 31, 2021. The deadline was again extended by six months to June 30, 2022. And now it has been pushed to September 30.
When you key-in your card number, the information is saved by the merchant and payment gateway for future transactions. It is done to save your time and the hassle of punching in a 16 digit card number -- which usually no one remembers.
Your card details are stored by merchants online or in cloud systems. It is known as ‘card-on-file’, or CoF. But the central bank has been receiving complaints about data breaches. Although encrypted, card details of consumers stored with merchants are
According to RBI, tokenisation is the replacement of actual card details with an alternate code called the ‘token’-- which will be unique for a combination of card, token requestor and device. Token requester is the entity which accepts a request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token.
Once created, the tokenised card details will be used in place of the actual card number for online purchases initiated or instructed by the cardholder.
RBI says that a tokenised card transaction is safer as the actual card details are not shared with the merchant during transaction processing.
RBI says that the consumer can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token. The customer’s consent and OTP-based authentication is needed for creating a token. However, it is not mandatory to tokenise cards.
The central bank has given enough time to the industry to ensure that the transition to this new regime is smooth. So one hopes that the deadline is not extended again and we switch to a more secure mode of transaction from October 1.
 "What is tokenisation?")
