According to the RBI, “Tokenisation refers to replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and device (referred hereafter as “identified device”).”
According to the Canara Bank website, these are the Frequently Asked Questions (FAQs) on Card-on-File Tokenization (CoFT) for card transactions.
1. What is Tokenization?
Tokenisation refers to replacement of actual or clear card number with an alternate code called the “Token”. This shall be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and the merchant (token requestor and merchant may or may not be the same entity).
2. What is the benefit of Card-on-File Tokenization (CoFT)?
A tokenised card transaction is considered safer as the actual card details are not shared / stored with the merchants to perform the transaction.
3. If the cardholder has already registered for e-Mandate for Standing Instructions (SI), will it get affected? If yes, How? What should be done to enable e-Mandate for SI transactions?
If the cardholder has already registered for e-Mandate for Standing Instructions, that will no longer be valid as the merchant should not be storing the Full card number anymore from 1st July, 2022. Hence the customer needs to freshly register for Card-on-File tokenization on the card and then give consent for the e-mandate for SI transactions. If the customer chooses not to opt for tokenization, e-mandate for SI transactions cannot be enabled on the card.
4. How can the tokenisation be carried out?
Step 1 – The card holder can get the card tokenised by initiating a request on the website/app provided by the token requestor and any such similar facility provided by the merchant.
Step 2 – The token requestor / merchant will forward the request to Visa / Mastercard / Rupay, with the consent of the Customer/ Cardholder.
Step 3 – The card networks (Visa / Mastercard / Rupay), on receiving the request from the token requestor, will issue a token corresponding to the combination of the card, the token requestor, and the merchant.
5. Is the Card-on-File Tokenization (CoFT) guideline applicable for both Credit and Debit cards?
Yes. Card-on-File Tokenization (CoFT) guideline is applicable for all the Cards namely Credit, Debit or Prepaid cards.
6. Is Card-on-File Tokenization (CoFT) applicable for International Card on File transactions?
No. Tokenisation is applicable only for Domestic transactions.
7. What are the charges that the cardholder needs to pay for availing this service?
The customer need not pay any charges for availing the service of Tokenising the card.
8. Who can perform tokenisation and de-tokenisation?
Tokenisation and de-tokenisation can be performed only by the card issuing Bank or Visa / Mastercard / Rupay, who are referred to as authorised card networks.
9. Is tokenisation of card mandatory for a customer?
No, a customer can choose whether or not to get his / her card tokenised. If not tokenised, the card holder must enter the full card number, CVV and expiry date every time to complete their online transactions.
10. How does the process of registration for a Card-on-File Tokenization (CoFT) request work?
The registration for a Card-on-File Tokenization (CoFT) request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc.
11. Is the Card-on-File Tokenization (CoFT) needed to be done at every merchant?
Yes. A token must be unique to the card at a specific merchant. If the customer intends to have a card on file at different merchants, then tokens must be created at all the merchants.
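The following sketch is an added example, not code from the RBI, Canara Bank or any card network. It models the flow in FAQ 4 and the per-merchant uniqueness in FAQ 11 as a toy vault held by the card network. The class, method and party names are hypothetical, the card number is a constructed test value, and rejecting a token presented for a different merchant is an assumption about how the uniqueness is enforced.

```python
import secrets


class CardNetworkVault:
    """Toy model of the card network's token vault (hypothetical names throughout)."""

    def __init__(self):
        self._by_combo = {}  # (card number, requestor, merchant) -> token
        self._by_token = {}  # token -> (card number, requestor, merchant)

    def tokenise(self, pan, requestor, merchant, afa_consent):
        # FAQ 10: registration only with explicit customer consent through AFA.
        if not afa_consent:
            raise PermissionError("explicit customer consent (AFA) required")
        combo = (pan, requestor, merchant)
        if combo not in self._by_combo:
            token = self._new_token(pan)
            self._by_combo[combo] = token
            self._by_token[token] = combo
        return self._by_combo[combo]

    def _new_token(self, pan):
        # Random digits with no mathematical relation to the card number;
        # retry so a token is never reused and never equals the card number.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._by_token:
                return token

    def detokenise(self, token, requestor, merchant):
        # Assumption: the vault honours a token only for the requestor and
        # merchant it was issued to, and returns None otherwise.
        combo = self._by_token.get(token)
        if combo is None or combo[1:] != (requestor, merchant):
            return None
        return combo[0]


def demo():
    vault = CardNetworkVault()
    pan = "4111111111111111"  # constructed test card number
    tok_a = vault.tokenise(pan, "requestor-1", "merchant-A", afa_consent=True)
    tok_b = vault.tokenise(pan, "requestor-1", "merchant-B", afa_consent=True)
    return {
        "distinct_per_merchant": tok_a != tok_b,
        "own_merchant": vault.detokenise(tok_a, "requestor-1", "merchant-A") == pan,
        "other_merchant": vault.detokenise(tok_a, "requestor-1", "merchant-B"),
    }
```

The merchant only ever stores the token, so a token copied from one merchant's records does not resolve to the card number when presented for another merchant.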