
Card-on-File Tokenisation (CoFT) – Enabling Tokenisation through Card Issuing Banks

RBI/2023-24/91
CO.DPSS.POLC.No.S-919/02-14-003/2023-24

December 20, 2023

All Payment System Providers and Payment System Participants

Madam / Dear Sir,

Card-on-File Tokenisation (CoFT) – Enabling Tokenisation through Card Issuing Banks

The card tokenisation services are being currently provided by card issuers and card networks in terms of Reserve Bank of India circulars DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 8, 2019 on “Tokenisation – Card transactions”, CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated September 07, 2021 on “Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services” and CO.DPSS.POLC.No.S-567/02-14-003/2022-23 dated June 24, 2022 on “Restriction on Storage of Actual Card Data [i.e. Card-on-File (CoF)]”.

2. As announced in the Statement on Development and Regulatory Policies dated October 6, 2023, it has been decided to enable CoFT directly through card issuing banks / institutions also. This will provide cardholders with an additional choice to tokenise their cards for multiple merchant sites through a single process. Detailed requirements for the same are listed in the Annex.

3. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).

Yours faithfully,

(Gunveer Singh)
Chief General Manager-in-Charge


Annex

(CO.DPSS.POLC.No.S-919/02-14-003/2023-24 dated December 20, 2023)

CoFT through card issuers - Requirements

1. Generation of CoF Tokens for a card, through the card issuer, can be enabled through mobile banking and internet banking channels.

2. CoFT generation shall be done only on explicit customer consent, and with AFA validation. If the cardholder selects multiple merchants for which to tokenise his/her card, AFA validation may be combined for all these merchants.

3. The tokens thus generated shall be made available on the merchant’s payment page, in the cardholder’s account with the merchant.

4. The cardholder may tokenise the card at any time of his convenience, either on receipt of the new card or later.

5. The card issuer shall provide a complete list of merchants for whom it can provide tokenisation services. The cardholder shall select the merchants with whom he/she wishes to maintain tokens. (Alternatively – “The cardholder can make his selection from the list”).

6. The card token so issued may be either by the card network or the issuer or both.

7. All other provisions of RBI circulars dated January 8, 2019, August 25, 2021, September 7, 2021 and July 28, 2022 shall remain applicable.