Banks want time for card tokenisation

Tokenisation is the process of replacing debit and credit card numbers with a set of characters or tokens.

Some commercial banks are likely to miss the December 31 deadline set by the Reserve Bank of India to comply with the card-on-file tokenisation norms that were announced in early September.

The banking regulator has instructed that only card-issuing banks and payment networks are allowed to store customer data from January 1, 2022, and all other entities in the payment chain will have to purge all previously stored data.

According to banking sources, most large banks and payment networks like Visa, Mastercard, and Rupay of the National Payment Corporation of India (NPCI) are ready to meet the deadline. Some mid and smaller size banks, however, are not ready.

“Some of the card-issuing banks have requested the deadline to be extended,” said a source with direct knowledge of the issue.

The banking regulator held a meeting with some of the stakeholders. “The RBI took updates from the players on their readiness,” the source said.

“The main work of tokenisation is done by the payment networks and the issuing banks. Once their systems are ready, they give it to the aggregators and merchants to implement,” a second source said.

Tokenisation is the process of replacing debit and credit card numbers with a set of characters or tokens.

This is mainly done for making the payments process more secure.

Tokenisation is currently done by payment aggregators free of cost.


While observing that many entities involved in the card payment transaction chain store actual card details, the RBI had said such customer details with a large number of merchants substantially increases the risk of card data being stolen.

There have been some recent incidents where card data stored by some merchants have been compromised or leaked.

Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an Additional Factor of Authentication (AFA) for card transactions.

“Stolen card data can also be used to perpetrate frauds within India through social engineering techniques,” the RBI had said.

“We have asked the members for their readiness and give us an updated status so that we can go to the RBI with correct status of our members and there is a smoother transition to tokenisation by January 1, 2022,” said Vishwas Patel, chairman of the Payment Council of India, an apex body representing companies in payments and settlement system, told Business Standard.

The RBI, while allowing only card-issuing banks and merchant networks to store data, had clarified that for transaction tracking and reconciliation purposes, entities can store limited data — the last four digits of actual card number and the card issuer’s name.

‘Complete and ongoing compliance with the above by all entities involved, shall be the responsibility of the card networks,’ the regulator had added.

Feature Presentation: Rajesh Alva/

Source: Read Full Article