FinTech

RBI announces improvements to card transaction tokenisation

According to an official statement dated September 7, 2021, the RBI has announced changes to the current card tokenisation mechanism. The device-based tokenisation framework advised in January 2019 has been extended to Card-on-File Tokenisation (CoFT) services. Card issuers have also been authorized to card tokenisation services as Token Service Providers (TSPs). The tokenisation of card data must be done with the explicit consent of the consumer. Further, an Additional Factor of Authentication will be used. 

What is Tokenisation?

In today’s time, we have witnessed a significant increase in data theft. To limit/ stop such incidents, RBI introduced tokenisation. In January 2019, the RBI had released the terms and conditions of this initiative.

The RBI has allowed tokenisation of debit, credit, and prepaid card systems to enhance the safety of the digital payments ecosystem in the country. Currently, while transacting online, we put our card number, CVV, and date of expiry. The merchant saves all these details so we don’t have to enter the same details again and again. However, if there is a data breach, malicious actors can access these financial details.

Tokenization will replace card details with a code called a “Token”. It will be specifically used for the card, the token requestor, and the device being used to pay. Instead of the card’s details, the token will act as the card at the point of sale (PoS) terminals and quick response (QR) code payment systems. The goal of the process is to improve the safety and security of payments.

How will it work?

For example, if you have to make payments on an online shopping portal, you have to enter the 16 digit debit/credit card number. For instance, the card number is IIII IIII IIII IIII. Now, as soon as you enter your card number a token number will be created for your card number. It will be alphanumeric. For instance 9$48#%I##&7. With tokenization the merchant stores only a token number, not your card number.

This token will then be sent to the Payment Processor of Card networks (Visa, Mastercard, RuPay) and it is the only readable link in the whole system. Once it is sent to the payment processor, it will be de-tokenised and the payment will be made to the merchant. These tokens have high-security features. Once the token is issued, nobody can reverse the token to find the original card number other than the cardholder himself. One token will be used for one transaction only.

Tokenisation and IoT

Recently, the RBI expanded the scope of tokenisation to include laptops, desktops, wearables such as wristwatches and bands, and Internet of Things (IoT) devices. Banks have even started to experiment in the domain, with the Axis Bank already having a range of wearable devices for contactless payments.


Do subscribe to our Telegram channel for more resources and discussions on tech-law. To receive weekly updates, don’t forget to subscribe to our Newsletter.

Pukhraj Biala

I am an undergraduate student at Symbiosis Law school, NOIDA, pursuing B.A.LL.B. I am a problem solver who believes in reaching to a conclusion by weighing all the options and identifying the best possible one. I find Technology Laws quite fascinating and I continue to follow and learn the subject.

Share your thoughts!

This site uses Akismet to reduce spam. Learn how your comment data is processed.