The Reserve Bank of India (RBI), in a recent development, extended the deadline for tokenisation of debit and credit cards by three months, till 30th September 2022. The decision was made to prevent disruption and inconvenience to cardholders. Following this date, no entity in the card transaction or payment chain, except card issuers and card networks, should store Card-on-File (CoF) data, that is, actual card data. Any such data stored previously will be purged.
Understanding Tokenisation and Card-on-File
Tokenisation refers to the replacement of real credit and debit card details with a unique code known as the “token”. Each token is specific to a card, token requestor, and device. This process makes a transaction through a tokenised card safer because the original card information is not shared with the merchant during the transaction. Customers without tokenisation will need to enter their details like name, 16-digit card number, expiry date, and CVV every time they make an online purchase. Currently, around 19.5 crore tokens have been generated.
Meanwhile, Card-on-File represents a transaction in which a cardholder authorizes a merchant to save their Mastercard or Visa payment data. The cardholder then allows the same merchant to charge their saved Mastercard or Visa account. Usually, e-commerce companies, airlines and supermarket chains save card details in their systems.
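A minimal sketch of the binding described above, added here as an illustration and not the code of the RBI, any card network or this page: the `TokenVault` class, the requestor and device names and the test card number are all assumptions. It shows a merchant keeping only a token in place of Card-on-File data, and a token being refused when presented by a different token requestor.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum used to validate card numbers."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """Toy model of the issuer / card-network side, the only party holding real card data."""

    def __init__(self):
        self._by_token = {}    # token -> (card number, requestor, device)
        self._by_binding = {}  # (card number, requestor, device) -> token

    def tokenise(self, pan: str, requestor: str, device: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        binding = (pan, requestor, device)
        if binding not in self._by_binding:
            token = secrets.token_hex(8)  # random value, not derived from the card number
            self._by_binding[binding] = token
            self._by_token[token] = binding
        return self._by_binding[binding]

    def authorise(self, token: str, requestor: str, device: str):
        """Resolve a token to its card only for the requestor and device it was issued to."""
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (requestor, device):
            return None
        return binding[0]

def demo() -> dict:
    vault = TokenVault()
    pan = "4111111111111111"  # constructed input: a widely used test card number
    t_shop = vault.tokenise(pan, "shop.example", "phone-1")
    t_air = vault.tokenise(pan, "airline.example", "phone-1")
    merchant_db = {"customer-42": t_shop}  # the merchant stores the token, not the card
    return {
        "tokens_differ_per_requestor": t_shop != t_air,
        "token_is_not_card_number": pan not in merchant_db.values(),
        "own_token_resolves": vault.authorise(t_shop, "shop.example", "phone-1") == pan,
        "token_at_other_requestor": vault.authorise(t_shop, "airline.example", "phone-1"),
        "token_on_other_device": vault.authorise(t_shop, "shop.example", "phone-2"),
    }
```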
The Need for Tokenisation of Cards
Numerous entities involved in an online card transaction chain save card data such as the card number and expiry date, known as Card-on-File (CoF), for conducting future transactions. While this practice does provide convenience, the availability of card details with multiple entities increases the risk of card data being stolen or misused. Instances of such data being compromised by merchants have been reported.
Many jurisdictions do not require an Additional Factor of Authentication (AFA) for authenticating card transactions. If stolen data ends up with fraudsters, it could lead to unauthorized transactions and consequential financial loss to cardholders. Even within India, social engineering techniques can be used to commit frauds using such data.
The RBI as a Bankers’ Bank
The Reserve Bank of India (RBI) acts as a ‘bankers’ bank’. This implies that other banks retain their deposits with the RBI, the RBI lends funds to commercial banks when needed, and advises commercial banks on monetary matters.
The origin of the Reserve Bank of India can be traced back to 1926, when the Royal Commission on Indian Currency and Finance (also known as the Hilton-Young Commission) recommended the creation of a central bank for India. This was to separate the control of currency and credit from the Government and to improve banking facilities throughout the country. The Reserve Bank of India Act of 1934 established the Reserve Bank.
Role of RBI as a Bankers’ Bank and Supervisor
The RBI holds a part of the cash reserves of banks, lends them funds for short periods, and provides them with centralized clearing and cheap and quick remittance facilities. The RBI is authorised statutorily to require scheduled commercial banks to deposit with it a stipulated ratio of their Net Demand and Time Liabilities (NDTL).
As a Banker to Banks, the Reserve Bank also acts as the ‘lender of last resort’. It can come to the rescue of a bank that is solvent but faces temporary liquidity problems by supplying it with much-needed liquidity when no one else is willing to extend credit to that bank. The RBI also supervises and advises the commercial banks in monetary matters.