Sep 10, 2021

Card Transactions: Card-On-File Tokenisation Services

On September 7, 2021, the Reserve Bank of India (RBI) issued a directive with an objective to enhance the regulatory framework on card tokenisation (2021 Directive).


The RBI prescribed certain restrictions on storage of cards data under the Guidelines on Regulation of Payment Aggregators and Payment Gateways issued on March 17, 2020 (PA-PG Guidelines) and the clarifications issued in connection with the PA-PG Guidelines on March 31, 2021.

In terms of the PA-PG Guidelines, neither the authorised ‘payment aggregators’ nor merchants (onboarded by payment aggregators) are permitted to store customer card credentials.

These restrictions have severe repercussions for entities that offer ‘Card-on-File’ services by storing card data for future transactions. In view of the representations from the industry, the RBI, on March 31, 2021, granted an extension till December 31, 2021, to enable the payment system providers and participants to put in place workable solutions, such as tokenisation in accordance with the framework set-out in the directive ‘Tokenisation – Card transactions’ issued by the RBI on January 8, 2019 (2019 Directive) to address issues associated with card data storage restrictions imposed by the PA-PG Guidelines.


Tokenisation refers to replacement of actual card details with an alternate code called the ‘token’, which is unique for a combination of card, Token Requestor (i.e., the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and a device. Unlike a regular card transaction where the card details are used to process the payment transaction, a token is used for the purpose of authorisation and processing of a tokenised card transaction. This helps ensure safety and security of sensitive card data and prevents it from being stolen or misused by bad actors.


As per the 2019 Directive, the RBI permitted authorized card networks, such as Visa and Mastercard, to offer card tokenisation services to Token Requestors. At that time, the tokenisation solution was device-binding and Token Requestors could make available tokenisation solution only on mobile phones or tablets of users. However, through a recent notification dated August 25, 2021, the RBI extended the scope of the permitted devices for tokenisation to also include laptops, desktops, wearables (wrist watches, bands, etc.), internet of things (IoT) devices, etc., besides mobile phones and tablets.


With an intent to reinforce safety and security of card data while continuing convenience in card transactions, the RBI issued the 2021 Directive to make enhancements to the extant framework on card tokenisation. The key highlights of the 2021 Directive are as under:

♦   Card-on-file tokenisation: The device-based tokenisation framework under the 2019 Directive is extended to Card-on-File Tokenisation (CoFT) services.

♦  Card issuers can offer tokenisation service: Card issuers can offer card tokenisation services, as token service providers (TSPs). The TSP card issuers can tokenise or de-tokenise the cards data only for cards issued by or affiliated to such card issuers.

♦  Customer consent and authentication: Tokenisation of cards data must be carried out with explicit customer consent that requires validation through additional factor of authentication (AFA) undertaken by the card issuer. The AFA may be combined with a purchase transaction (where card payment is being performed along with the registration for CoFT). Cardholder’s explicit consent will also be required when a card is renewed or replaced.

♦  Unique token: The token must be unique for a combination of card, Token Requestor and merchant (i.e., the end-merchant or the e-commerce entity in case of an e-commerce marketplace).

♦  Option to de-register: The merchant must give the cardholder an option to de-register the token. Further, a Token Requestor having direct relationship with the cardholder must provide a list of merchants in respect of whom CoFT has been opted through it, by the cardholder and also provide an option to de-register any such token.

♦ The existing operational requirements stipulated under the 2019 Directive will continue to be applicable even for CoFT.

Additionally, in context of the PA-PG Guidelines, the 2021 Directive clarifies that:

♦  No entity in the card transaction or payment chain (other than card issuers or card networks) can store the actual cards data, with effect from January 1, 2022. All previously stored cards data must be purged.

♦  For transaction tracking (which is the only recognized exception for storage of cards data under the PA-PG Guidelines), entities can store limited data i.e., last four digits of actual card number and card issuer’s name, in accordance with applicable standards.

In a press release with respect to the 2021 Directive, the RBI has highlighted that introduction of CoFT, while improving customer data security, will offer customers the same degree of convenience as now for undertaking card transactions. Contrary to some concerns expressed in certain sections of the media, there will be no requirement to input card details for every transaction under the tokenisation arrangement.

Rohan Bagai, Partner
Arjun Uppal, Senior Associate
Karishma Sumi, Associate





These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.