According to RBI, “Tokenization refers to the replacement of the actual card details with an alternate code called “Token”, which will be unique to the card combination, token Requester (ie the entity that accepts a request from the Customer for the Card’s token and sends it to the Card network to issue the corresponding token) and the Device (hereinafter referred to as the “Identified Device”).
according to Canara Bank Website, these are Frequently Asked Questions (FAQs) on Card-on-File Tokenization (COFT) for card transactions.
1. What is tokenization?
Tokenization refers to the replacement of the actual or explicit card number with an alternative code called a “token”. This will be unique to the combination of the card, the token requestor (i.e. the entity that accepts a request from the customer for the card’s token and sends it to the card network for the respective token issuance) and the merchant (the token requester and the merchant or a cannot be the same entity).
2. What is the benefit of Card-on-File Tokenization (COFT)?
A tokenized card transaction is considered secure as the actual card details are not shared/stored with the merchants to perform the transaction.
3. If the Cardholder has already registered for e-Mandate for Standing Instructions (SI), will it be affected? If yes, how? What should be done to enable e-mandate for SI transactions?
If the cardholder has already registered for the e-mandate for standing instructions, the same will no longer be valid as the merchant should no longer store the complete card number with effect from July 1, 2022. Hence the customer needs to register afresh for the card-on- file the token on the card and then consent to the e-mandate for SI transactions. If the customer chooses not to opt for tokenization, e-mandate cannot be enabled for SI transactions on the card.
4. How can tokenization be done?
STEP 1 – The Cardholder can get the Token to the Card by initiating a request on the website/app provided by the Token Requester and any such facility provided by the Merchant.
Step 2 – Token Requester / Merchant will forward the request to Visa / MasterCard / Rupay with the consent of the Customer / Cardholder.
Step 3 – The card network (Visa/MasterCard/RuPay) card receiving the request from the token requester will issue a token corresponding to the combination of the token requester and the merchant.
5. Whether Card-on-File Tokenization (COFT) Guidelines are applicable for credit and . Applicable to both? debit cards,
Yes. Card-on-File Tokenization (COFT) guidelines are applicable for all cards such as credit, debit or prepaid cards.
6. Is Card-on-File Tokenization (COFT) applicable for International Card on File Transactions?
No, tokenization is applicable only for domestic transactions.
7. What are the charges that the cardholder will have to pay for availing this service?
There is no charge to the customer for availing the service of tokenizing the card.
8. Who can tokenize and de-tokenize?
Tokenization and de-tokenization can only be done by the card issuing bank or Visa/Mastercard/RuPay, referred to as authorized card networks.
9. Is the card token mandatory for the customer?
No, the customer can choose whether to tokenize his card or not. If not tokenized, the card holder will have to enter the complete card number, CVV and expiry date each time to complete his online transaction.
10. How does the process of registration for Card-on-File Tokenization (COFT) request work?
Registration for Card-on-File Tokenization (COFT) request is done only with explicit customer consent through Additional Authentication Factor (AFA) and not through forced/default/automatic selection of check boxes, radio buttons etc. is done. ,
11. Is every merchant required to do Card-on-File Tokenization (COFT)?
Yes. A token must be unique to a specific merchant’s card. If the customer intends to keep the card on file with individual merchants, tokens must be created for all merchants.