The Reserve Bank of India on September 7 announced that it was allowing card-on-file tokenization for e-commerce companies. The changes "are expected to reinforce the safety and security of card data while continuing the convenience in card transactions," RBI said in a press note. "Citing the convenience and comfort factor for users while undertaking card transactions online, many entities involved in the card payment transaction chain store actual card details [also known as Card-on-File (CoF)]. In fact, some merchants force their customers to store card details. "Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised/leaked. Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an Additional Factor of Authentication [like one-time passcodes] for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques," the RBI added. What is tokenization? Tokenization is the process of converting a fixed identifier, like a credit card number, into a use-case specific, merchant-specific, and/or device-specific 'token', a process which makes sure that card data is not stolen. Tokenized payments in the real world have already been happening for a while — chip and PIN transactions, and the NFC payments that came after them, always give point of sale (POS) terminals a scrambled one-time token instead of the card number, as magnetic stripes on cards had…
