MANU/RMIC/0130/2023
Ministry : Reserve Bank of India
Department/Board : Department of Payment and Settlement Systems
Circular No. : CO.DPSS.POLC.No.S-919/02-14-003/2023-2024
RBI/2023-2024/91
Date : 20.12.2023
Notification/ Circulars Referred : Reserve Bank of India circulars DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 8, 2019 MANU/RMIC/0003/2019;CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated September 07, 2021 MANU/RMIC/0121/2021;CO.DPSS.POLC.No.S-567/02-14-003/2022-23 dated June 24, 2022 MANU/RMIC/0118/2022;Statement on Development and Regulatory Policies dated
October 6, 2023 MANU/RPRL/0598/2023;August 25, 2021 MANU/RMIC/0114/2021;July 28, 2022 MANU/RMIC/0131/2022
Subject: Banking
Citing Reference:
Reserve Bank of India circulars DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 8, 2019 MANU/RMIC/0003/2019 Referred
CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated September 07, 2021 MANU/RMIC/0121/2021 Referred
CO.DPSS.POLC.No.S-567/02-14-003/2022-23 dated June 24, 2022 MANU/RMIC/0118/2022 Referred
Statement on Development and Regulatory Policies dated
October 6, 2023 MANU/RPRL/0598/2023 Referred
August 25, 2021 MANU/RMIC/0114/2021 Referred
July 28, 2022 MANU/RMIC/0131/2022 Referred
All Payment System Providers and Payment System Participants
Madam / Dear Sir,
Card-on-File Tokenisation (CoFT) - Enabling Tokenisation through Card Issuing Banks
1. The card tokenisation services are being currently provided by card issuers and card networks in terms of Reserve Bank of India circulars DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 8, 2019 on "Tokenisation - Card transactions", CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated September 07, 2021 on "Tokenisation - Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services" and CO.DPSS.POLC.No.S-567/02-14-003/2022-23 dated June 24, 2022 on "Restriction on Storage of Actual Card Data [i.e. Card-on-File (CoF)]".
2. As announced in the Statement on Development and Regulatory Policies dated
October 6, 2023, it has been decided to enable CoFT directly through card
issuing banks / institutions also. This will provide cardholders with an
additional choice to tokenise their cards for multiple merchant sites through a
single process. Detailed requirements for the same are listed in the Annex.
3. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).
Yours faithfully,
(Gunveer Singh)
Chief General Manager-in-Charge
Annex
(CO.DPSS.POLC.No.S-919/02-14-003/2023-24 dated December 20, 2023)
CoFT through card issuers - Requirements
1. Generation of CoF Tokens for a card, through the card issuer, can be enabled through mobile banking and internet banking channels.
2. CoFT generation shall be done only on explicit customer consent, and with AFA validation. If the cardholder selects multiple merchants for which to tokenise his/her card, AFA validation may be combined for all these merchants.
3. The tokens thus generated shall be made available on the merchant's payment page, in the cardholder's account with the merchant.
4. The cardholder may tokenise the card at any time of his convenience, either on receipt of the new card or later.
5. The card issuer shall provide a complete list of merchants for whom it can provide tokenisation services. The cardholders shall select the merchants with whom he/she wishes to maintain tokens. (Alternatively - "The cardholder can make his selection from the list").
6. The card token so issued may be either by the card network or the issuer
or both.
7. All other provisions of RBI circulars dated January 8, 2019, August 25, 2021, September 7, 2021 and July 28, 2022 shall remain applicable.