Card on File Tokenization (CoFT): Benefits, Risks and Implications for Consumers and Merchants

Your favorite streaming platform, online shopping app, electricity bills, broadband bills, miscellaneous online expenditure- what do they all have in common?

As a 21st century user, chances are that you must rely heavily on digital payments, including credit/debit card-based payments across platforms and needs. So, it is only logical that the recent shift to tokenization that the Reserve Bank of India (RBI) has mandated as the card storage policy norm for merchants is of concern to you.

What is Card on File Tokenization (CoFT)?

First things first, what is tokenization?

As frequent consumers of certain apps and merchants, we often find ourselves saving card details like the 16-digit card no, expiry date and name of the card holder which leaves us just the task of entering CVV and OTP on the go for each transaction. As convenient as that may have been, the central banker in India realized that this also left consumers vulnerable to theft and security breaches. To insure against this risk while also doing away with the hassle of re-entering card details for every transaction, the RBI in September 2021 came up with a directive for tokenization of cards. That is, for all merchants like e-commerce websites and streaming platforms as well as aggregators (like RazorPay, Instamojo, etc.) card details of consumers would be replaced by a unique token number.

How can Card on File Tokenization (CoFT) help?

For instance, if you used the same debit card for purchases on e-commerce websites or ordering food, each platform you use the card on will get assigned a unique token number. In essence, even merchants like your food delivery app or online shopping platform will not have access to the full card number, let alone passing them along to malicious sites or hackers. Besides, since this relationship between tokens and card related data would be saved in vaults owned by card networks and not available to any third party each time you transact the prospect of fraud would be significantly minimized.

The concept of card-on-file to which this idea of tokenization has been added on to is equally interesting. Broadly it is the process of collecting and storing payment credentials of cards, which has implications for several consumer processes like recurring payments, one-click ordering, in-app payments, etc. Hence, in effect card on file has been in place much longer before tokenization came into the picture. Think of each subscription service that saved your card details and renewed itself each month without you having to manually transact and pay your bills each month.

So far so good.

Card on File Tokenization (CoFT) deadline

One may then wonder what is the recent uproar all about. The RBI had imposed a deadline for December 31st, 2021 for the imposition of these revised card data storage norms, but on the request of merchants and businesses affected by these rules the implementation of these norms have been extended by 6 months, till June 30th, 2022. The Merchant Payment Alliance of India and Alliance of Digital India Foundation, the flagbearers of this movement have voiced their concerns over a lot of issues regarding the implementation of such norms and the inadequate levels of preparedness among merchants and businesses. In a joint statement released to the press, they highlighted how each of the three players in the system- banks, intermediary payment systems, and merchants- would be affected by such a move. Some of the most pressing issues include that banks and card networks are not fully equipped with functional APIs (application programming interface- the software that allows two applications to talk to each other. For instance, your Google Pay wallet that transfers money to your Ola account to pay for the rides you take), revenue losses for merchants, etc.

How do CoFT new rules impact consumers?

Whenever this rule is implemented, you will first have to re-enter your card details freshly on every site you use. The merchant will then offer you the option of tokenizing the card, the details of which will be forwarded to your card network (MasterCard, Visa, etc.). A unique token will be generated for each website/platform/merchant you wish to make transactions on, and from there on things would continue to remain the same. Each time you wish to transact on the platform your token will be retrieved and you will only have to enter details like CVV and OTP to proceed. However, customers who do not have the tokenization facility will have to enter these details for every transaction, and do it for each card if they have multiple ones- making it very cumbersome.

How do CoFT impact merchants, suppliers and aggregators?

If you make up the group of suppliers of goods and services or merchants that avail card on file facilities, there are a few pros and cons of this move worth considering.

On the positive side of it, enhanced data security and privacy eliminates the risks and costs associated with cyberattacks and espionage. Suppliers’ oblivion of real card numbers would make you a less than lucrative prospect for attacks. Besides, the cost of data storage also stands to be considerably cut down as the introduction of tokens would shrink the need for suppliers to pay hefty amounts for storing card and other extensive details on the cloud, POS machines or internal systems. Tokenization can also simplify a merchant’s efforts for validating data compliance norms by reducing the number of components for which Payment Card Industry Data Security Standard (PCI DSS) requirements apply.

On the other hand, however, there are also some reasons for concern in the short term. As pointed out by Sijo Kuruvilla George, Director of the Alliance of Digital India Foundation, suppliers stand to lose out on account of inadequate preparation by banks and card networks to establish and test stable application programming interface (APIs- software that allows applications to communicate. For instance, your Google Pay account that lets you pay for your Uber ride is connected by a robust API). In effect, with reduction in ease of transacting it is expected that consumers will reduce their volume of card-based transactions and switch to cash or UPI or other methods. Besides, businesses could also expect fall in sales as transaction times increase, cart abandonment rises and other such phenomena is observed. At the ‘Digital Payments and the India Media Consumer’ conference organized by the Confederation of Indian Industry (CII), this figure of loss in revenue was pegged to be somewhere around 20-4-% of existing revenues. The digital payments industry in India is valued at Rs 14,14,85,173 crore as per RBI’s annual report for 2020-21. In that India has an estimated 98.5 crore cards which are used for about 1.5 crore daily transactions worth Rs 4,000 crore. Perhaps this justifies the extension granted for implementing the new rules.

However, as these rules come into effect on June 30th, 2022 another challenge before merchants and aggregators will be to devise alternate mechanisms to keep the process of recurring payments continue smoothly. Activities like recurring e-mandates, equated monthly installment (EMI) payments, or any post-transaction activity (including chargeback handling, dispute resolution, reward/ loyalty program, etc.) that requires storage of card details to automatically renew itself are very likely to be affected.

Which banks use CoFT system?

As it stands now, even while merchants and aggregators are not adequately geared up right now, banks like HDFC, ICICI and SBI Cards already have the card tokenization system in place for online transactions. Few of them even have device-based tokenization mechanism in place (like SBI Cards with Samsung) that employs near field communication technology for facilitating contactless payments. Several other banks are believed to have initiated the process and are ready to integrate it with the new system. Mastercard and Google have announced the rollout of tokenization that will enable Google Pay users to transact using their Mastercard credit and debit cards.

What remains to be seen is how the three parties- banks, merchants, and aggregators (or intermediary payment systems) will ensure that all three steps for successful tokenization are carried out- token provisioning (card number should be easily convertible to a token), processing (customers are actually able to carry out transactions using token numbers instead of cards), and scaling-up (ensuring another hassle-free way for recurring transactions to continue even in the token system).