The Reserve Bank of India (RBI) has taken a major step towards secure and frictionless digital payments by enabling card-on-file tokenisation (CoFT) directly through card issuing banks and institutions. This empowers cardholders with greater control and convenience while significantly enhancing data security.
Previously, tokenisation, replacing sensitive card details with unique “tokens” for online transactions, was only available through merchants. This often meant mandatory card storage on merchant platforms, raising concerns about data vulnerability.
The RBI’s new initiative addresses these concerns:
- Cardholders can now choose: They can opt for tokenisation directly through their bank’s mobile or internet banking, at their own convenience.
- Explicit consent and secure verification: Tokenisation requires explicit customer consent and follows additional authentication protocols for enhanced security.
- Selective tokenisation: Cardholders can choose which merchants to save tokens with, further minimizing data exposure.
- Multiple token options: Tokens can be issued by either the card network, the issuer, or both, offering flexibility and redundancy.
This move builds on the RBI’s 2021 directive prohibiting merchants and payment aggregators from storing card data. With over 56 crore tokens already created and facilitating transactions worth over ₹5 lakh crore, CoFT is proving its effectiveness in securing digital payments while maintaining ease of use.
The RBI’s direct tokenisation initiative marks a significant shift in empowering cardholders and strengthening the security of India’s digital payment ecosystem.