CARD ON FILE TOKENIZATION (CoFT)

With reference to the recent guidelines issued by Reserve Bank of India (RBI) on Card Tokenization; w.e.f 1st July 2022 - clear card number, CVV and Expiry date and any other sensitive information related to cards cannot be stored by merchants for processing online transactions.

Tokenization is a method of replacing sensitive customer card data with encrypted codes known as "token". The token is much safer, as the actual card details are not shared with the merchant during transaction processing. In order to enhance the customer experience and facilitating the use of digital payment products in a more safe and secure manner, ‘Card tokenization’ has been introduced.

CSB Bank has also complied on the Card On File Tokenization Process for all it’s RuPay and VISA Debit Cards.

So, secure your CSB Debit Card, following the below mentioned steps :

Visit your online merchant's website/app
Choose the products/services you want to purchase
Select CSB Bank Debit Card at checkout and enter your CSB Bank Card details
Select ‘Securely Save/Verify your Card’
After successful authentication, your card will get secured and you can pay conveniently without entering your card details every time.

1. What is Tokenization?

Tokenization is the process of replacing sensitive data, such as credit/debit/prepaid card numbers, with unique identification data while retaining all the essential information about the data. It is a replacement of actual or clear card number with an alternate code called the “Token”. This shall be unique for a combination of card, token requestor (i.e., the entity which accepts request from the customer for Tokenization of a card and passes it on to the card network to issue a corresponding token) and the merchant (token requestor and merchant may or may not be the same entity).

2. Benefits of Tokenization?

Card-on-File (CoF) tokenization provides two key benefits – consumer & ecosystem security and an enhanced checkout experience. A Tokenized card transaction is considered safer as the actual card details are not shared / stored with the merchants to perform the transaction.

3. How and where the Tokenized Cards get used?

Card provisioning is done wherein consumer enrolls their account with a digital payment service provider (such as an online retailer or mobile wallet) by providing their primary account number (PAN), security code, and other account information.
Card gets added at site/app with successful consumer verification i.e., OTP and in the backend token credentials gets generated.
After Tokenization Process is completed, tokenized card details will be used in place of the actual card number for future online purchases initiated or instructed by the card holder.

4. Steps for getting ahead with CSB Debit Card Tokenization?

The card holder can get the card Tokenized by initiating a request on the website/app provided by the merchant.
The token requestor / merchant will forward the request directly to the issuing Bank which issued the applicable Debit Card - RuPay/VISA, with the consent of the card issuing Bank.
The entity receiving the request from Token requester, will issue a token corresponding to the combination of the card, the token requestor, and the merchant.

5. On which type of Cards Tokenization guideline is applicable?

As on 1st July 2022, all CSB Debit Cards have to be Tokenized

6. Is Tokenization applicable for International Card on File transactions?

No. Tokenization is only applicable only for Domestic transactions.

7. How can I manage my Tokenized cards?

Customer can reach out to bank’s Customer Care Team at 1800 266 9090 for support on token management for their tokenized cards.

8. Will Card Tokenization impact on POS transactions that the card holder performs at merchant outlets?

No. Tokenization is only required for carrying out the online transactions

9. What are the charges that the card holder needs to pay for availing this service?

The facility is free of charge and customer need not pay anything for availing the service of Tokenizing the card.

10. Who can perform Tokenization and de-Tokenization?

Tokenization and De-Tokenization can be performed only by the card issuing Bank or Visa / Mastercard / RuPay / Diners who are referred as authorized card networks.

11. Are the customer’s card details safe after Tokenization?

Actual Card data, token and other relevant details are stored in a secure encrypted mode by the card issuing Bank and / or authorized card networks. Token requestor / merchants cannot store full card number or any other card detail.

12. How does the process of registration for a Tokenization request work?

The registration for a Tokenization request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc. Customer will also be given choice of selecting the use case and setting-up of limits.

13. Is there any limit on the number of cards that a customer can request for Tokenization?

A customer can request for Tokenization of any number of cards to perform a transaction.

14. Can the customer select which card to be used in case he / she has more than one card Tokenized?

For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor / merchant.

15. How will the customer see the card details on the merchant page?

Customer will see the last 4 digits of the card on the merchant page

16. What will happen to the token once the customer’s card gets replaced or renewed or reissued or upgraded?

Customer needs to re-visit the merchant page and create a fresh token.
Alternatively, they may also reach out to bank’s Customer Care Team for related support.

17. Will the card Tokenization need to be done at every merchant?

Yes. A token must be unique to the card at a specific merchant. If the customer intends to have a card on file at different merchants, then tokens must be created at all the merchants.

18. What is Card De-Tokenization?

Conversion of the token back to actual card details is known as de-tokenization.

19. Can a card issuer refuse tokenization of a particular card?

Based on risk perception, etc., card issuers may decide whether to allow cards issued by them to be registered by a token requestor.

20. Who are the parties / stakeholders in a Card Tokenization transaction?

Normally, in a tokenized card transaction, parties / stakeholders involved are merchant, the merchant’s acquirer, card payment network, token requestor, issuer, and customer. However, an entity, other than those indicated, may also participate in the transaction.

21. Is Card Tokenization mandatory for a customer?

No, a customer can choose whether or not to let his / her card Tokenized. If not Tokenized, starting 1st July 2022, the card holder must enter the full card number, CVV and Expiry date every time to complete their online transactions.

For any queries or issues, you may contact our customer care at 1800 266 9090 or write us at customercare@csb.co.in