General Studies Paper 3 (Indian Economy)
Question:- 88. What is card-on-file tokenisation? Explain the rationale behind the introduction of tokenisation system in India. Answer in 150 words.
Oct 11, 2022


(Definition + first part of the question and hence, intro paragraph can be long)

Tokenization is defined as the process of replacing a credit or debit card’s 16-digit number on the plastic card with a unique alternate card number, or ‘Token’ which shall be unique for a combination of card, token requestor and device. Tokens can be used for online transactions, mobile point-of-sale transactions or in-app transactions. This token contains no personal information that can be directly accessed and keeps changing making it the most secure method to complete payments.

As per the RBI guidelines on Tokenisation permitting Card-on-File Tokenisation (CoFT) Services, merchants will not be allowed to store customer’s crucial details like card number, CVV and expiry date for processing online transactions. Any existing details that were saved by merchants will be deleted.


BODY PARAGRAPH (The rationale)

India has an estimated 100 crore debit and credit cards, which are used for about 1.5 crore daily transactions worth Rs 4000 crore. Digital payments have triggered and sustained economic growth, especially through the trying times of the pandemic. However, many hacking incidents have been reported from many parts of the country. Such events leave the common people vulnerable at the hands of culprits which eye on their hard earned money. A lack of general awareness and adequate digital literacy has led to increase in such crimes.

The Reserve Bank of India’s card-on-file (CoF) tokenisation norms aim at improving safety and security of card transactions. A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. Actual card data, token and other relevant details are stored in a secure mode by the authorised card networks.

The token requestor cannot store Primary Account Number (PAN), or any other card details. Card networks are also mandated to get the token requester certified for safety and security that conform to international best practices/globally accepted standards.

“With card tokenisation, a card and merchant specific token is generated. Going forward that token can be used for all online transactions with that merchant. This will ensure enhanced security. In case of any data breach or hacking attempt at the merchant’s end, the customer’s card details will be protected.

Hence, tokenisation lends greater credibility to seamless and secure payments experience.



While RBI’s intent is to protect consumer interest, the challenge on ground pertains to implementation. Nevertheless, with COFT guidelines in place, RBI has strengthened its role as the responsible protector of citizens’ financial rights. This will enhance consumer trust in digital payments in the long run.