In a bid to ensure security of card data, the Reserve Bank of India (RBI) has enhanced the scope of tokenisation and permitted card issuers to act as token service providers.

Under tokenisation services, a unique alternative code is generated to facilitate transactions through cards.

The RBI on Tuesday extended the device-based tokenisation to card-on-file tokenisation services, a move that will bar the merchants from storing actual card data.

Card-on-file refers to card information stored by payment gateway and merchants to process future transactions.

“...card issuers have been permitted to offer card tokenisation services as token service providers. The tokenisation of card data shall be done with explicit customer consent requiring additional factor of authentication,” the RBI said in a statement while extending device-based tokenisation framework to CoFT services. It said the decision will reinforce the safety and security of card data while continuing the convenience in card transactions.

The RBI said many entities in the payment transaction chain store actual card details citing the convenience and comfort factor for users while undertaking card transactions online.

Some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen.