Providing a tiered timeline to merchants for compliance and allowing them to store the first few digits of a card (BIN range) to ascertain the network, issuer, card type, are among the key suggestions made by industry body National Association of Software and Services Companies to the Reserve Bank of India on facilitating compliance with Card-on-File Tokenisation (CoFT).
"The RBI circular dated September 07, 2021, allows storing limited data – last four digits of actual card number and card issuer’s name – for transaction tracking and reconciliation purposes. Merchants require first few digits of a card (BIN range) to ascertain the network, issuer, card type for several purposes. Given that BIN ranges are information available publicly and cannot uniquely identify a card, storing of the BIN range does not impinge on the customer security," Nasscom said Thursday, detailing its submission to the RBI.
BIN ranges are required to identify whether a card supports EMI on a given card network. They also help in determining how a transaction should be routed.
The ranges also help in fraud detection. Further, most offers run against specific cards issued by specific banks have an aggregation requirement, i.e., 2-3 redemptions per card for a given duration, or one redemption per card per merchant.
For such use cases, a unique identifier (card hash) or the BIN is required to apply offer validations, view offers against a specific card, and process cashback. Without an option to store the BIN, these offers will cease to exist.
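The retention model described above (keep the BIN and last four digits, drop the rest of the PAN, and use a card hash for offer aggregation) as an added example; this is illustrative code, not Nasscom's or the RBI's, and the prefix-to-network table is a constructed sample rather than an authoritative BIN database. The card reference is a keyed HMAC rather than a plain hash, since the PAN space is small enough that an unkeyed digest of a PAN can be recovered by enumeration.

```python
import hashlib
import hmac
import re
from collections import Counter

# Illustrative leading-digit rules only; a real merchant would consult a BIN table.
NETWORK_PREFIXES = [
    ("Visa", ("4",)),
    ("Mastercard", tuple(str(p) for p in range(51, 56))),
    ("RuPay", ("60", "65", "81", "82", "508")),
]

def luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit validation of a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def network_from_bin(bin6: str) -> str:
    """Map the BIN to a network using the constructed prefix table."""
    for name, prefixes in NETWORK_PREFIXES:
        if bin6.startswith(prefixes):
            return name
    return "unknown"

def retained_record(pan: str, key: bytes) -> dict:
    """Return only the elements the submission discusses: BIN, last four,
    derived network and a keyed card reference. The full PAN is not kept."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a well-formed PAN")
    ref = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return {
        "bin": digits[:6],
        "last4": digits[-4:],
        "network": network_from_bin(digits[:6]),
        "card_ref": ref,
    }

def offer_allowed(card_ref: str, redemption_log: list, limit: int = 3) -> bool:
    """Aggregation rule: allow the offer while this card has fewer than `limit` prior uses."""
    return Counter(redemption_log)[card_ref] < limit
```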
In March 2020, the Reserve Bank of India (RBI) released the “Guidelines on Regulation of Payment Aggregators and Payment Gateways” under S. 10(2) of the Payment Systems and Settlement Act, 2007. The Guidelines recognise Payment Aggregators (PAs) and Payment Gateways (PGs) as intermediaries playing a crucial role in facilitating digital payments and ensuring that consumers are protected in the online space.
Of these, two clauses require PAs and merchants not to store card credentials within their databases or servers. With merchants and PAs not allowed to store card data, the industry raised several concerns, including card data security, fraud risks, and the impact on customer service and product innovation.
To address the concerns, the industry had made suggestions to the RBI including considering card-on-file tokenisation (CoFT) as a viable alternative to card-on-file (CoF) in a graded manner.
Nasscom has further suggested that the RBI provide merchants with a tiered timeline for compliance, so that they can integrate with issuer banks and card networks as those become ready with their tokenisation solutions.
It has also suggested "RBI monitored compliance to ensure that the regulated entities adhere to the timeline and the transition to CoFT does not adversely disrupt the ecosystem like e-mandate on recurring transactions".