Card on File Tokenisation on Debit/ Credit cards ( COFT)


As per the RBI guidelines on Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services, w.e.f. 1st October, 2022, merchants will not be allowed to store your card number, CVV and expiry date for processing online transactions. Any existing details that were saved by merchants will be deleted.

  • What is Tokenisation?

 Tokenisation is a process by which card details are replaced by a unique token or code , allowing online purchases to go through without exposing the sensitive details.

  • What is the new guideline on COFT tokenisation & what will be the impact?

W.e.f. 1st October, 2022, merchants will not be allowed to store your card numbers, CVV and expiry date for processing online transactions unless the card number is tokenised. Any existing details that were saved by merchants will be deleted. To ensure ease of online payments, we encourage you to tokenise your Debit Card(s) and/or Credit Card(s) details at your preferred website / apps soon.

  • How to Tokenize your Debit/ Credit cards?

Steps to tokenize your card on merchant platform if not already saved-

  • Visit merchant website or app
  • During checkout enter card details
  • Click on the check box to secure your card
  • Complete the transaction with OTP to tokenize your card

Steps to tokenize your existing saved cards on merchant platform-

  • Visit merchant website or app
  • During checkout, click on secure your card as per RBI guidelines
  • Complete Rs.2 refundable transaction with OTP to tokenize your card

Benefits for you

  • Improvements in consumer and ecosystem security and an enhanced checkout experience. Additionally, these new guidelines help to enhance consumer trust in e-commerce payment & ensure a seamless transaction experience.
  • Provides an enhanced customer experience by facilitating faster checkout while shopping at their favourite merchant apps.
Frequently Asked Questions

1.    What is a token? And how safe is it?

With respect to online merchants, a token is a 16-digit number unique for a combination of card, token requestor and merchant. Through tokenization your actual card details are replaced with token credentials which can be used only with the intended merchant. Also, each token requestor (Website/App/Merchants) is certified for safety & security as per international best practices / globally accepted standards.

2.    Is this applicable on all cards?

Yes. The regulation is applicable to all Debit & Credit cards.

3.    How will the transactions be processed without card number?

Once the card is tokenised and the token details are stored at a merchant, these token details will be used to initiate online payments instead of actual card number to process transactions. You will be able to identify your card number with the last 4 digits and bank name and complete online card payments as you do currently with an OTP.

4.    What are the charges that the customer needs to pay for availing this service?

The customer need not pay any charges for availing this service.

5.    Do I have an option to tokenize the card directly with the Bank?

No, you will have to raise token requests through the merchant portal or app.

6.    Do I have to tokenize my card on all merchants?

Yes, you will have to generate unique token for every merchant of your choice

7.    What if I don’t want to tokenize my card?

If you do not want to tokenize your card/s, you can continue making purchases by entering the full card details for all your transactions. As per the guidelines, card details will not be saved by the merchant.

8.    Do I need to Tokenize my card for offline purchases?

Tokenization is not required for transactions done with a physical card at offline stores.

9.    How will I identify which card corresponds to which token?            

The last 4 digits of your card will be shown on merchant app / website along with the bank name. Cardholder can identify the card basis the same.

10.    What happens if I replace or renew my card?

If your existing card is replaced or renewed, the tokens created on the existing card will expire. You will have to visit the merchant page and create a fresh token by following the instructions available on the merchants’ page. This is to ensure that tokens are not stored with merchants beyond the expiry date of the card.

11.    Is there a limit on the number of transactions I can do from a tokenised card?

No, there is no limit to the number of transactions that can be done from a tokenised card.

12.    Do I have to tokenise both my primary and add-on cards?           

Tokenisation is applicable per card per merchant. Hence, if you wish to tokenise your add-on cards, you will need to generate tokens for them on the merchant website/app.

13.     How will COFT affect recurring mandates registered using cards?

Customers may note that in case of recurring mandates already registered using cards, the tokenisation of the stored card will be done in line with extant instructions on card tokenisation; and that e-mandate will continue to be processed as before.

14.     What would happen to customer’s actual card data stored with the online stores after the guideline is implemented?

 After 1st October 2022, the actual card data would be deleted from the database of the merchants & the payment aggregators.

15.    Is Tokenisation applicable for International Card on File transactions?

No. Tokenisation is applicable only for Domestic transactions.

16.    What is the difference between suspending & deleting a token?

With both, suspend or delete, a cardholder will not be able to perform any purchase transaction. However, when the token is suspended, it can be moved back to active status to reinitiate purchases, while deleting a token is of permanent nature and the cardholder would need to tokenise again to save payment credentials with the respective merchant.