The CardOnFile payment flows described on this page apply if you are processing transactions via local acquiring in India. Reach out to your Account Manager or our Support Team to evaluate if and how you can process locally with Adyen.
The information on this page applies to merchants processing CardOnFile payments locally in India.
From 30 September 2022, you must comply with the regulations allowing only authorised card networks to tokenize cards.
You can accept CardOnFile payments for one-off payments where a shopper can either store their payment details or pay in your website or app using their saved payment details. These payments use the CardOnFile recurring processing model.
Impact on CardOnFile transactions
To comply with the regulations and ensure continuity of service in India, Adyen has developed a network tokenization solution. This solution entails creating tokens with the networks (network tokens), instead of creating tokens with Adyen in the backend.
Your existing integration remains as is, with some additional requirements:
- You must update the shopper journey to ensure that the shopper gives explicit consent for their card to be tokenized.
- You may have to update your user interface to show shoppers a list of their tokenized cards. You must provide shoppers an option to delete these tokens. If a token is deleted, you should use the /disable endpoint to ensure the token is deleted in all downstream systems.
- If a shopper deletes a token on the issuer’s end, a notification with
eventCodeDISABLE_RECURRING is sent to your configured endpoints. If you receive this notification you must ensure that the token is deleted from your systems.
Getting shopper consent
The RBI regulations specify that tokenization of card data can only be done with explicit shopper consent, and additional factor authentication validation by the card issuer.
Adyen recommends that you seek independent legal counsel to make sure you are compliant with this part of the regulation.
We advise that you follow these recommendations:
- Shopper consent must be explicit. The message displayed to the shopper should explicitly indicate that consent is being given for tokenization of card information.
- Additional factor authentication, specifically 3D Secure 1, must be done for the transaction where tokenization consent is given and the token is created.
- Provide an FAQ on tokenization to shoppers explaining the underlying concept and the benefits. The FAQ should say how you use tokenized card information.
Prepare for tokenization changes
In order to create network tokens in the backend and to meet the additional requirements of the tokenization regulations, certain backend configurations need to be made on Adyen’s end. Reach out to your Account Manager or our Support Team for assistance.
Based on our current understanding, all the tokens created between merchants and Adyen before network tokenization came into effect should be deleted. We recommend that you use the /disable endpoint to delete all such tokens on Adyen’s end as well as deleting them from your system. This will ensure that the data on your systems and Adyen's systems is consistent.
From 30 September 2022 Adyen will block processing of transactions with any tokens that are not network tokens.