TOKENISATION
Context
- From October 1, the Reserve Bank of India’s card-on-file (CoF) tokenisation norms have kicked in.
What is tokenisation?
- Tokenisation refers to the replacement of actual card details with a unique alternate code called the ‘token’, which shall be unique for a combination of the card, the token requestor (i.e. the entity which accepts requests from the customer for tokenisation of a card and passes them on to the card network to issue a corresponding token) and the device.
How did India decide to carry out tokenisation?
- In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from January 1, 2022, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative.
- Following a series of representations from several industry players and digital payment platforms who anticipated disruption in online transactions from January 1, 2022, the RBI extended the implementation date of card-on-file (CoF) tokenisation norms by another six months to June 30, 2022.
- The June 2022 deadline was further extended as the RBI felt that although considerable progress had been made in terms of token creation and transaction processing based on these tokens had also commenced, the concept was yet to gain traction across all categories of merchants. Subsequently, the deadline was extended till September 30, 2022.
Background
- Digital is currently one of the most convenient and favoured platforms for availing services and making purchases.
- Because of our increased frequency of making online transactions, most of us have been saving our payment information on merchant sites, which means that our payment partners have access to sensitive financial information that should otherwise be highly personal.
- In order to secure this data and protect not just customers but also merchants and banks, RBI is now prohibiting merchants from storing debit and credit card details on their servers post June 30, 2022.
- As a safer and more convenient alternative to card storage, RBI has mandated the adoption of tokenization through which one’s sensitive card information can be replaced with a non-sensitive uniquely generated code called ‘Token’.
Tokenization:
- Tokenisation is a process by which card details are replaced by a unique code or token, allowing online purchases to go through without exposing sensitive card details.
- Under tokenisation services, a unique alternate code is generated to facilitate transactions through cards.
- It is the process of substituting a 16-digit customer card number with a non-sensitive equivalent value, referred to as a token.
- This essentially means that a customer's card information will no longer be available on any merchant, payment gateway, or third party that helps in the processing of digital transactions today.
- With card tokenisation, consumers no longer need to fear saving their card details.
- Cardholders will have to give an explicit consent that will be collected for tokenisation.
Why does RBI want cards to be tokenised?
- Customer’s card details are stored by merchants, and if their security measures are inadequate, this puts all the customers at risk. There have been several instances in the past where merchant websites have been hacked and debit and credit card details have been leaked. This is what the RBI wants to eliminate.
- By mandating card tokenization, the burden of security is now on payment processors and banks, not merchants.
- Thus, a tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
- Tokenisation ensures standardisation for card-on-file transactions through higher security standards: a token cannot be converted back to the card number by the merchant, unlike the existing reversible cryptographic (encryption) standards, where anyone holding the key can recover the card details.
How can tokenisation be carried out?
- The card holder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.
How does this card tokenisation work?
- At check-out time on an online shopping portal, one has to enter card details and opt for tokenisation. The merchant forwards the request to the respective bank or card network (Visa, RuPay, Mastercard, etc.). A token is generated and sent back to the merchant, which then saves it for the customer. The next time the customer comes back to shop, she has to just select this saved token at check-out time. The same masked card details and the last four digits of the customer’s card number will be visible. The customer then enters the CVV and completes the transaction.
- The customer does not need to remember the token. The end-customer experience does not change while making the payment.
- The tokenisation request is carried out through Additional Factor of Authentication (AFA) by the cardholder. This algorithmically generated token protects sensitive information and prevents card fraud, as it allows the cardholder to make payments without exposing bank details.
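The flow just described, and the one-token-per-card-and-merchant rule in the FAQ below, as an added toy model (not RBI's or any card network's code): the network alone keeps the PAN-to-token vault, a token is random rather than derived from the PAN, the merchant stores only the token and the last four digits, and issuance requires explicit AFA consent. Card numbers, merchant names and device ids are constructed samples.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class CardNetwork:
    """Toy token vault standing in for the card network's role."""
    vault: dict = field(default_factory=dict)  # token -> (pan, requestor, device)
    index: dict = field(default_factory=dict)  # (pan, requestor, device) -> token

    def tokenise(self, pan, requestor, device, consent_afa):
        # Issuance only on explicit consent collected via AFA (e.g. an OTP)
        if not consent_afa:
            raise PermissionError("tokenisation requires explicit AFA consent")
        key = (pan, requestor, device)
        if key in self.index:  # one token per card/requestor/device combination
            return self.index[key]
        # The token is random, not an encryption of the PAN: there is no key
        # with which a merchant could reverse it back to the card number.
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = key
        self.index[key] = token
        return token

    def detokenise(self, token):
        # Only the network can map a token back to the actual card number
        return self.vault[token][0]


@dataclass
class Merchant:
    """A token requestor: it never stores the PAN, only token plus last four."""
    name: str
    saved: dict = field(default_factory=dict)  # customer -> (token, last4)

    def save_card(self, network, customer, pan, device, consent_afa):
        token = network.tokenise(pan, self.name, device, consent_afa)
        self.saved[customer] = (token, pan[-4:])  # PAN itself is discarded
        return self.saved[customer]

    def masked_display(self, customer):
        # What the customer sees at checkout: masked number with last four digits
        _, last4 = self.saved[customer]
        return "XXXX XXXX XXXX " + last4
```

Run `Merchant("shop-a").save_card(...)` and `Merchant("shop-b").save_card(...)` with the same PAN and device to see that the same card yields two different tokens, while `CardNetwork.detokenise` resolves both to the one PAN.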
What are the charges that the customer needs to pay for availing this service?
- The customer need not pay any charges for availing this service.
What are the use cases (instances / scenarios) for which tokenisation has been allowed?
- Tokenisation has been allowed through mobile phones and / or tablets for all use cases / channels (e.g., contactless card transactions, payments through QR codes, apps etc.)
Can tokenisation be enabled through a smart watch or such other devices?
- The feature of tokenisation is restricted to mobile phones and / or tablets only.
Who can perform tokenisation and de-tokenisation?
- Tokenisation and de-tokenisation can be performed only by the card network authorized by RBI.
What is de-tokenisation?
- Conversion of the token back to actual card details is known as de-tokenization.
Who are the parties / stakeholders in a tokenisation transaction?
- Normally, in a tokenised card transaction, parties / stakeholders involved are merchant, the merchant’s acquirer, card payment network, token requestor, issuer and customer. However, an entity, other than those indicated, may also participate in the transaction.
Are the customer card details safe after tokenisation?
- Actual card data, token and other relevant details are stored in a secure mode by the authorised card networks. Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices / globally accepted standards.
Is tokenisation of card mandatory for a customer?
- No, a customer can choose whether or not to have his / her card tokenised.
Do the customers have the option to select tokenisation for a particular use case?
- Customers have the option to register / de-register their card for a particular use case, i.e., contactless, QR code based, in-app payments, etc.
How does the process of registration for a tokenisation request work?
- The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc. Customer will also be given choice of selecting the use case and setting-up of limits.
Can the customer set / select own limits for tokenised card transactions?
- Customers have the option to set and modify per transaction and daily transaction limits for tokenised card transactions.
Is there any limit on the number of cards that a customer can request for tokenisation?
- A customer can request for tokenisation of any number of cards. For performing a transaction, the customer shall be free to use any of the cards registered with the token requestor app.
Can the customer select which card to be used in case he / she has more than one card tokenised?
- For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.
Is there any limit on the number of devices on which a card can be tokenised?
- A customer can request for tokenisation of his / her card on any number of devices. However, as of now, this facility shall be offered through mobile phones / tablets only.
Whom shall the customer contact in case of any issues with his / her tokenised card? Where and how can he / she report loss of device?
- All complaints should be made to the card issuers. Card issuers shall ensure easy access to customers for reporting loss of “identified device” or any other such event which may expose tokens to unauthorised usage.
Can a card issuer refuse tokenisation of a particular card?
- Based on risk perception, etc., card issuers may decide whether to allow cards issued by them to be registered by a token requestor.
Does a card have different tokens for different merchants?
- One token is limited to just one card and one merchant (online portal). For instance, if one is having say, an ICICI Bank credit card tokenized on Amazon, then, this same card will have a different token on Flipkart. However, as a customer one does not need to know or remember the token linked with the card. One can tokenize multiple cards with the same merchant, or tokenize the same card with multiple merchants.
RBI also encouraged cardholders to tokenise their cards for their own safety. To date, about 19.5 crore tokens have been created.
RBI’s latest directions
- As per the Reserve Bank of India’s latest order, all merchants must delete customer debit and credit card data on or before June 30, 2022 and replace card payments with unique tokens for all online, point-of-sale and in-app transactions.
Benefits of tokenization in a nutshell
Largely designed to counter online frauds and curb digital payment breaches, tokenization comes with a slew of benefits. Some of them are:
- Enhanced safety and security: Tokens generated will be unique to a single card at a specific merchant, and this raises the overall security of card-based transactions. It eliminates the risk of storing card details online while keeping the convenience of storing the customer’s token on the merchant site.
- Quicker checkouts: A tokenised card allows the convenience of quick checkouts, as one doesn’t need to punch in the card number for each purchase.
- No more 'false declines': Many times legitimate online payments using valid cards are declined on the grounds that the transaction looks like fraud. With tokenisation, this becomes a thing of the past, as the usage of tokens for payments confirms security of the highest order.
- Easy card management: With tokenisation, one can also keep track of all one’s cards and the merchants they have been tokenised with.
- No need for a physical card: With tokenisation, one can store a virtual version of one’s card on a smartphone for the days one forgets to carry one’s wallet.
- Added benefits: Tokenisation also comes with cashback benefits when secured with platforms like Amazon, Paytm, Swiggy, Flipkart and PhonePe, among others.