As the use of digital payments has increased, the Reserve Bank of India (RBI) in 2019 allowed card networks to tokenize card transactions in order to continue improving the security and safety of card transactions. Tokenization is the process of replacing original card details with an alternative code called a "token" that should be unique and provides an additional degree of protection for customer credit card details. Since the actual card data are not given to the merchant during transaction processing, tokenized card transactions are regarded as safer. The Reserve Bank of India made clear on Friday that it would not postpone the October 1 deadline for implementing tokenization of card-based payments. As a result of the announcement, no online retailer or payment gateway will be permitted to save customers' credit card information on its digital platform.
Tanya Naik, Head of Omnichannel, Pine Labs, said, “With the rising adoption of digital payments, it is encouraging to see the regulator taking steps to enhance the payments security. Tokenization not only aids in making the payment transaction experience more secure for the end user but also aids merchants in delivering a consistent user experience and higher transaction approval rates with speed and security. Plural was one of the first online payment platforms in India to have adhered to this mandate and implemented card tokenization. Plural has to date processed over 70% of online volumes including EMI via tokens. At Plural, we are keen to solve for omnichannel merchants such as hotels, travel and endless aisle in retail and tokenization helps provide for a seamless experience.”
“With the increasing adoption of digital payments, it is important to safeguard customers’ data while still enabling seamless transactions. The Reserve Bank of India’s mandate for card-on-file tokenization has put the focus on building a robust ecosystem to benefit consumers with more secure transactions and merchants with better transaction approval rates. In India, tokenization is a fundamental shift that requires all the stakeholders in the payments ecosystem – acquirers, issuers, card networks, banks, and fintechs, among others – to do their part to help ensure a secure digital payment environment,” said Rishi Chhabra, Country Head and General Manager, India and Sri Lanka, Fiserv.
RBI says “Tokenisation refers to replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and device (referred hereafter as “identified device”).”
The cardholder can have a card tokenized by initiating a request on the platform made available by the token requestor. With the approval of the card issuer, the card network, such as Mastercard, Visa, RuPay, or American Express, then issues a token corresponding to the combination of the card details, the token requestor, and the device. Tokenization is the term to bear in mind when it comes to adding more security to your online card payments. According to the RBI, this procedure involves giving each payment method a special token that is unique to it. Tokenization and de-tokenization are possible only through authorized card networks, and the customer is not required to pay any fees to use the service. RBI says “Normally, in a tokenised card transaction, parties / stakeholders involved are merchant, the merchant’s acquirer, card payment network, token requestor, issuer and customer. However, an entity, other than those indicated, may also participate in the transaction.”
RBI says “Actual card data, token and other relevant details are stored in a secure mode by the authorised card networks. Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices / globally accepted standards.”
This means that, from tomorrow, online retailers will no longer be able to save your credit card information as they have previously. A user can request tokenization for any number of cards. The customer may use any card registered with the token requestor app to complete a transaction, and is also free to set and change daily and per-transaction limits for tokenized card transactions, as per RBI.
HDFC Bank has mentioned on its website that “You would have observed that websites and apps offered options to customers to save their card details. It made payment quick and easy. Effective 1st October 2022, merchants cannot save/store customers' card numbers, CVV and Expiration date, and any other sensitive card information. It is as per the RBI rule to offer enhanced card security. Secure/Tokenise my Card refers to replacement of actual or clear card number with an alternate code called the “Token” at online websites/apps.”
Your card information will be invalidated before October 1, 2022, if you had already saved it on any retailer websites or applications. Card tokenization is not mandatory, but without it you will need to enter your entire card information each time you make a purchase. Once your card has been successfully tokenized, you will be able to authenticate your card on the merchant page by entering the last four digits of the card. Those four digits are the only card information the merchant will keep on record, rather than the whole card details as was the practice before.
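The binding the RBI describes (one token per combination of card, token requestor and device, with the card number held only by the card network and the merchant keeping just the last four digits) can be sketched as follows. This is an added illustration, not code from the RBI, a card network or any bank; the class and function names, the random hex token format and the `afa_verified` flag are assumptions of the sketch.

```python
import secrets


class CardNetworkVault:
    """Toy model of the card network's vault; the only place the PAN is stored."""

    def __init__(self):
        self._token_for = {}   # (pan, requestor_id, device_id) -> token
        self._binding_of = {}  # token -> (pan, requestor_id, device_id)

    def tokenize(self, pan, requestor_id, device_id, afa_verified):
        # Registration needs explicit customer consent via AFA (e.g. OTP).
        if not afa_verified:
            raise PermissionError("AFA consent missing")
        binding = (pan, requestor_id, device_id)
        if binding not in self._token_for:
            # Assumption of this sketch: the token is a random value with
            # no mathematical relation to the PAN.
            token = secrets.token_hex(16)
            self._token_for[binding] = token
            self._binding_of[token] = binding
        return self._token_for[binding]

    def detokenize(self, token, requestor_id, device_id):
        # Only the network maps a token back, and only for the requestor
        # and device the token was issued to.
        pan, bound_requestor, bound_device = self._binding_of[token]
        if (requestor_id, device_id) != (bound_requestor, bound_device):
            raise PermissionError("token presented outside its binding")
        return pan


def merchant_record(pan, token):
    """What the merchant may keep on file: the token and the last four digits."""
    return {"token": token, "last4": pan[-4:]}


def demo():
    pan = "4111111111111111"  # constructed test number, not a real card
    vault = CardNetworkVault()
    t_shop = vault.tokenize(pan, "shop-app", "phone-1", afa_verified=True)
    t_travel = vault.tokenize(pan, "travel-site", "phone-1", afa_verified=True)
    try:
        vault.detokenize(t_shop, "travel-site", "phone-1")
        replayed = True
    except PermissionError:
        replayed = False
    return t_shop != t_travel, replayed, merchant_record(pan, t_shop)
```

A token copied from one merchant's database is of no use at another merchant or on another device, which is the property that makes a breach of merchant-side storage far less damaging than a breach of stored card numbers.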
RBI says “The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc. Customer will also be given choice of selecting the use case and setting-up of limits.”
“The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc,” says HDFC Bank.
SBI Card has mentioned on its website that “RBI has directed the payment aggregators, wallets and online merchants (entities in card transaction/payment chain other than card issuers/card networks) not to store any sensitive card related customer information including full card details. Hence, the card numbers can be replaced with ‘token’ as mentioned above. This RBI mandate would come into effect from 1st October 2022. Please be assured that this will not hamper your credit card experience but will make your credit card transactions more secure.”
“As the card details will not be saved from 1st October 2022 you will need to tokenise your card on the corresponding Merchant website or app. You can then continue to make payments without entering your card details again on that Merchant if you have generated a token. If you do not tokenise your card, then you would have to manually enter your full card details for making transactions” says SBI Card.
“As per the regulatory guidelines of RBI, with effect from 01st October, 2022, Banks introduce tokenization facility for all the card users of both Debit and Credit card holders of RuPay/VISA/Master card to enhance online transaction security. Under Tokenisation facility, neither the Payment Aggregators (PAs) nor the Merchants can store customer card credentials within their data base w.e.f. October 01, 2022. All the Payment Aggregators (PAs)/Payment Gateway acquirers should replace the stored card on file with tokens and the basic purpose of tokenisation is to enhance security for digital transactions” said Union Bank of India on its website.
“Tokenisation is a backend process of replacing Credit/ Debit/ Prepaid Card details with a unique set of characters or a 'token'. This will secure payments and enable future transactions without exposing any sensitive card details. You can tokenize your saved cards, depending on merchants. Merchants may either provide the option to save the card using tokenisation while you are transacting or will prompt you post login on their website/ app to save your cards using AFA (Additional factor authentication, eg: OTP),” said Kotak Mahindra Bank on its website.
Tokenization, which replaces confidential customer data like card numbers, CVVs, etc. with computationally encrypted tokens produced by the card issuer or the payment network (Visa, MasterCard, RuPay), would increase security and further improve the country's digital payments ecosystem. Tokenization will speed up customers' digital shopping experiences while also boosting security and lowering hassle in the checkout process, because customers will no longer be required to repeatedly enter their card information: once a token has been issued, it may be used for any subsequent payments on the online merchant app or website.