The coming disruption over card tokenization


Summary

A new regulatory framework expected to kick in from 1 January 2022 will change how you transact online

After a changed set of rules on auto-debit transactions on cards, another new regulatory framework expected to kick in from 1 January next year will change how you transact online using debit and credit cards.

The Reserve Bank of India (RBI) has asked all merchants and payment gateways to remove sensitive customer card data saved on their end, such as card number, expiry date and CVV, and instead use encrypted tokens to carry out transactions. This system is called card tokenization.

When a card is tokenized, its number is replaced with an algorithmically generated token. So, when a merchant wants to initiate a transaction on a customer’s card, they will use this token, which is a set of random numbers, in place of the actual card details.

Tokenization as a concept is not new in India, said Shailesh Paul, head, merchant sales and acquiring and CyberSource, India and South Asia, Visa. “There are two types of approved tokenization. One is device tokenization, which was approved by RBI in 2019, under which, say if I have an NFC (near field communication) powered smartphone, I can embed a token in it and use it for tap and pay transactions.” Wearables, laptops and desktops are also included under this framework.

“The second type is card-on-file (CoF) tokenization, which applies to e-commerce transactions,” said Paul. RBI included CoF data in tokenization rules in September.


What will change under card tokenization?

To understand how payment flow changes under the CoF tokenization system, let us first understand how a card transaction is carried out currently. When you make a purchase on, say an e-commerce website using your card, the latter picks up your card details and its acquiring bank initiates the transaction by sending the details to the card network (Visa, Mastercard, Rupay, etc). The card network, in turn, sends them to the card issuer bank or company requesting payment approval.

Essentially, your card details travel through three stakeholders in the payment flow and the merchant, with your consent, could also save your card details on his/her end for future repeat transactions.

Under CoF tokenization, your card number is replaced with an encrypted token in the very first step. During a purchase, the merchant, after getting your consent, will request the card network to generate a token against your card. This token will flow through the entire payment chain.

What cardholders need to do

Payments experience for a customer doesn’t change drastically under this framework.

The customer needs to set up a one-time tokenization for each card and every merchant he/she transacts with. The process is fairly simple (see graphic).

From January onwards, when you make the first payment to any merchant, you will need to give him/her your consent with an additional factor of authentication (AFA) to tokenize your card. Once done, you will complete the payment as usual by keying in your card’s CVV and a one-time-password (OTP). This token will be saved on the merchant’s end for subsequent transactions, just like you save your card details.
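The per-card, per-merchant token described above can be sketched as a toy token service. This is an added example, not code from the article or from any card network; the class and method names, the 16-digit token format and the merchant-binding check in `resolve` are assumptions made for illustration.

```python
import secrets

class TokenService:
    """Toy card-network token service (constructed for illustration)."""
    def __init__(self):
        self._records = {}  # token -> {"pan", "merchant", "active"}

    def tokenize(self, pan, merchant_id, consent_with_afa):
        if not consent_with_afa:
            raise PermissionError("cardholder consent with AFA required")
        for token, rec in self._records.items():
            if rec["active"] and (rec["pan"], rec["merchant"]) == (pan, merchant_id):
                return token  # card already tokenized for this merchant
        while True:
            # Random digits: the token has no mathematical link to the card number.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "merchant": merchant_id, "active": True}
        return token

    def resolve(self, token, merchant_id):
        """Map a token back to its card, or return None to decline."""
        rec = self._records.get(token)
        if rec is None or not rec["active"] or rec["merchant"] != merchant_id:
            return None
        return rec["pan"]

    def merchants_holding(self, pan):
        """List the merchants where this card is saved as an active token."""
        return sorted(r["merchant"] for r in self._records.values()
                      if r["pan"] == pan and r["active"])

    def revoke(self, token):
        if token in self._records:
            self._records[token]["active"] = False

def demo():
    pan = "4111111111111111"  # constructed test card number, not a real card
    svc = TokenService()
    shop = svc.tokenize(pan, "shop-a", consent_with_afa=True)
    other = svc.tokenize(pan, "shop-b", consent_with_afa=True)
    replay = svc.resolve(shop, "shop-b")  # shop-a's token presented by shop-b
    before = svc.merchants_holding(pan)
    svc.revoke(shop)
    return shop != other, replay, before, svc.resolve(shop, "shop-a"), svc.resolve(other, "shop-b")

if __name__ == "__main__":
    print(demo())
```

A token saved at one merchant is declined when presented by another, and revoking it leaves the card's other tokens working.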

“The only action required of a customer is to approve the first-time request from every merchant,” said Paul.

It must be noted that each stakeholder in the payment process needs to comply with tokenization guidelines for transactions to successfully go through. “Even after tokenization is complete, the transaction may fail if a stakeholder has not integrated the required technology to accept or read tokenized cards,” said Ravi Battula, head merchant acquiring solutions – Wibmo.

In this case, you can use an alternative mode of payment such as net banking or UPI to complete transactions.

How will it benefit users?

RBI has mandated card tokenization with an aim to strengthen the security of card data.

One obvious benefit is that it will prevent data theft. “Since tokenization converts sensitive card data into a random string of unique characters, it not only protects consumers but also banks and merchants from data breaches,” said Manas Mishra, chief product officer, PayU India.

Rahul Tyagi, co-founder, Safe Security, pointed out that this move will help prevent a fraud that has gained ground recently. “Lately, a lot of fake e-commerce websites have popped up who mandate customers to share their credit or debit card details to make the purchase. They sell cheap merchandise ranging from ₹50 to ₹100 to lure customers and even deliver the products to 50-100 customers to establish genuineness of the platform. After a month of operations, they misuse the elicited card details to commit fraud. With cards tokenized, such crimes cannot be committed.”

Apart from security, card tokenization will give more control to consumers over payments, said Battula.

“Most cardholders easily save their card details across 4-5 merchants and in some cases forget about them. Under tokenization, customers can go to the card issuer’s website to check where all their card is saved as a token and revoke any of the tokens if they want to. As a result, cancelling subscriptions will also get easy.”

Card rewards and benefits may get impacted

Rewards and benefits offered on card transactions may get impacted. For instance, if an e-commerce website is offering a 10% discount on, say, an HDFC debit card, under the tokenization system the merchant can’t know which card is issued by HDFC Bank to give the discount.

Battula said such disruptions are expected initially because the transaction is initiated at the merchant’s end. However, clarity is awaited on this front from the regulator and banks.
