The RBI has issued a final circular making card (CC/DC) tokenization mandatory from January 1, 2022. When buying a product online, we are often forced to store our credit or debit card details on the e-commerce platform. To make this safer, the RBI issued guidelines for tokenisation.
What is Card Tokenization?
Card tokenization is a process of substituting sensitive customer data (such as card number, CVV, etc.) with an algorithmically generated token (encrypted) by a token service provider, which could be the card issuer or payment networks. The token flows through the payment system in a secured way without disclosing the customer details or allowing the payment intermediaries (merchants, payment aggregators) to store customer data. This is mainly to ensure customer data safety/security and curb rising instances of fraud/hacks. Any previously stored data (card-on-file) by merchants/payment gateways will have to be erased.
Here’s what happens when a customer uses a card and transacts through a tokenisation-based authentication server:
- A credit/debit card is used at a POS machine or on an e-commerce market place
- The credit card number is transferred to the tokenisation system
- The tokenisation system generates 16 random characters, also called a ‘token’, to replace the original credit card number
- The tokenisation system returns the newly generated 16-digit random token to the e-commerce site, which replaces the customer’s credit card number in its system.
For instance, the card number (example) 5931 9212 3933 3391 will be replaced by the token number 4321 2365 4545 2111.
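The flow above, as an added illustration in Python (not RBI's, a card network's or any real token service provider's code): a hypothetical token vault draws a 16-digit token from a CSPRNG so it carries no information about the card number, keeps the token-to-PAN mapping only inside the provider, and the merchant record holds just the token and the last four digits. The card number used in the test is the constructed, widely used test PAN 4111 1111 1111 1111.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Input sanity check: True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenServiceProvider:
    """Stand-in for the issuer/network token vault (hypothetical, not a real TSP API)."""

    def __init__(self):
        self._vault = {}  # token -> PAN; this mapping never leaves the provider

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if len(pan) != 16 or not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("not a well-formed card number")
        while True:
            # 16 random digits from a CSPRNG: not derived from the PAN in any way
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if token not in self._vault and token != pan:
                self._vault[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        """Only the provider can map a token back to the card number."""
        return self._vault[token]


def merchant_record(tsp: TokenServiceProvider, pan: str) -> dict:
    """What the merchant keeps on file after tokenization: token and last four digits."""
    token = tsp.tokenize(pan)
    digits = pan.replace(" ", "")
    return {"token": token, "last4": digits[-4:]}


def record_leaks_pan(record: dict, pan: str) -> bool:
    """True if the full card number appears anywhere in the stored merchant record."""
    digits = pan.replace(" ", "")
    return any(digits in str(v) for v in record.values())
```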
Types of Tokenization
Card-on-File Tokenization or PCI Tokenization-
With this kind of tokenization, the card number or UPI handle can be saved when you opt in during an online payment for recurring payments, e.g. on your favourite marketplaces or OTT subscriptions where you do not enter your payment credentials every time. With this, you can carry out card-not-present transactions. Such tokenization can be carried out by the merchant, payment aggregators, payment gateways or networks like Visa and Mastercard to meet the PCI DSS guidelines. Not all tokenization options are available in all regions; for example, in India the RBI restricts which entities can store or tokenize payment credentials.
Globally popular OTT platforms and marketplaces like Netflix or Amazon could tokenize your sensitive data. In any case, you will still be able to see the last four digits of your card, but any other party will only see the tokenized digits. Globally, merchants and marketplaces use their own proprietary token mechanisms, with gradual adoption of network-based tokenization.
Device Tokenization-
Device tokenization is still at a nascent stage in India and is waiting for mass adoption. This tokenization is carried out by network providers, while the token is saved on the mobile device, e.g. Samsung Pay, Apple Pay, Android Pay etc., using NFC or secure element (SE) technology.
Why Is RBI Enforcing Tokenization?
The central bank said that many entities involved in the card payment transaction chain store the actual card details (also known as Card-on-File (CoF)) of their users.
In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen.
In the recent past, there were incidents where card data stored by some merchants was compromised or leaked. Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA (additional factor of authentication) for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques.
How It Helps
Tokenization as a security enhancement measure is used in many regions, including North America and Asia, and selectively in India as well. HDFCB, ICICI and SBIC already have a card tokenization system in place for online transactions, while a few players have device-based tokenization (SBIC with Samsung) for contactless NFC payments. Instead of creating and using their own token-generating engine, using the payment networks’ (Visa/Mastercard) engine will be far more cost-efficient and technologically advanced and will have merchant acceptability.
Card tokenization is mainly for online transactions, for which, effective January 1, 2022, customers will have to key in the card number for the first time (as the stored number will be erased) and complete the transaction via two-factor authentication. At the back end, a token would be generated by the merchant with the card issuer/network partner, based on which the transaction will be completed. Next time the customer will see the card payment option with the last four digits of the card, and the payment will be completed smoothly as it used to happen earlier. However, operational details are still not out, including validity, number of tokens per merchant, refresh rate, etc.
Impact
Mandatory tokenization of cards and resultant customer inconvenience in the initial phase may deter cardholders from making low-value online card payments and may push them to other payment modes such as UPI and wallets. However, it would alleviate security concerns in online transactions; thus, it will be a long-term positive for the card industry. That said, card companies will have to engage and educate customers while ensuring a smooth tokenization process to protect their share in the payments business.