Nitin Goel is co-founder, Sadar24
The Reserve Bank of India (RBI) has mandated tokenisation to start from October 1, replacing credit and debit card data with independent tokens that one can use online, in stores and apps. With it becoming operational from Saturday, it’s best to know how tokenisation works. By tokenising, banks and merchants will have more time to educate consumers about its benefits, and stakeholders will be able to develop the infrastructure necessary to support it.
What is it?
Tokenisation aims to replace sensitive payment credentials like 16-digit credit card numbers, names, expiration dates and codes with unique alternatives. It is used whenever recurring payments are made, or when merchants store card information to make checkouts faster. With tokenisation, the merchant doesn’t have to store the consumer’s credit card information, so the transaction is more secure.
It is unnecessary to force this service on consumers, even as it is highly recommended to protect their information that is otherwise exposed during card transactions. If one wishes to avoid having one’s card information saved with a particular merchant, one must enter the entire card number every time one makes a purchase. Tokenisation simplifies this procedure and enhances security.
Is it necessary?
The majority of online merchants store customer credit and debit card details, and this reduces friction in digital payments. However, there have been security breaches that have exposed card numbers.
After December 31, 2022, it will no longer be possible to store card details, except for card networks and card issuers. It is okay if the data is already there, but it must be deleted. The deadline for tokenisation has been extended twice, and now the deadline is September 30, 2022.
How does it work?
The functionality of tokenisation can be summarised as follows:
- Banks and card networks approve debit requests based on the customer’s information on a merchant’s site.
- Tokens replace cards on file (CoF) and save card details for completing a transaction.
- After a successful transaction, the token is replaced with card data at the back end.
- Tokens will be specific to a consumer, merchant and card combination. This code is unique and can’t be used anywhere else.
- A device-based tokenisation framework will include desktops, laptops, wearables and Internet of Things (IoT) devices.
- Tokenisation will be specific to laptops if a user uses one. If one uses it on another device, it will be useless.
Since CoF data can’t be shared between devices, the user has to enter it again. This makes transactions secure. Through tokenisation, customers can use the same token across multiple devices.
What are the options for tokenisation?
The following are some common things one has to do once tokenisation starts on Saturday:
- Customers can request tokenisation of their cards through the website or app where they want to make purchases.
- Once the merchant gets the customer’s request, it gets forwarded to the bank issuing the card or the partner bank.
- Tokens are issued based on the unique combination of card number, merchant and token requester.
Impact on customers
Today, merchant websites ask for credit card information when one shops online. Next time the customer buys from the same site, she would select the card, put in the card verification value (CVV) number and authenticate with a one-time password (OTP), saving time and hassle.
When a customer tokenises, she only has to go through one tokenisation process and all subsequent transactions will be easy. It’s a straightforward process that uses tokens. Besides making transactions easier, it keeps customer data secure and it can’t be accessed by merchants.
Tokenisation has yet to gain traction among merchants across the country since RBI announced it. There are only so many companies interested in tokenising cards. As this is a first in India, customers should also expect some initial inconvenience. It won’t affect the purchase process significantly since it’s one-time, and more clarity may come once the implementation date gets closer.
How is tokenisation safer?
Tokenised cards don’t reveal actual card information to merchants. For tracking and reconciliation, organisations can store the last four digits of the card number and the issuer’s name. To create a token, the customer has to supply an OTP-based authentication.
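The rules listed under "How does it work?" and in the paragraph above can be modelled in a short sketch. This is an added example, not part of the original article and not the system used by RBI, any bank or any card network. The class, function and merchant names are hypothetical, and binding a token to a card, merchant and device combination is a simplifying assumption.

```python
import secrets

class TokenVault:
    """Toy vault run by the card network or issuer (hypothetical, simplified)."""

    def __init__(self):
        self._token_for = {}    # (card, merchant, device) -> token
        self._binding_of = {}   # token -> (card, merchant, device)

    def tokenise(self, card_number, issuer, merchant, device, otp_verified):
        """Issue a token; returns only what a merchant may keep on file."""
        if not otp_verified:
            raise PermissionError("OTP authentication is required to create a token")
        binding = (card_number, merchant, device)
        token = self._token_for.get(binding)
        if token is None:
            # Random 16-digit surrogate: not derived from the card number.
            token = self._new_token()
            self._token_for[binding] = token
            self._binding_of[token] = binding
        return {"token": token, "last4": card_number[-4:], "issuer": issuer}

    def _new_token(self):
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._binding_of:
                return token

    def detokenise(self, token, merchant, device):
        """Back-end step: swap the token for card data if the binding matches."""
        binding = self._binding_of.get(token)
        if binding is None or binding[1:] != (merchant, device):
            raise PermissionError("token is not valid for this merchant and device")
        return binding[0]


def replay_rejected(vault, token, merchant, device):
    """True when the vault refuses the token in the given context."""
    try:
        vault.detokenise(token, merchant, device)
    except PermissionError:
        return True
    return False

CARD = "4111111111111111"  # constructed test number, not a real card
```

A token copied from one merchant's records is refused when presented by another merchant or from another device, and the merchant's stored record never contains the full card number.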
The majority of merchants haven’t yet embraced tokenisation despite banks like ICICI, State Bank of India and HDFC being ready. At the moment, the infrastructure to implement the new regime does not exist. Because of this, RBI had extended tokenisation’s implementation date to October 1. It’s only a matter of time, though, that we will see the actual impact of tokenisation in the Indian market.