To protect the interest of the debit and credit card users for online transactions against fraud, cyber theft and other malpractices, RBI has recently tightened the norms of tokenization which is likely to take effect from January 1 2022. According to the recent circular, no entity in the card transaction or payment chain (other than card issuers or card networks) shall store the actual card (debit or credit or other cards) data. Any such data stored previously shall be purged. Also, for transaction tracking purposes, entities can store limited data such as the last four digits of the actual card number and card issuer’s name. 

But what is card tokenisation? And how does it impact individual users? Read on to find out more!

What is tokenisation of cards?

Whenever you make a payment or transact online, you, as a credit or debit card user, would have to enter your sixteen-digit card number, expiration details and CVV, followed by OTP confirmation. In some cases, these card details are already stored, and in some cases, you would have to enter the details manually. While the transactions are secure, they are still open to cyber threats. This is where tokenisation comes into play. 

Tokenisation refers to the replacement of actual card details with an alternate code known as ‘token’. It is a unique code with random numbers that are not expected to be stolen or reused. So even if there is a data breach, the customer’s account details are generally considered secure, and the tokens are useless to cybercriminals. 

Card-on-File transactions will also be tokenised. CoF transactions are those transactions where the cardholder has already authorised a merchant to store details. 

How does it work?

  • Every token issued will be unique for each combination of cards, the e-commerce/online merchant, the card network and the device. We still don’t have much clarity on how these tokens will be issued to us.
  • The flow of the token request will be as follows:
  1. You, as the cardholder, will initiate the request on the e-commerce merchant app that will forward the tokenisation request to the card network.
  2. Depending on the device being used, the online merchant and your card combination, that card network will issue a token.
  3. The token will be given to the e-commerce merchant you are transacting on instead of your card details.
  • Merchants have been barred from saving card details of users from January 1, 2022, onwards. 
  • If the user does not opt for tokenization of their cards, they will have to enter the whole 16-digit card number every time they transact online. 
  • RBI’s end goal is to keep the online transaction space free from fraud.
  • Companies like Visa and MasterCard generate tokens. These companies operate like token service providers (TSP).

Tokenisation of cards by RBI – Impact on users

  • The direct impact on users concerns the safety of card details. Saved card details on merchant websites have led to many online frauds and online theft. If you, as a user, don’t opt for the tokenisation system, you will have to enter all your card details every time you transact online.
  • If the card tokenisation system in India is as convenient as a one-click transaction, we need to watch once we fully know how this will work.
  • One-click transaction happens when the card details are saved, and the user just has to enter a CVV helping in the quick completion of the transaction.
  • The RBI tokenisation framework is extended beyond mobile phones and tablets to include desktops, wristwatches, bands, other wearable devices, and internet of things devices. So, this means, from wherever the customer makes any kind of card-based transaction, tokens (16-digit random numbers) can be used to substitute the actual card details.