Many merchants and e-commerce platforms require customers to save debit or credit card details with them, which increases the risk of that card data being stolen. This can now be avoided, with the Reserve Bank of India (RBI) allowing cards to be tokenised for payments.
What is tokenisation?
It refers to the replacement of actual card details with an alternative code called a ‘token’. The token is unique to a combination of the card, the token requestor (the entity that accepts a customer’s request to tokenise a card and passes it on to the card network, which issues the token) and the device, the RBI says. Because the token rather than the card number is shared, it reduces the chance of fraud arising from card details being exposed. The token can be used for contactless card transactions at point-of-sale (PoS) terminals and for QR code payments.
The RBI has also extended tokenisation to Card-on-File (CoF) transactions, in which card details used to be stored by merchants, and has directed merchants not to store card details in their systems from January 1, 2022. A CoF transaction is one in which a cardholder has authorised a merchant to store his or her Mastercard or Visa payment details and to bill the stored account. E-commerce companies, airlines and supermarket chains often store card details in this way.
“With effect from January 1, 2022, no entity in the card transaction or payment chain, other than the card issuers and card networks, should store the actual card data. Any such data stored previously will be purged,” the RBI said in a circular. The RBI had earlier barred storage of card data in March 2020 but extended the deadline to December 31, 2021.
How does tokenisation work?
The cardholder can get a card tokenised by initiating a request on the app provided by the token requestor. The token requestor forwards the request to the card network which, with the consent of the card issuer, issues a token corresponding to the combination of the card, the token requestor and the device. The RBI has allowed tokenisation through mobile phones and tablets for all use cases and channels, including contactless card transactions and payments through QR codes and apps.
The tokens are generated by card networks such as Visa and Mastercard, which act as Token Service Providers (TSPs); they provide the tokens to mobile payment or e-commerce platforms so that the token, rather than the customer’s card details, is used during transactions.
When a user enters card details into a virtual wallet such as Google Pay or PhonePe, the platform asks one of these TSPs for a token. The TSP first requests verification of the card details from the customer’s bank. Once the details have been verified, a token is generated and sent to the user’s device. The token remains tied to the customer’s device and to the token requestor for which it was issued, so it is not simply reusable from another device or merchant. Each time the customer uses the device to make a payment, the platform can have the transaction authorised by sharing only the token, without revealing the customer’s real card details. Tokens can be used to safeguard payments in mobile wallets and in physical or online stores such as Amazon.
Who can tokenise cards?
The RBI has permitted card issuers to act as TSPs, offering tokenisation services only for cards issued by or affiliated to them. “The ability to tokenise and de-tokenise card data will be with the same TSP. Tokenisation of card data will be done with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by the card issuer,” the RBI said.
Normally, in a tokenised card transaction, the stakeholders involved are the merchant, the merchant’s acquirer, the card payment network, the token requestor, the issuer and the customer. Registration for a tokenisation request is done only with explicit customer consent through AFA, and not by way of a forced, default or automatic…
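The flow described under “How does tokenisation work?” and “Who can tokenise cards?” can be simulated end to end: the issuer performs AFA, the card network acting as TSP mints a token bound to (card, token requestor, device) and is the only party able to detokenise it, and the merchant stores the token alone. The code below is an added illustration written for this page, not the RBI’s, Visa’s or Mastercard’s actual interfaces; the class names, the test PAN 4111111111111111, the OTP mechanism and the merchant, network and device names are all constructed for the example.

```python
"""Simulated tokenised card-on-file flow: token requestor -> card network (TSP) -> issuer.
Constructed illustration only; no real network or RBI interface is modelled."""
import secrets


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string (the checksum real card numbers carry)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


class Issuer:
    """Card issuer: holds the real PANs and performs Additional Factor of Authentication (AFA)."""
    def __init__(self, name, pans):
        self.name, self._pans, self._pending_otp = name, set(pans), {}

    def has_card(self, pan):
        return pan in self._pans

    def send_afa_challenge(self, pan):
        otp = f"{secrets.randbelow(10**6):06d}"     # constructed stand-in for an SMS OTP
        self._pending_otp[pan] = otp
        return otp

    def validate_afa(self, pan, otp):
        return self._pending_otp.pop(pan, None) == otp  # single use: a replayed OTP fails

    def authorise(self, pan, amount):
        return self.has_card(pan) and amount > 0


class TokenServiceProvider:
    """Card network acting as TSP: with the issuer, the only party that ever sees the PAN."""
    def __init__(self, name, issuers):
        self.name, self._issuers = name, list(issuers)
        self._vault = {}   # token -> (pan, requestor, device)
        self._index = {}   # (pan, requestor, device) -> token

    def _issuer_for(self, pan):
        return next((i for i in self._issuers if i.has_card(pan)), None)

    def _new_token(self, pan):
        while True:                                # 16-digit, Luhn-valid surrogate, distinct from the PAN
            body = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._vault:
                return token

    def tokenise(self, pan, requestor, device, otp):
        issuer = self._issuer_for(pan)
        if issuer is None or not issuer.validate_afa(pan, otp):
            raise PermissionError("issuer consent (AFA) failed; no token issued")
        key = (pan, requestor, device)
        if key not in self._index:                 # one token per (card, requestor, device)
            self._index[key] = self._new_token(pan)
            self._vault[self._index[key]] = key
        return self._index[key]

    def detokenise(self, token, requestor, device):
        rec = self._vault.get(token)
        if rec is None or rec[1] != requestor or rec[2] != device:
            return None                            # token presented outside its binding is useless
        return rec[0]

    def authorise(self, token, requestor, device, amount):
        pan = self.detokenise(token, requestor, device)
        return pan is not None and self._issuer_for(pan).authorise(pan, amount)


class Merchant:
    """Token requestor / CoF merchant: stores only tokens, never the PAN."""
    def __init__(self, name, network):
        self.name, self.network, self.cards_on_file = name, network, {}

    def save_card(self, customer, pan, device, otp):
        self.cards_on_file[customer] = self.network.tokenise(pan, self.name, device, otp)
        return self.cards_on_file[customer]

    def charge(self, customer, device, amount):
        return self.network.authorise(self.cards_on_file[customer], self.name, device, amount)


def demo():
    """Run the flow and return the checks a reader would want to see."""
    pan = "4111111111111111"                       # constructed test PAN (Luhn-valid), not a real card
    issuer = Issuer("IssuerBank", {pan})
    network, other_network = TokenServiceProvider("NetworkA", [issuer]), TokenServiceProvider("NetworkB", [issuer])
    shop = Merchant("ShopA", network)
    otp = issuer.send_afa_challenge(pan)           # AFA: issuer challenges the cardholder
    token = shop.save_card("cust-1", pan, "phone-1", otp)
    results = {
        "token_is_not_pan": token != pan,
        "merchant_holds_no_pan": pan not in shop.cards_on_file.values(),
        "charge_ok": shop.charge("cust-1", "phone-1", 499),
        "stolen_token_other_merchant": network.detokenise(token, "ShopB", "phone-1"),
        "stolen_token_other_device": network.detokenise(token, "ShopA", "phone-2"),
        "other_tsp": other_network.detokenise(token, "ShopA", "phone-1"),
    }
    try:                                           # replaying the spent OTP must not mint a token
        network.tokenise(pan, "ShopA", "phone-2", otp)
        results["otp_replay_rejected"] = False
    except PermissionError:
        results["otp_replay_rejected"] = True
    otp2 = issuer.send_afa_challenge(pan)
    results["same_key_same_token"] = network.tokenise(pan, "ShopA", "phone-1", otp2) == token
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the simulation is where the PAN lives: only `Issuer` and `TokenServiceProvider` hold it, the merchant’s card-on-file store contains a surrogate that a second network or a second merchant cannot detokenise, and no token is minted without a fresh issuer AFA.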