From July 30 this year, all credit and debit card details that have been saved on various merchant websites will be deleted as per the RBI mandate. This move is targeted at mitigating risks related to data theft or loss. Once this move is implemented, card users will have to enter complete card details every time that they want to make a payment. Alternatively, they can opt for tokenization. So, what is tokenization and how does it work?
Here is all you need to know about tokenization and how it will impact you.
What is tokenization?
- Tokenization relates to digital transactions.
- It is a process that replaces the storage of card details with a token, which is a unique combination of card, device, token requestor, etc.
The credit card tokens that will be created as part of the tokenization process will help in protecting sensitive information of customers. This is because it will substitute the data with a series of algorithmically generated numbers and letters. Merchants and payment gateways will not be allowed access to this data. The data can only be accessed by the issuer and network provider for maximum safety.
In September 2021, the RBI announced the prohibition on merchants storing customer card information on servers to come into effect from January 01, 2022. As an alternative to saving card data, the central bank asked merchants to adopt card-on-file (CoF) tokenization.
However, the implementation of these norms has been pushed out by six months to come into effect from June 30, 2022.
How will tokenization ensure security of online transactions?
In today’s digital age, sensitive information such as credit card number, account number, user address, etc. can be stolen online and misused further. By adopting tokenization, merchants will be able to move data across networks without compromising on the safety of sensitive customer information.
Categories of transactions that will be covered under tokenization
Tokenization will apply to:
- all ‘Card Not Present’ transactions, or
- online transactions.
This can be implemented as per customer consent received by the merchant. Once implemented, it has to be validated using an additional factor of authentication. The bank and card network that implement the tokenization on behalf of the customer can also de-tokenize the details upon receiving customer requests.
How does tokenization work?
Let’s understand the functionality of tokenization:
- When a bank and card network receive a request for debit through a payment gateway, an approval will be given as per the inputs provided by the customer on the merchant site.
- Instead of the card on file (CoF) or saving of card details, a token is used for completing a transaction.
- The token is replaced with card data at the back-end for a successful transaction.
- The token in this case will be specific to a consumer, merchant, and card combination. Since it is unique, it cannot be used for any other purposes.
Although tokenization was planned to be part of a device-based framework, it will be further extended to include consumer devices like desktops, laptops, wearables and Internet of Things (IoT) devices.
If a user uses his/her card on a laptop, the token will be specific to that laptop. If used on another device, the token will not be useful. Thus, since CoF data does not work on another device, the user will have to enter the data again. This ensures security of transactions. Tokenization may also allow device binding, which will let customers use the same token across multiple devices.
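Added example (not from the RBI framework or any card network's code): a toy Python model of the flow described above, in which a hypothetical TokenVault stands in for the bank and card network, the merchant keeps only the token on file, and a token presented by a different merchant or device is declined. The class and method names, the merchant and device identifiers, the card number and the strict card + merchant + device binding are assumptions made for illustration.

```python
import secrets

class TokenVault:
    """Toy model of the issuer / card-network side. Only it maps tokens to cards."""

    def __init__(self):
        self._by_token = {}     # token -> (card_number, merchant_id, device_id)
        self._by_binding = {}   # (card_number, merchant_id, device_id) -> token

    def tokenize(self, card_number, merchant_id, device_id):
        """Issue (or re-issue) the token for one card + merchant + device combination."""
        binding = (card_number, merchant_id, device_id)
        if binding not in self._by_binding:
            # Random surrogate: numbers and letters with no mathematical link to the card.
            token = "tok_" + secrets.token_hex(12)
            self._by_binding[binding] = token
            self._by_token[token] = binding
        return self._by_binding[binding]

    def authorize(self, token, merchant_id, device_id, amount):
        """Back-end step: swap the token for card data, but only inside its binding."""
        binding = self._by_token.get(token)
        if binding is None:
            return "DECLINED: unknown token"
        card_number, bound_merchant, bound_device = binding
        if (merchant_id, device_id) != (bound_merchant, bound_device):
            return "DECLINED: token used outside its merchant/device binding"
        # The real card number is used only here and is never handed to the merchant.
        return f"APPROVED: {amount} charged to card ending {card_number[-4:]}"

def demo():
    vault = TokenVault()
    card = "4111111111111111"          # constructed test number, not a real card
    shop_db = {}                        # everything merchant "shop-a" keeps on file
    shop_db["alice"] = vault.tokenize(card, "shop-a", "alice-phone")
    other = vault.tokenize(card, "shop-b", "alice-phone")

    return {
        "merchant_stores_card": card in shop_db.values(),
        "tokens_differ_per_merchant": shop_db["alice"] != other,
        "normal": vault.authorize(shop_db["alice"], "shop-a", "alice-phone", 499),
        "other_merchant": vault.authorize(shop_db["alice"], "shop-b", "alice-phone", 499),
        "other_device": vault.authorize(shop_db["alice"], "shop-a", "laptop", 499),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A copy of the merchant's stored data contains only the token, which the vault declines anywhere outside the merchant and device it was issued for.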
How will customers be impacted by tokenization?
In the current scenario, online shopping requires buyers to save their card data on many merchant websites. Thus, while buying from the same merchant site the next time, customers can save time and hassle in the payment process as they can simply select the card, provide the card’s CVV number and further authenticate the transaction using a one-time password.
Once tokenization comes into effect, a customer will have to go through a one-time process of tokenization, after which all subsequent transactions will be easier. The process is going to be very simple and involve the usage of a token. Apart from ease of transactions, it will ensure that customer data remains safe and cannot be accessed from merchant sites.
How can a customer opt for tokenization?
Once tokenization comes into effect from June 30, some of the common steps that will have to be followed for adopting the same are:
- Customers can get their card tokenized by making a request on the website or app that they want to use for making purchases.
- The merchant will then forward the customer request to the partner bank or card issuing bank.
- The token issuer will then issue a token that is based on the unique combination of card number, merchant, and the token requestor.
Factors to look out for in tokenization
Since the RBI announced tokenization, it has not gained traction with merchants across the nation. Very few have explicitly shown interest in tokenizing cards.
Since this will be a first in the country, customers must also expect some level of inconvenience in re-registering credit or debit card details. However, since it will be a one-time process and more clarity may follow as the implementation date comes closer, experts do not expect the purchase process to be significantly impacted.
Although most of the country’s leading banks like ICICI, SBI, HDFC, etc. have shown preparedness to shift to tokenization, most merchants have shown resistance. Their argument is that the necessary infrastructure is currently not present to adopt the new regime. This is the reason why RBI pushed out the implementation date of tokenization to June 30th 2022. It is now a wait and watch game to see whether the acceptance and actioning of the same will go as expected.
From a customer perspective, the process of tokenization will not involve any charges.
Tokenization of card transactions will involve the token requestor, merchant, card payment network, issuer and customer.
No, tokenization will not be mandatory for card users since they can choose whether to opt for it or not. (Source: RBI)
No, there will be no limit on the number of devices that a customer can use tokenization on. In the initial stages of its implementation, however, it will only be available through mobiles and tablets.
Post implementation, customers can address any of their tokenization specific queries to relevant card issuers.