Moneycontrol PRO

Explained: How tokenisation, which kicks off on July 1, will make your credit and debit cards safer

Stolen credit and debit card details stored on shopping portals can result in misuse of cards. That changes when India implements card tokenisation on July 1

June 23, 2022 / 12:05 PM IST

Come July 1, online shopping using your credit and debit cards will become safer.

The Reserve Bank of India (RBI) has directed payment aggregators, wallets and online merchants not to store any sensitive card related customer information, including full card details. The 16-digit card numbers will get replaced with a ‘token’. The only way that you can conveniently make a card payment repeatedly is through a new process called ‘tokenisation’.

“Transactions using cards will remain unaffected by the card tokenisation process,” says Reeju Datta, Co-founder at Cashfree Payments. It will make transactions more secure, he adds.

“As a customer, you don’t need to remember the details of a token. The end-customer experience is not changing while making payments,” says Jagdish Kumar, VP Products and Solutions, Digital Commerce, at Worldline India.

Here is a primer:


What is tokenisation of cards?

Until now, whenever you bought things from e-commerce websites or booked train or flight tickets through a travel website you had to save your debit or credit card details for ease in future transactions. You would only enter the three digit CVV number and checkout of the payment transaction within seconds. But saving card details in the current form is risky. There are instances of popular websites getting hacked by fraudsters and harvesting the saved card data.

Now, tokenisation will replace a debit or credit card’s 16-digit number with a unique token that is specific to just your card and specific for one merchant at a time. The token masks the true details of your card, so in case there is a data leak from the merchant website, the fraudster cannot misuse the card.

Tokens can be used for online transactions, mobile point-of-sale transactions, or in-app transactions. A token contains no personal information that can be accessed and keeps changing, making it the most secure method to complete payments. You do not need your card’s token when you present your card at a physical shop at the check-out counter.

“Digital transactions are growing significantly and require safety. In the past there have been instances of data leaks from merchant websites. So, this is a precautionary step by the regulator to enhance card data security,” says Datta.


Is tokenisation mandatory?

The tokenisation rule that comes into effect July 1 prohibits all merchant websites from saving your card numbers, CVV or expiry date on their server for processing online transactions. Card users should either make a token before buying an item on the shopping website and save that token on the particular website (for future use) or create a token and save (for future use) at the time of payment after shopping.

However, the debit and credit card tokenisation process is not mandatory and customers can choose whether to let their cards get tokenised on a merchant’s website. In that case, a customer will have to re-enter the card details afresh for each transaction, including the 16-digit card number, expiry date and card verification value (CVV) while purchasing anything online.

Either way, your card details will not be stored on websites such as Flipkart, Amazon, Myntra and so on. You can either choose to get your card tokenised and store the token or enter your card details every time you buy something online.

The countrywide adoption of card tokenisation was extended by six months from January 1 to July 1, 2022 by the RBI to ensure a smooth transition from the current process. On June 8, following the monetary policy committee meeting, RBI Deputy Governor T Rabi Sankar said in a press conference that the payments ecosystem is “by and large prepared” to implement tokenisation for card-based transactions ahead of the June 30 deadline for new norms.

How can I tokenise my card with an online Merchant?

While making a payment on an online merchant website or mobile app, enter your card details and opt for tokenisation. Your merchant forwards it to the respective bank or card network (VISA, Rupay, Mastercard, etc). You should opt for tokenisation of cards only if that website is used regularly and you want to avoid the hassle of entering the card details each time.

A token will then get generated and sent back to your merchant, who saves it. Now, the next time you come back to shop, just select this saved token at check-out time. You will see the same masked card details and last four digits of your card number. You will need to enter your CVV and complete the transaction.

Tokenisation is not mandatory, but it makes it easier to shop repeatedly.

Implementation and key challenges

RBI Deputy Governor Sankar said all card networks, including Visa, RuPay and Mastercard, are offering tokenisation and have created 16 crore tokens until now. Some merchants, including Swiggy, Cred, Uber, MakeMyTrip, etc. have gone live, and are allowing customers to tokenise their cards. Several leading e-commerce websites are in the final stages of integrating the tokenisation process and are expected to start tokenising cards soon.

“With implementation of tokenisation, we expect challenges in processing of purchases made through equated monthly instalments (EMIs), processing cashbacks and rewards to customers in the absence of card data,” says a spokesperson from an e-commerce website requesting anonymity.

On these new challenges, RBI Deputy Governor Sankar said: “The ecosystem is working on a few collateral issues that have come to the RBI's notice, which we will adjust as we go. There are new issues that crop up every time you shift a regime.”

Can a token on one merchant be used for another?

No, a token registered on one merchant cannot be used on another merchant. Each merchant will have a unique token associated with every card saved. For instance, if you have an HDFC Bank credit card tokenised on Flipkart, the same card will have a different token on Amazon.

Essentially, your card will have multiple tokens, based on the number of merchants you tokenise your card with.

How can I delete or manage the tokens generated?

If you want to remove a token you save on a merchant website, you can delete that token on the merchant’s website or app and delete the card associated with the token from your payment preferences.

Alternatively, banks also provide help in deleting tokens. For instance, SBI card customers can call on a helpline to request for deletion.

Harshil Mathur, CEO and Co-Founder of Razorpay, says that a card issuing bank will now provide a dedicated portal (on its own website) to manage tokenised cards. Your dashboard will now show you a list of your cards and where (merchants) you have tokenised them.

From this dashboard you can delete the tokenised cards from websites you do not use frequently.

Is the tokenisation service free?

Yes, tokenisation of cards is absolutely free, and can be availed by anyone. Currently, tokenisation is applicable only to domestic cards. This guideline does not cover international cards. You can request for tokenisation on any number of cards to perform a transaction.

What will happen to a token once a card is replaced or renewed or reissued or upgraded?

You need to revisit the merchant page and create a fresh token. That is because your new card (credit or debit) will come with a new number and CVV.
Hiral Thanawala is a personal finance journalist with 9 years of reporting experience. Based in Mumbai, he covers financial planning, banking and fintech segments from personal finance team for Moneycontrol.
first published: Jun 23, 2022 12:05 pm
ISO 27001 - BSI Assurance Mark