MC Explains: How tokenisation makes your credit and debit cards safer

Tokenisation replaces a debit or credit card’s 16-digit number with a unique token that is specific to just your card and specific for one merchant at a time. The token masks the true details of your card, so in case there is a data leak from the merchant website, the fraudster cannot misuse the card.

October 06, 2023 / 13:20 IST
Tokenisation of cards

CVV-free payments allow customers to experience faster, smoother, and more convenient checkouts for tokenised cards on major networks such as Visa, Mastercard, RuPay, and Amex.

In 2022, the Reserve Bank of India (RBI) directed payment aggregators, wallets and online merchants not to store any sensitive card related customer information, including full card details. The 16-digit card numbers got replaced with a ‘token’. The only way that one could conveniently make a card payment repeatedly was through a new process called ‘tokenisation’.

“Transactions using cards will remain unaffected by the card tokenisation process,” Reeju Datta, co-founder at Cashfree Payments had said. "It will make transactions more secure", he added.

“As a customer, you don’t need to remember the details of a token. The end-customer experience is not changing while making payments,” said Jagdish Kumar, senior vice president of Products and Solutions at Worldline India.

Here is a primer:

What is tokenisation of cards?

Until now, whenever you bought things from e-commerce websites or booked train or flight tickets through a travel website, you had to save your debit or credit card details for ease in future transactions. You would only enter the three-digit CVV number and check out of the payment transaction within seconds. But saving card details in the current form is risky. There are instances of popular websites getting hacked by fraudsters, who then harvest the saved card data.

The tokenisation rule comes into effect from October 1

Tokenisation replaces a debit or credit card’s 16-digit number with a unique token that is specific to just your card and specific for one merchant at a time. The token masks the true details of your card, so in case there is a data leak from the merchant website, the fraudster cannot misuse the card.

“Tokenization not only aids in making the payment transaction experience more secure for the end user but also aids merchants in delivering a consistent user experience and higher transaction approval rates with speed and security,” said Tanya Naik, Head of Omnichannel, Pine Labs.

Tokens can be used for online transactions, mobile point-of-sale transactions, or in-app transactions. A token contains no personal information that can be accessed and keeps changing, making it the most secure method to complete payments. You do not need your card’s token when you present your card at a physical shop at the check-out counter.

“Digital transactions are growing significantly and require safety. In the past there have been instances of data leaks from merchant websites. So, this is a precautionary step by the regulator to enhance card data security,” says Datta.

Is tokenisation mandatory?

The tokenisation rule that came into effect on October 1, 2022, prohibited all merchant websites from saving card numbers, CVV or expiry date on their servers for processing online transactions. Card users would either make a token before buying an item on the shopping website and save that token on the particular website (for future use) or create a token and save it (for future use) at the time of payment after shopping.

However, the debit and credit card tokenisation process is not mandatory, and customers can choose whether to let their cards get tokenised on a merchant’s website. A customer who chooses not to will have to re-enter the card details afresh for each transaction, including the 16-digit card number, expiry date and card verification value (CVV), while purchasing anything online.

Either way, your card details will not be stored on websites such as Flipkart, Amazon, Myntra and so on. You can either choose to get your card tokenised and store the token or enter your card details every time you buy something online. RBI has stated the process will add a new layer of security for card users.

How can I tokenise my card with an online merchant?

While making a payment on an online merchant website or mobile app, enter your card details and opt for tokenisation. Your merchant forwards your request to the respective bank or card network (Visa, RuPay, Mastercard, etc). You should opt for tokenisation of cards only if that website is used regularly and you want to avoid the hassle of entering the card details each time.

A token will then get generated and sent back to your merchant, who saves it. Now, the next time you come back to shop, just select this saved token at check-out time. You will see the same masked card details and last four digits of your card number. You will need to enter your CVV and complete the transaction.

Tokenisation is not mandatory, but it makes it easier to shop repeatedly.

Implementation and key challenges

Rohit Kumar, Founding Partner of TQH Consulting says, "Overall, the ecosystem seems to be more ready than before for tokenisation. While we are still seeing some payment failures in test runs, the main concern that remains is recurring payments. Many merchants worry that we’ll see a repeat of the Oct 2021 e-mandate; recurring payments will fail and customers will have to re-enter their card details every month. Not only will this lead to inconvenience for customers, it will also hit revenue for merchants."

He adds that a key concern is also the lack of authoritative information on readiness in the public domain. The RBI seems to be seeking regular updates from different players in the payments chain. It will help if it can release a status report at the earliest. This will build confidence that the forthcoming transition will be smooth.

“With implementation of tokenisation, we expect challenges in processing of purchases made through equated monthly instalments (EMIs), processing cashbacks and rewards to customers in the absence of card data,” says a spokesperson from an e-commerce website requesting anonymity.

Can a token on one merchant be used for another?

No, a token registered on one merchant cannot be used on another merchant. Each merchant will have a unique token associated with every card saved. For instance, if you have an HDFC Bank credit card tokenised on Flipkart, the same card will have a different token on Amazon.

Essentially, your card will have multiple tokens, based on the number of merchants you tokenise your card with.

How can I delete or manage the tokens generated?

If you want to remove a token you saved on a merchant website, you can delete that token on the merchant’s website or app and delete the card associated with the token from your payment preferences.

Alternatively, banks also provide help in deleting tokens. For instance, SBI card customers can call a helpline to request deletion.

Harshil Mathur, CEO and Co-Founder of Razorpay, says that a card issuing bank will now provide a dedicated portal (on its own website) to manage tokenised cards. Your dashboard will now show you a list of your cards and where (merchants) you have tokenised them.

From this dashboard you can delete the tokenised cards from websites you do not use frequently.

Is the tokenisation service free?

Yes, tokenisation of cards is absolutely free, and can be availed by anyone. Currently, tokenisation is applicable only to domestic cards. This guideline does not cover international cards. You can request tokenisation on any number of cards to perform a transaction.

What will happen to a token once a card is replaced or renewed or reissued or upgraded?

You need to revisit the merchant page and create a fresh token. That is because your new card (credit or debit) will come with a new number and CVV.
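
The rules described in the sections above (one token per card per merchant, deleting a token, and fresh tokens after a card is replaced) can be modelled in a few lines. This is an added illustration, not code from the article or from any bank or card network; the `TokenVault` class, the merchant names and the card number are constructed for the example, and it only sketches the behaviour, not how a real token service is built.

```python
import secrets

class TokenVault:
    """Simplified stand-in for the token service at a bank or card network."""

    def __init__(self):
        self._tokens = {}  # token -> (card number, merchant it was issued to)

    def tokenise(self, pan, merchant_id):
        # The token is random, not derived from the card number, so a leak
        # of the merchant's saved tokens reveals nothing about the card.
        token = secrets.token_hex(8)
        self._tokens[token] = (pan, merchant_id)
        return token

    def masked(self, token):
        # What the merchant can show at checkout: the last four digits only.
        pan, _ = self._tokens[token]
        return "XXXX XXXX XXXX " + pan[-4:]

    def detokenise(self, token, merchant_id):
        # Only the vault can map a token back to a card, and only for the
        # merchant the token was issued to.
        entry = self._tokens.get(token)
        if entry is None or entry[1] != merchant_id:
            return None
        return entry[0]

    def delete(self, token):
        # The cardholder removes a saved card at the merchant or via the bank.
        self._tokens.pop(token, None)

    def card_replaced(self, old_pan):
        # A reissued card has a new number, so its old tokens stop working.
        for token in [t for t, (p, _) in self._tokens.items() if p == old_pan]:
            del self._tokens[token]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    t_a = vault.tokenise(pan, "merchant-a")
    t_b = vault.tokenise(pan, "merchant-b")
    leaked = vault.detokenise(t_a, "merchant-b")  # token from A presented at B
    normal = vault.detokenise(t_a, "merchant-a")
    vault.card_replaced(pan)
    after = vault.detokenise(t_b, "merchant-b")   # old token after reissue
    return t_a != t_b, leaked, normal, after
```
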

Hiral Thanawala
Hiral Thanawala is a personal finance journalist with 9 years of reporting experience. Based in Mumbai, he covers financial planning, banking and fintech segments from personal finance team for Moneycontrol.
first published: Jun 23, 2022 12:05 pm
