The increasing risk of cybercrime, phishing and similar threats leaves people uneasy about risking their finances when using debit and credit cards. Many merchants and e-commerce platforms force customers to store debit or credit card details, which increases the risk of card data being stolen. To curb this kind of cyber fraud, the Reserve Bank of India (RBI) is allowing tokenisation of cards for payments.
What is Tokenisation?
Tokenisation refers to the replacement of card details with an alternative code called a ‘token’, which is unique for a combination of card, token requestor and device. The token requestor is the entity that accepts a request from the customer for tokenisation of a card and passes it on to the card network to issue a token. The token is used to perform contactless card transactions at point-of-sale (POS) terminals and QR code payments. The RBI extended device-based tokenisation to the card-on-file tokenisation (COFT) service, which changes the traditional card transaction system by preventing merchants from storing actual card data. No charges should be recovered from the customer for availing this service, says the RBI in its recent notification.
How does Tokenisation Work?
According to the RBI, any cardholder who wants to get a card tokenised has to make a request on the app provided by the token requestor. The token requestor forwards the cardholder's request to the card network, which, with the consent of the card issuer, issues a token corresponding to the combination of the card, the token requestor, and the device. Tokenisation has been allowed through mobile phones and tablets for all use cases and channels, such as contactless and card transactions, payments through QR codes and apps.
Companies like Visa and MasterCard generate the tokens and act as Token Service Providers (TSPs). They provide the tokens to mobile payment or e-commerce platforms so that they can be used during transactions instead of the customer’s credit or debit card details.
A token is a safeguard for payments made through mobile wallets and in physical or online stores like Amazon. When card users enter their card details into a virtual wallet like Google Pay or PhonePe, these platforms ask one of these TSPs for a token. The TSP first verifies the data with the customer’s bank and, after verification, generates a unique code which it sends to the user’s device. This unique code remains irreversibly linked to the customer’s device and cannot be replaced. Therefore, each time a customer uses his or her device to make a payment, the platform can authorise the transaction by sharing the token without disclosing the customer’s true data.
Who can Tokenise cards?
The RBI has permitted card issuers to act as TSPs. The list of card networks authorised by the RBI to operate in India is available at the link https://m= rbi.org in//scripts /publicationsview.apx): 12043.
The permitted TSPs will offer tokenisation services only for cards issued by or affiliated to them. The RBI said, “The ability to tokenise and de-tokenise card data will be with the same TSPs. Tokenisation of card data will be done with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by the card issuer.”
In tokenised card transactions, the merchant, the merchant’s acquirer, the card payment network, the token requestor, the issuer, and the customer are involved. Registration for a tokenisation request is done only with customer consent through AFA, and not by way of any force. Customers will also be given the choice of selecting the use case and setting up limits. Customers can set and modify per-transaction and daily transaction limits for tokenised card transactions.
What happens after Tokenisation?
The token requestor cannot store the card number or any other card details. However, for transaction tracking and reconciliation, entities can store limited data (the last four digits of the actual card number and the card issuer’s name) in compliance with applicable standards.
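The flow described in the sections above can be modelled in a few lines. This is an added example, not code from the RBI or any card network: `ToyTSP`, `merchant_record`, the hex token format and the test card number are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class ToyTSP:
    """Constructed model of a token service provider's vault (not a real TSP API)."""
    issuer_name: str
    _by_binding: dict = field(default_factory=dict)  # (pan, requestor, device) -> token
    _by_token: dict = field(default_factory=dict)    # token -> (pan, requestor, device)

    def tokenise(self, pan, requestor, device, afa_validated):
        # Tokenisation needs explicit customer consent validated through AFA.
        if not afa_validated:
            raise PermissionError("AFA validation by the card issuer is required")
        binding = (pan, requestor, device)
        if binding not in self._by_binding:
            # Random surrogate: the token carries no information about the card number.
            token = secrets.token_hex(8)
            self._by_binding[binding] = token
            self._by_token[token] = binding
        return self._by_binding[binding]

    def authorise(self, token, requestor, device):
        # The token is resolved only inside the TSP; the card number is never returned.
        binding = self._by_token.get(token)
        return binding is not None and binding[1:] == (requestor, device)

    def deregister(self, token):
        # Customer de-registers the card: the mapping is dropped and the token stops working.
        binding = self._by_token.pop(token, None)
        if binding is not None:
            del self._by_binding[binding]
        return binding is not None

def merchant_record(pan, issuer_name, token):
    # What a token requestor may keep: the token, the last four digits, the issuer's name.
    return {"token": token, "last4": pan[-4:], "issuer": issuer_name}

if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number, not a real card
    tsp = ToyTSP("Example Bank")
    token = tsp.tokenise(pan, "wallet-a", "phone-1", afa_validated=True)
    print(merchant_record(pan, tsp.issuer_name, token))
    print(tsp.authorise(token, "wallet-a", "phone-1"))  # bound device
    print(tsp.authorise(token, "wallet-a", "phone-2"))  # different device
```

A token copied from one requestor or device fails authorisation elsewhere, and a breach of the merchant's records exposes only the token, the last four digits and the issuer's name.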
Reason behind RBI’s move for Tokenisation
The first and foremost reason is to safeguard customers’ data during online card transactions, where some merchants force their customers to store card details. Availability of such details with a large number of merchants can increase the risk of card data being stolen. Stolen data can be used to perpetrate frauds. Hence, the RBI took this step to safeguard debit and credit card details.
With effect from January 1, 2022, no entity in the card transaction or payment chain, other than the card issuers and card networks, can store the actual card data. Earlier, the RBI had barred storage of data in March 2020, but extended the deadline to December 31, 2021. Any such data stored previously will be purged, the RBI said in the circular.
Those who want to return to the traditional method of transaction and payment can revert to using actual card details; this is known as de-tokenisation.
Tokenisation and de-tokenisation are not mandatory for any customer. Customers can use these services at any point of time after making an initial tokenisation request, for any number of cards. Customers have the option to register/de-register their card for a particular use case, i.e., contactless, QR code based, in-app payments, etc. A customer can request tokenisation of his/her card on any number of devices. However, as of now, this facility shall be offered through mobile phones/tablets only.
The circular issued by RBI on tokenisation is available on the RBI website at the path https://www.rbi.org.in/scripts/FS_Notification.aspx?Id=11449&fn=9&Mode=0