RBI's Card Tokenisation Mandate: 5 Things You Need To Know
The new rules kick in from Jan 1, where users will either have to 'tokenise' their cards, or enter their details manually
According to guidelines of the Reserve Bank of India (RBI) that kick in from January 1, 2022, consumers will either have to 'tokenise' their credit and debit card details on the merchant websites that they transact with, or enter the card details manually every time they transact. These guidelines were issued in September by the RBI to improve transactional security.
As per these guidelines, card details cannot be stored on a third party merchant portal (like Flipkart, Amazon, Myntra, Swiggy, Zomato etc.), but only by the issuing authority (like a bank) and/or the card network (like Visa, RuPay, American Express and Mastercard). Once implemented, all existing card data on these merchant sites either need to be tokenised or deleted.
Prominent e-commerce websites and online stores that keep credit card information with them have already begun nudging their customers to tokenise their card details with them.
Though these guidelines will come into effect from January 1, 2022, some news reports suggest that the RBI is considering an extension for the same.
Here are 5 things you need to know about tokenisation, what it means and how to go about securing your card on these websites.
1. What is tokenisation?
Tokenisation is a way to secure card information that is stored on merchant websites.
Currently, for any online transaction through a debit or credit card, the following details are required:
- A 16 (or 15) digit credit card number
- An expiry date
- The name of the holder of the card
- The CVV number on the back
Under the new mandate, all these details will instead be stored as a 'token' of random digits. These tokens will be unique for a combination of the card details, the token requestor (which is the third-party app or device that processes payments) and the merchant, according to the RBI.
Therefore, a single card may have multiple tokens associated with it across multiple merchants.
It also must be noted that tokenisation is not automatic and needs the express consent of the concerned user.
"Registration of card on token requestor's app shall be done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc", say the RBI guidelines.
Should a consumer not choose to tokenise their details with a merchant, they will have to manually enter the above-mentioned details for every card transaction.
2. What changes will take place by this mandate?
As per the RBI's guidelines, nobody except issuers of cards and the card network can directly store card details.
"With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged", say the guidelines.
However, for compliance, transaction tracking or reconciliation, entities are permitted to store the last four digits of the card number.
3. How does tokenisation alter the data stored with the merchant?
At present, all the relevant credit card data is stored with the merchant. To complete a typical transaction using debit or credit cards, a user has to enter the CVV number, followed by a one-time password or additional password by the card network (Verified by Visa, Mastercard Secure etc.), which is called Additional-Factor-Of-Authentication (AFA).
Post tokenisation, only a token of such data will be stored by the merchant and will be shared with the card network at the time of transaction. The additional verification by the card network through AFA will still be applicable.
Once tokenised, the payment processes are not expected to be very different from the current user experience.
4. Where is tokenisation applicable?
Tokenisation needs to be done across merchants and devices. Initially, in 2019, when the concept of tokenisation was first spelt out, the RBI mandated tokenisation for transactions through mobile phone and tablet devices, but in August this year extended it for transactions through consumer devices like smart watches, laptops, desktops, all sorts of wearables and internet-of-things (IoT) devices.
This also means that consumers would have to tokenise their cards with the merchants that they choose individually.
Fresh tokenisation is also applicable to existing credit cards which will be potentially re-issued or renewed.
5. How can I tokenise my cards right now?
The tokenisation process depends on merchant readiness and is merchant-specific. Most merchants are laying out the instructions on how to tokenise cards on their website.
Some merchants like Swiggy, Zomato and Cred are conducting a transaction of a nominal amount (₹1 - ₹2) to secure the card, which they are immediately refunding. Such transactions need to be verified by AFA.
A merchant like Amazon is offering users the option to tokenise their cards mid-payment.
A "secure card" feature, or a feature with similar terminology, is being offered by merchants in the section of their app or website that has payment information for a user. Once secured, merchants are prominently displaying the fact that a particular card has been secured with them.
Users of credit or debit cards should directly consult the merchant concerned for tokenising their cards.
The RBI's guidelines on tokenisation can be found here.