ETV Bharat / bharat

RBI tokenization regulations and how they will affect you


Published : Sep 29, 2022, 7:20 PM IST

In a bid to make online card transactions more secure, the Reserve Bank of India is encouraging consumers to tokenize their cards. The central bank has directed payment aggregators, wallets, and online merchants not to store any sensitive card-related consumer data.


Hyderabad: When you buy something online, you share your credit card or debit card information with the e-commerce platform. This highly sensitive data, which is now stored by the platform, is vulnerable to data theft or leakage. In an effort to make card transactions more secure, India’s central bank, the Reserve Bank of India, has been encouraging cardholders to tokenize their cards.

Simply put, tokenization is the process of substitution. It replaces sensitive data with unique identification numbers that retain all the essential information about the data without compromising its security.

RBI Tokenization Regulations

The Reserve Bank of India (RBI) issued a notification in September 2021. According to it, from June 30, 2022, no entity in the card transaction or payment chain other than the card issuers and card networks can store card data. From June 30, 2022, onwards, payment aggregators (such as Stripe) have to use network tokens for payment processing instead of the actual credit or debit card number. The goal of this regulation is to prevent online fraud by keeping customers' critical financial information secure from card data breaches and restricting malicious actors from stealing funds from individuals and organizations.

What is tokenization?

Tokenisation is replacing the debit or credit card details with a token issued by the operating bank. That means that, when paying for something online, a user will no longer punch in the 16 digits engraved on his or her card. The banks will issue a non-sensitive equivalent token for the transactions. With this, customers' card information will no longer be available on any merchant, payment gateway, or third-party platform. The process will also mask names on the card, expiry dates, and CVV codes.

What are the new guidelines by the RBI?

  • Payment aggregators (such as Stripe) have to use network tokens to refer to the card details and process payments instead of the actual credit or debit card number.
  • Collect cardholder consent to store the card details and use them for recurring payments.
  • Perform 3D Secure authentication and other RBI e-mandate-related requirements before saving the card details.
  • Give the customers an option to delete their tokens from their merchant platform.

How would it work?

From October 1, the tokens generated for transactions will be irreversible and unique. With this, no one can breach the security layers and decode the payment process to procure card details.

As per RBI, the new system will bring down the number of chargebacks, disputes, and fraud, and would help the consumers, merchants, and banks.

Are the customer card details safe after tokenisation?

Actual card data, tokens, and other relevant details are stored in a secure mode by authorized card networks. A token requestor cannot store the Primary Account Number (PAN), i.e., the card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conforms to international best practices and globally accepted standards.
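The split of responsibilities described above, as an added illustration that is not part of the original article and not any card network's real interface: the card network keeps the PAN-to-token mapping, while the merchant (the token requestor) keeps only a random token and the last four digits. The class and method names, the merchant IDs and the rule that a token works only for the merchant it was issued to are assumptions made for this sketch.

```python
import secrets


class CardNetworkVault:
    """Toy model of the token vault held by the card network (hypothetical names)."""

    def __init__(self):
        self._vault = {}  # token -> (PAN, merchant_id); never leaves the network

    def tokenize(self, pan, merchant_id, otp_verified):
        # A token is issued only after the cardholder passes the OTP step.
        if not otp_verified:
            raise PermissionError("cardholder authentication (OTP) required")
        # Random value: nothing about the PAN can be derived from the token.
        token = secrets.token_hex(8)
        self._vault[token] = (pan, merchant_id)
        # The merchant receives only the token and the last four digits.
        return {"token": token, "last4": pan[-4:]}

    def authorize(self, token, merchant_id):
        # Assumption: a token is honoured only for the merchant it was issued to.
        entry = self._vault.get(token)
        return entry is not None and entry[1] == merchant_id

    def delete_token(self, token, merchant_id):
        # Customer-requested deletion from the merchant platform.
        if self.authorize(token, merchant_id):
            del self._vault[token]
            return True
        return False


def demo():
    pan = "4111111111111111"  # constructed test card number, not a real card
    network = CardNetworkVault()
    saved = network.tokenize(pan, "shop-a", otp_verified=True)
    again = network.tokenize(pan, "shop-b", otp_verified=True)
    return {
        "merchant_record_has_pan": pan in str(saved),
        "last4": saved["last4"],
        "tokens_differ": saved["token"] != again["token"],
        "own_merchant_ok": network.authorize(saved["token"], "shop-a"),
        "other_merchant_ok": network.authorize(saved["token"], "shop-b"),
        "deleted": network.delete_token(saved["token"], "shop-a"),
        "after_delete_ok": network.authorize(saved["token"], "shop-a"),
    }


if __name__ == "__main__":
    print(demo())
```

A breach of the merchant's database in this model exposes only tokens and last-four digits, and a token copied to another merchant or used after deletion is refused.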

Why is the RBI switching to tokenisation?

As we mentioned, card details and user data are often stored on payment or merchant gateways. It is this data storage on websites that could make the customer's data vulnerable to online phishing and fraud.

Tokenisation is considered to be a safer alternative, as the actual card details are not available to a merchant during a transaction. The customer's card details are only stored with the bank and the authorized card network.

Debit and credit card holders: Steps to tokenise

  • Visit an e-commerce website to purchase products.
  • Select the preferred card option as the payment method.
  • Enter all the required details carefully.
  • Tap on the option that states 'secure your card as per RBI guidelines' on the website to generate a token and store it according to the RBI guidelines.
  • You will receive a one-time password (OTP).
  • Enter the OTP on the bank page, and the card details will be sent for token generation and transaction authorization.
  • The token will be sent to the merchant, who will save it in place of the personal card details.
  • The next time you visit the same e-commerce platform or merchant website, the last four digits of the saved card will be displayed. This indicates that the debit card or credit card has been tokenized.

A customer can choose whether or not to let his / her card be tokenized. Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction.

Is it mandatory to tokenize your cards?

  • No, as of August 01, the government has not made it mandatory for consumers to adopt tokenization.
  • Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction.
  • As per RBI’s directive, by September 30, 2022, all stakeholders are advised to be ready for handling tokenized transactions, implement alternate mechanisms and create public awareness about the process of creating tokens and using them to undertake transactions.
