The Reserve Bank of India (RBI) recently said no entity in the card transaction or payment chain, apart from the card issuers and card networks, will be allowed to store sensitive user data from January 1, 2022.
Instead, card data used in transactions will be converted to tokens.
What is tokenisation?
In the case of digital transactions, “tokenisation refers to replacement of actual card details with an alternative code called the ‘token’, which uniquely combines card, device, token requestor etc,” said Mandar Agashe, founder, vice-chairman, and managing director, Sarvatra Technologies.
Credit card tokens are created to protect sensitive data of customers by substituting it with a series of algorithmically generated numbers and letters.
“Merchants, payment gateways cannot have this data, only an issuer and a network provider are allowed now,” explained Sanjeev Moghe, executive vice-president and head of cards and payments at Axis Bank.
How will merchant sites work without card data?
Generally, this is how it works: When the bank and card network receive a debit request from a payment gateway, they approve based on the customer’s input on the merchant site.
Agashe explained that it is not the card on file (CoF), or saved card details, that is used to complete a transaction; a token is used instead.
At the back-end, the token will be replaced with card data, for the transaction to go through.
“You can’t just use the token anywhere. It is specific for that consumer, that merchant, and that card,” said Agashe.
How does this enhance the security of online transactions?
Information like a credit card number, address or account number can be easily misused if it falls into the wrong hands.
However, with tokenisation, merchants can move data between networks without actually exposing such information.
For what kind of transactions will tokenisation apply?
“Tokenisation will be available for all ‘Card Not Present’ transactions, or online transactions,” said Ravi Buttula, head of merchant acquiring solutions at Wibmo.
According to the RBI’s norms, tokenisation has to be done with customer consent, validated through an additional factor of authentication.
The same bank and card network can do the tokenisation, or even de-tokenise the details based on customer request.
What else has the RBI said?
The central bank has also permitted enhancements to the existing card tokenisation system.
The device-based tokenisation framework has been extended and will include consumer devices such as laptops, desktops, wearables (wrist watches, bands, etc.), and Internet of Things (IoT) devices.
“If you are using the card on a laptop, then tokenisation will be specific for that laptop. If you use it on another device, it will not work. In short, CoF data will not work on another device, the data will need to be entered again. This makes it very secure. In such a case you will have to do device binding,” said Agashe.
Device binding is linking the same token to multiple devices.
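To make the flow described above concrete (merchant keeps only a token, the issuer or network resolves it to the card number, and the token is tied to a specific merchant and device), here is an added illustrative model. It is not code from any bank, network or the RBI; the vault class, the merchant and device identifiers and the sample card number are all constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of an issuer/network-side token vault. The merchant
# never stores the card number (PAN) after tokenisation; it keeps only
# the token, which resolves to a PAN solely for the merchant and device
# it was issued to.

@dataclass(frozen=True)
class TokenRecord:
    pan: str          # real card number, held only inside the vault
    merchant_id: str  # merchant the token was issued for
    device_id: str    # device the token is bound to

class TokenVault:
    """Hypothetical token service run by the card issuer or network."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenise(self, pan: str, merchant_id: str, device_id: str, consent: bool) -> str:
        # RBI norms: tokenisation happens only with explicit customer consent.
        if not consent:
            raise PermissionError("customer consent required for tokenisation")
        # The token is a random value that carries no card digits at all.
        token = "tok_" + secrets.token_hex(8)
        self._records[token] = TokenRecord(pan, merchant_id, device_id)
        return token

    def detokenise(self, token: str, merchant_id: str, device_id: str) -> Optional[str]:
        # Resolve the token back to the PAN only for the bound merchant and device.
        rec = self._records.get(token)
        if rec is None or rec.merchant_id != merchant_id or rec.device_id != device_id:
            return None
        return rec.pan

    def delete_token(self, token: str) -> bool:
        # Customer-requested de-tokenisation: drop the mapping entirely.
        return self._records.pop(token, None) is not None

def merchant_checkout(vault: TokenVault, token: str, merchant_id: str, device_id: str) -> str:
    """The merchant forwards only the token; the vault resolves it or the payment is declined."""
    pan = vault.detokenise(token, merchant_id, device_id)
    return "approved" if pan else "declined"
```

A token copied to another merchant or another device resolves to nothing, which is the property the quoted explanation relies on.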
How will customers be impacted?
At present, while shopping online your card data is stored on the merchant website, and the next time you simply choose the card, enter the CVV number and authenticate the transaction with a one-time password.
According to a previous RBI guideline, the merchant website will not be allowed to store the card data from January 1.
That would have meant typing out the details for every transaction.
Moghe says, “With tokenisation, the customer will have to do a one-time tokenisation and the subsequent transaction will be as easy as current ones.” He added that it is very simple to tokenise the first time.
“It’s as simple as currently using a new card number on a website. You need to provide the card number, expiry date, CVV, etc,” he said.