RBI on tokenising cards to create a secure payment system in India

By Puja Sharma

The RBI prohibited merchants from storing card information on their servers beginning January 1, 2022, and mandated the use of card-on-file (CoF) tokenisation as an alternative to card storage. The policy applies to domestic purchases made online.

Tokenisation is the process of replacing credit and debit card details with a code, called a token, that is unique to the card, token requestor, and device. Because card details are not shared with merchants during transaction processing, tokenised card transactions are considered safer. When ordering online, customers who don’t have the tokenization option will have to key in their name, 16-digit card number, expiration date, and CVV every time.

Consumers are at risk if retailers do not follow adequate security procedures since they retain card information. If retailers’ security procedures are weak, all consumers are at risk. The data of both debit and credit cards were stolen from merchant websites in several prior hacking incidents. The RBI intends to improve security with card tokenization.

It could be a difficult process and hurt the transaction value, especially when done through stored cards. The card number, name, expiration date, and three-digit CVV are required every time an online payment is made with a debit or credit card. This information is encrypted and masked by the platforms used by the merchant. Credit and debit card tokenisation is a procedure that replaces sensitive information with a placeholder, a randomly generated, one-of-a-kind token, from the company’s internal network. It is used to access, retrieve, and maintain a customer’s credit and debit card information to provide a higher level of security for both the customer and the business.

Using an additional authentication factor (AFA) will require explicit customer consent. A merchant would ask for your consent to tokenise your card. Once the consent is given, the merchant sends a tokenisation request to the card network, which then creates a token as a proxy to the card number and sends it back to the merchant. Once your card is tokenized, you will only be able to see the last four digits of your card, and if your card is replaced, renewed, reissued, or upgraded, you will have to create a new token for each transaction.

Vishwas Patel, Executive Director, Infibeam Avenues Ltd and Chairman, Payments Council of India (PCI), on RBI announcement on tokenisation said, “PCI has been in discussions with its Members and it has been observed that while the overall industry was striving and committed to meet the timeline, certain issues had emerged in the final roll out. Solutions required to resolve the issues were being actively worked on but were to be primarily resolved by the networks, Issuers, and Acquirers within the ecosystem.”

The timeline to implement the fixes was very close to 30-Jun-2022 and hence the industry perceives a risk to the overall readiness for a smooth transition to the tokenisation framework. “Hence this extension of three months by RBI will provide breathing space for all parties involved to comply with the tokenization norms. It will surely help in a smoother transition. Hence, we welcome this extension and assure that all parties will co-ordinate more and deliver on RBI’s expectations.” he added.