Credit and debit card users will have to 'tokenise' their details online to conduct transactions by September 30, as per guidelines issued by the Reserve Bank of India (RBI). After this deadline, online portals and merchants will be required to purge 'card-on-file' (CoF) data, and card users will either have to tokenise their card details or enter them manually every time they wish to transact.
As per these guidelines, merchants (like Swiggy, Zomato, Uber, Flipkart and Amazon) can no longer store CoF data, which they have been storing till now to facilitate card transactions. Only card networks (like Visa, Mastercard, RuPay or American Express) and the issuing authority (like a bank) can store data of these cards.
These guidelines were issued in September last year. While they were supposed to come into effect from January 1 this year, the deadline has been extended thrice.
Since last year, merchants have been nudging their customers to tokenise their cards with them. In June, the RBI again recommended that users tokenise their cards with their merchant websites.
Here's all you need to know about the process.
1. What is a 'token'?
A token represents card data on merchant websites.
Usually, for a card transaction to take place, the following details are needed:
- A 16 (or 15) digit card number
- The CVV number
- The expiry date
- The cardholder's name
Once the card details have been 'tokenised', the merchant website will use the token in place of the card data itself. These tokens will be random digits and will be unique for a combination of the card data, merchant and token requestor (like the app or device that processes the payment).
Therefore, across multiple merchants, a single card may have multiple tokens associated with it.
Further, tokenisation is not automatic and needs express user consent.
"Registration of card on token requestor's app shall be done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc", say the RBI guidelines.
Without tokenisation, users would have to enter their card details manually every time they conduct a transaction online. Tokenisation remains possible even after the September 30 deadline; until a card is tokenised, the transaction just won't be seamless and will require this extra step every time.
2. Why is tokenisation important?
Tokens based on card data can only be used by the merchant for which the token was created in the first place.
In case of a leak or breach at any of the merchants, the token would be less prone to misuse than the actual data of the credit or debit card itself.
Further, in its June circular, the RBI has said that there are several jurisdictions around the world that do not use Additional-Factor-Of-Authentication (AFA) (like Verified by Visa or Mastercard Secure) to verify their transactions. Leaked credit card data could also be used in these jurisdictions.
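The token properties described above (one token per combination of card, merchant and token requestor, usable only by the merchant it was issued for) can be sketched in a few lines. This is an added example, not code from the RBI guidelines or from any card network; the TokenVault class, the merchant names and the card number are constructed for illustration.

```python
import secrets

CARD = "4111111111111111"  # constructed sample card number, not a real account


class TokenVault:
    """Hypothetical stand-in for the card network/issuer, the only party holding card data."""

    def __init__(self):
        self._by_key = {}    # (card, merchant, requestor) -> token
        self._by_token = {}  # token -> (card, merchant, requestor)

    def _new_token(self, card):
        # Random digits: the token carries no information about the card number.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != card and token not in self._by_token:
                return token

    def tokenise(self, card, merchant, requestor, consent_via_afa):
        # Tokenisation needs explicit customer consent, never a default selection.
        if not consent_via_afa:
            raise PermissionError("explicit consent through AFA is required")
        key = (card, merchant, requestor)
        if key not in self._by_key:
            token = self._new_token(card)
            self._by_key[key] = token
            self._by_token[token] = key
        return self._by_key[key]

    def resolve(self, token, merchant, requestor):
        # A token maps back to the card only for the merchant and requestor it was issued to.
        entry = self._by_token.get(token)
        if entry is None or entry[1:] != (merchant, requestor):
            return None
        return entry[0]


def leak_demo():
    vault = TokenVault()
    t_a = vault.tokenise(CARD, "merchant-a", "merchant-a-app", True)
    t_b = vault.tokenise(CARD, "merchant-b", "merchant-b-app", True)
    return {
        "distinct_tokens": t_a != t_b,
        "owner_resolves": vault.resolve(t_a, "merchant-a", "merchant-a-app") == CARD,
        # A token taken from merchant-a and presented through merchant-b is rejected.
        "replay_elsewhere": vault.resolve(t_a, "merchant-b", "merchant-b-app"),
    }
```

In the sketch, a breach at one merchant exposes only that merchant's token, which the vault refuses to resolve when it arrives from anyone else.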
3. How do transactions change under tokenisation?
Currently, all relevant card data is stored directly with the merchant. For a transaction to go through, a user would have to additionally enter the CVV number (usually on the back of a card) and provide an extra code through AFA.
After tokenisation, the same process follows, except that rather than processing the card data themselves, merchants share the token associated with the card with the card network. Users would still have to enter a CVV number and provide an AFA code.
Most merchants have said that no visible change would come to user experience post tokenisation, and the transaction process would remain the same.
4. Where is tokenisation applicable?
Tokenisation is applicable across merchants and devices. When the idea of tokenisation was first mentioned by the RBI in 2019, it was only applicable to mobile and tablet devices. However, in August last year, it was extended to smartwatches, laptops and computers and all 'internet of things' devices.
Users would have to tokenise their card details across each merchant individually.
Fresh tokenisation is also applicable to cards that have been reissued or renewed.
5. How do I tokenise my card details?
Tokenisation depends on merchant readiness and varies across merchants. Each merchant usually has a dedicated section on their website or app to help users tokenise their cards.
For example, merchants like Swiggy and Uber are prompting their customers to agree to tokenise their cards just before a transaction as well as from the payments page where the collective payment details of a user are stored.
All users have to do is click on a checkbox, or take a similar action conveying their consent, to tokenise their card. For the process to go through, the merchant may charge a nominal amount (₹1 - ₹2), which they are immediately refunding. Usually, such merchants will seek user consent to save their card details under "latest RBI guidelines" or some similarly worded phrase.
Merchants are using something called a "secure card" feature, or a similarly worded feature, to tokenise or validate cards with them. Once tokenised, merchants are prominently displaying when cards have been secured successfully.
Cardholders should consult the appropriate merchant on how to tokenise their cards with them.