Explainer: Tokenisation of Debit, Credit Cards by 30th September
MAS Team | 02 September 2022
To enhance the digital payment experience and add an extra layer of security, the Reserve Bank of India (RBI) has made it mandatory for all credit and debit card data used in online, point-of-sale, and in-app transactions to be replaced with unique tokens by 30th September.
 
Under RBI's tokenisation initiative, all companies are required to delete all existing cardholder information and replace it with a unique 'token'. RBI extended the tokenisation deadline by three months starting July. This extended time period may be used to create public awareness about the process of creating tokens and to help stakeholders get ready to handle such transactions.
 
According to the RBI, “Tokenisation refers to the replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and device (referred hereafter as “identified device”).”
 
Currently, card data like card numbers, expiry dates, etc. can be stored by an entity involved in an online card transaction to render convenience. But it should be noted that saving such crucial information increases the risk of card data being stolen or misused. 
 
Earlier RBI said, "Given the fact that many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data." 
 
Banking experts explained that credit card data such as number, CVV and card expiry date is stored on the databases of web services for ease of payments. But this data faces info-security risks. It was observed that data stored on some websites has been breached and leaked into the public domain. Once that happens, cards may be fraudulently used, and their owners may suffer financial losses. Hence, the RBI issued directives that no entity except card issuers or networks will be allowed to store debit or credit card details. Data already stored needs to be erased.
 
Many incidents have occurred in the recent past where users' credit/debit card data stored by merchants has been compromised/leaked and sometimes even sold on the dark web or similar platforms. This stolen information could be used to carry out frauds.
 
Tokenisation aims to put a stop to such frauds as the merchant entities will only have a unique and randomly generated token code instead of the cardholders' actual information.
 
As no card data is being saved anywhere except by the card network and issuer, the chances of card data being lost or stolen are reduced. You also have the option to view the list of merchants with whom you have registered a token and de-register any such token in future via your issuer's app or internet banking. So, if you do not intend to shop on a site later or do not wish a recurring payment associated with your account to be renewed, you can delete the associated token. In case your card is renewed or replaced, you will have to explicitly consent to link it with the merchants with whom you had registered the card earlier. All this adds up to additional security.
 
What are the problems you could face from 1st October?
 
Stopping of auto bill payments
 
With the card data deleted from the merchant database on September 30, 2022, your standing instructions to pay bills etc will become void and auto bill payments will stop.
 
Entering card details while paying
 
With auto bill pay facilities stopped, you have to remember the dates of bill payments and manually enter all the details of a card every time you make a payment online. However, deletion of card details from the merchant databases will make your cards more secure.
 
To avoid the hassles of remembering bill dates, amounts and entering card details every time you make payments online, you have to visit the official websites of the merchants and re-enter the card details in tokenised format.
 
Following are some of the frequently asked questions about card tokenisation:
 
What is tokenisation? 
 
As per the RBI, tokenisation refers to the replacement of actual card details with an alternate code called the "token". 
 
What is the benefit of tokenisation? 
 
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during the processing of the transaction. 
 
How can tokenisation be carried out?
 
The cardholder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device. 
 
Who can perform tokenisation? 
 
Tokenisation can be performed only by the authorised card network and the list of authorised entities is available on the RBI website. 
 
What are the charges that the customer needs to pay for availing of this service? 
 
The customer need not pay any charges for availing of this service. 
 
What are the use cases (instances/scenarios) for which tokenisation has been allowed? 
 
Tokenisation has been allowed through mobile phones and/or tablets for all use cases/channels (e.g., contactless card transactions, payments through QR codes, apps etc.) 
 
Is tokenisation of a card mandatory for a customer?
 
No, a customer can choose whether or not to have his/her card tokenised.
 
Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction.
 
How to create a token for debit, credit cards
 
Once the new norms are implemented, the cardholder has to go through a one-time registration process for every card, at every online merchant's website where they intend to use the card, by entering its details and providing consent to create a token during checkout. A token will be generated for a particular card at a single website.
 
Steps to generate the tokens:
 
  • Go to any e-commerce merchant website or application and start a transaction.
  • During the check-out, enter the details of the credit/debit card along with additional details.
  • Secure the card and tokenise it per RBI's latest guidelines by selecting the 'secure your card as per RBI guidelines' or 'secure your card' option.
  • Authorise the token's creation by using the bank-provided one-time password (OTP) sent to the registered mobile phone or email to complete the transaction.
  • After creating the token, the data of one's card will be replaced with the above-mentioned token.
  • To help one recognise their card while making a transaction, the last four digits of the saved card will be displayed when they revisit the same website or application for any future transaction, representing that the card has been tokenised.
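The issuance flow from the FAQ above (token requestor, card network, issuer consent) and the checkout steps just listed can be modelled in a few lines. This is an added illustration, not code from RBI or any card network: the class, the function names, the merchant and device labels and the test card number are all constructed, and the rule that a token resolves only for the requestor and device it was issued to is a modelling assumption drawn from RBI's definition of a token.

```python
import secrets


class CardNetworkVault:
    """Toy model of a card network's token vault (hypothetical, for illustration)."""

    def __init__(self):
        self._by_key = {}    # (card number, requestor, device) -> token
        self._by_token = {}  # token -> (card number, requestor, device)

    def issue_token(self, pan, requestor, device, issuer_consent):
        # A token is issued only with the issuer's consent (the OTP step).
        if not issuer_consent:
            raise PermissionError("issuer consent (OTP) missing")
        key = (pan, requestor, device)
        if key not in self._by_key:
            token = secrets.token_hex(8)      # random, not derived from the card number
            while token in self._by_token:    # keep tokens unique inside the vault
                token = secrets.token_hex(8)
            self._by_key[key] = token
            self._by_token[token] = key
        return self._by_key[key]

    def detokenise(self, token, requestor, device):
        # Assumption: a token maps back to the card only for the
        # requestor and device it was issued to.
        key = self._by_token.get(token)
        if key is None or key[1:] != (requestor, device):
            return None
        return key[0]

    def deregister(self, token):
        # Cardholder removes a merchant's token via the issuer's app.
        key = self._by_token.pop(token, None)
        if key is not None:
            del self._by_key[key]
        return key is not None


def merchant_record(pan, token):
    # What the merchant keeps after tokenisation: the token and the last
    # four digits for display, never the full card number.
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = CardNetworkVault()
    pan = "4111111111111111"  # constructed test card number
    token = vault.issue_token(pan, "shop-a", "phone-1", issuer_consent=True)
    print(merchant_record(pan, token))
    print(vault.detokenise(token, "shop-b", "phone-1"))  # None: wrong requestor
```

In this model a token copied out of one merchant's database does not resolve for any other requestor, and it stops resolving entirely once the cardholder de-registers it.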
 
While the practice is not mandatory, it is highly recommended as an essential service that every consumer should avail of in order to protect their data, which is otherwise exposed while undertaking a card transaction. However, if a consumer does not wish to save the card with a merchant, the consumer has to enter the entire card data every time during checkout for that particular merchant, which can become inconvenient. Therefore, tokenisation adds security as well as convenience for consumers.
 