From Saturday (October 1), the Reserve Bank of India’s card-on-file (CoF) tokenisation norms, which aim to improve the safety and security of card transactions, have kicked in.
Now, for any purchases done online or through mobile apps, merchants, payment aggregators and payment gateways will not be able to save crucial customer credit and debit card details such as the three-digit CVV and expiry date.
After multiple extensions, the RBI decided not to give any further relaxation in implementing these norms.
The RBI’s Deputy Governor T Rabi Sankar said on Friday that many extensions were given to the system for a comfortable switchover.
“We just wanted to make sure that the customer’s safety doesn’t get compromised because of problems faced in the implementation of tokenisation. The feedback we have from all stakeholders is that it is perfectly ready and the system can go on,” he said.
Close to 35 crore tokens have already been created. In September alone, 40 per cent of transactions, valuing around Rs 63 crore, were done using tokens, Sankar said.
What is tokenisation?
Tokenisation refers to the replacement of actual card details with a unique alternate code called the ‘token’, which shall be unique for a combination of the card, the token requester (i.e. the entity which accepts requests from the customer for tokenisation of a card and passes them on to the card network to issue a corresponding token) and the device.
How did India decide to carry out tokenisation?
In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from January 1, 2022, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative.
Following a series of representations from several industry players and digital payment platforms who anticipated disruption in online transactions from January 1, 2022, the RBI extended the implementation date of card-on-file (CoF) tokenisation norms by another six months to June 30, 2022.
The June 2022 deadline was further extended as the RBI felt that although considerable progress had been made in token creation, and transaction processing based on these tokens had also commenced, the concept was yet to gain traction across all categories of merchants. Subsequently, the deadline was extended till September 30, 2022.
Deputy Governor Sankar said that ever since the regulation on tokenisation was issued, the central bank was constantly talking to all stakeholders to ensure that the transition to the tokenisation framework was smooth.
“There are a few participants who may not be ready, but that would probably be because of their unwillingness to comply. And we don’t believe that we should hold back efforts to ensure customer protection because of such laggards,” he said, adding that these players may take some more time but they will eventually join the framework.
But how will tokenisation work?
A debit or credit card holder can get the card tokenised by initiating a request on the app provided by the token requester. The token requester will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requester, and the device.
“In case of an online transaction, instead of card details, a unique token will be stored on the server. The merchant or transaction platform sends out a message to Visa or Mastercard or a payment gateway, who asks for a token against that card number and will then pass it on to the bank for allowing the transaction,” NTT DATA Payment Services India CEO Dewang Neralla said.
The customer will not be charged for availing the tokenisation service.
Earlier, the facility for card tokenisation was available only for mobile phones and tablets of interested card holders. Subsequently, with an uptick in tokenisation volume, the RBI decided to extend the scope of tokenisation to include consumer devices – laptops, desktops, wearables (wrist watches, bands, etc.) and Internet of Things (IoT) devices.
Who can offer tokenisation services?
Tokenisation can be performed only by the authorised card network and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only. Adequate safeguards have to be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network. RBI has emphasised that the integrity of the token generation process has to be ensured at all times.
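A minimal sketch of the flow described above, as an added example that is not part of the original article or any card network's code: a toy vault standing in for the card network issues a random token per (card, token requester, device) combination and resolves it back to the PAN only for that same combination. The class names, identifiers and 16-digit token format are assumptions, and the card number is the common test value, not a real account.

```python
import secrets

class CardNetworkVault:
    """Toy stand-in for the authorised card network's token vault."""
    def __init__(self):
        self._by_binding = {}  # (pan, requester, device) -> token
        self._by_token = {}    # token -> (pan, requester, device)

    def tokenise(self, pan, requester_id, device_id, issuer_consent):
        if not issuer_consent:
            raise PermissionError("card issuer did not consent")
        binding = (pan, requester_id, device_id)
        if binding in self._by_binding:  # same combination, same token
            return self._by_binding[binding]
        # Random digits, not computed from the PAN, so the token cannot be
        # reversed without the vault's own lookup table.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._by_token:
                break
        self._by_binding[binding] = token
        self._by_token[token] = binding
        return token

    def authorise(self, token, requester_id, device_id):
        """Network-side lookup: return the PAN only when the token is
        presented by the requester and device it was issued for."""
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (requester_id, device_id):
            return None
        return binding[0]

class MerchantStore:
    """What a merchant's server keeps on file: tokens, never the PAN."""
    def __init__(self, requester_id):
        self.requester_id = requester_id
        self.saved = {}  # customer -> (token, device)

    def save_card(self, vault, customer, pan, device_id):
        token = vault.tokenise(pan, self.requester_id, device_id, True)
        self.saved[customer] = (token, device_id)  # PAN is discarded here
        return token

if __name__ == "__main__":
    vault, pan = CardNetworkVault(), "4111111111111111"  # constructed input
    shop_a, shop_b = MerchantStore("merchant-A"), MerchantStore("merchant-B")
    t_a = shop_a.save_card(vault, "alice", pan, "phone-1")
    t_b = shop_b.save_card(vault, "alice", pan, "phone-1")
    print("tokens differ per merchant:", t_a != t_b)
    print("stolen token replayed by B:", vault.authorise(t_a, "merchant-B", "phone-1"))
```

A token copied from one merchant's database resolves to nothing when presented under another requester or device, which is the property the breach scenario in this article relies on.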
What do customers gain from tokenisation?
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. Actual card data, token and other relevant details are stored in a secure mode by the authorised card networks.
The token requester cannot store the Primary Account Number (PAN) or any other card details. Card networks are also mandated to get the token requester certified for safety and security in conformance with international best practices/globally accepted standards.
“With card tokenisation, a card and merchant specific token is generated. Going forward that token can be used for all online transactions with that merchant. This will ensure enhanced security. In case of any data breach or hacking attempt at the merchant’s end, the customer’s card details will be protected,” said Sanjeev Moghe, president & head – cards & payments, Axis Bank.
Worldline India’s senior vice president – products and solutions Jagdish Kumar believes that tokenisation lends greater credibility to a seamless and secure payments experience.
What is the size of the industry?
During 2021-22, payment transactions carried out through credit cards increased by 27 per cent to 223.99 crore in volume terms and 54.3 per cent to 9.72 lakh in value terms, as per the RBI’s annual report for 2021-22.
Though the RBI provides total credit and debit card transaction data in terms of value and volumes, it does not provide separate numbers for online and offline transactions.
“What is relevant will be the number of cards issued. When you look at the debit and credit card transactions data (provided by RBI), they have not given a bifurcation between online and offline. Tokenisation is required wherever you are storing your card details for recurring payments,” NTT DATA Payment Services India’s Neralla said.
However, the number of debit and credit cards in the system can give some idea of the tokenisation industry, experts feel.
Till end July 2022, while the number of credit cards issued stood at around 8 crore, debit cards in the system were 92.81 crore, recent RBI data showed.