New Delhi: In just a few months from now, paying with your credit or debit card on online portals is likely to look a lot different, with new steps to go through before you pay.
From 1 July 2022, to secure card transactions online, the Reserve Bank of India (RBI) has mandated all authorised card networks — like VISA, Mastercard, RuPay, American Express and Discover — to issue tokens against card details for all transactions on a particular platform. For the user’s security benefit, their card details would be masked behind the token and they would be able to transact through just that.
This process, which is voluntary in nature, is being referred to as ‘tokenisation’. It was set to begin as early as 1 January 2022, but the central bank has now pushed the deadline back by six months.
Here’s a deeper look at the various aspects of the new regulation.
What is tokenisation?
Currently, if you are shopping online, let’s say, booking a travel ticket, you are required to key in your 16-digit credit or debit card details along with your 3-4-digit card verification value (CVV) on the travel merchant’s portal.
This data is stored on the travel merchant’s website with the permission of the cardholder, and every time you go online to shop from the travel merchant’s portal, you simply enter your CVV and a one-time password linked to your mobile number.
However, this was leading to cyber crimes. Often, out of negligence, a user just gives their details on an unknown portal, leading to security vulnerabilities.
But from 1 July, the merchant would be required to issue a token against your card details — the 16-digit card number — via the card issuers. This token could then be used only on this merchant’s portal and nowhere else.
How does this help?
Since most financial transactions are online, hackers have started using keystroke logging through malicious software to access a user’s credit card details. So when a hacker sends you a dubious or suspicious link that takes you to a payments page, it installs malware on your system without your knowledge and records your card details.
With the introduction of tokens by merchants, only authorised merchants would be able to send you the payment links, which wouldn’t ask you for card details but instead display the token issued against that card, thereby preventing hackers from getting access to any of your financial details.
This token can be saved on the portal’s server.
What if the merchant’s website is hacked?
Currently, if the online site or portal you visit for routine purchases gets hacked, all your financial data would get leaked. But with tokenisation, this wouldn’t happen.
Under tokenisation, the card details are converted into a unique token, specific to the card and saved with only one merchant at a time.
The RBI guidelines for the process prohibit all e-commerce platforms from saving the card number, expiry date or CVV on their servers. Hence, you can get a token issued from the bank before you buy an item, and that token can only be used for that portal.
In case you shop from different portals or use multiple cards on the same portal, you would be issued multiple tokens.
How to generate a token on a portal?
As of today, after you select an item and shift it to your shopping cart, the merchant or the portal directs you to a payments page, where you are asked to enter your card details to complete the transaction.
From 1 July, the merchants would be mandated to provide you with an option to move to tokenisation. Once you opt for this, the merchant would forward your request to the respective bank or the card network. A token would then be generated and sent back to the merchant, who would keep it saved on its website against your name.
The next time you shop from the same merchant, you would simply need to select the token at checkout.
Is it mandatory to move to tokenisation?
No. The RBI has mandated the merchants to keep tokenisation as an option to make it easier for shoppers to make purchases online, free of cost.
How safe is tokenisation?
In its guidelines, the central bank has categorically said that no entity in the card transaction or the payment chain, other than the card issuer like a bank or the card network, would be allowed to store the actual card data. It has also asked all portals, merchants, or websites in India to delete the previously stored data by 30 June 2022.
Only limited data of the cardholder, like the last four digits of the card number and cardholder’s name, would be stored with the merchant for the purpose of tracking the transactions.
The RBI has put the onus of compliance with these guidelines on the card networks and issuers.
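The merchant-bound token scheme described above, and the limited data a merchant may keep, shown as an added Python sketch that is not from the RBI guidelines or any card network's code. The class names, the random 16-character token format and the two card numbers are assumptions constructed for illustration; real network tokenisation involves further checks that are not modelled here.

```python
import secrets

class CardNetwork:
    """Stand-in for the issuer/card network: the only party that keeps card numbers."""
    def __init__(self):
        self._issued = {}   # (card_number, merchant_id) -> token
        self._lookup = {}   # token -> (card_number, merchant_id)

    def tokenise(self, card_number, merchant_id):
        key = (card_number, merchant_id)
        if key not in self._issued:
            token = secrets.token_hex(8)      # random; not derived from the card number
            self._issued[key] = token
            self._lookup[token] = key
        return self._issued[key]

    def authorise(self, token, merchant_id):
        # A token is honoured only when presented by the merchant it was issued to.
        entry = self._lookup.get(token)
        return entry is not None and entry[1] == merchant_id

class Merchant:
    def __init__(self, merchant_id, network):
        self.merchant_id, self.network = merchant_id, network
        self.saved_cards = []                 # everything a breach of this merchant exposes

    def save_card(self, holder_name, card_number):
        token = self.network.tokenise(card_number, self.merchant_id)  # forwarded, never stored
        record = {"name": holder_name, "last4": card_number[-4:], "token": token}
        self.saved_cards.append(record)
        return record

    def pay(self, record):
        return self.network.authorise(record["token"], self.merchant_id)

def demo():
    network = CardNetwork()
    travel, grocer = Merchant("travel-portal", network), Merchant("grocery-portal", network)
    card_a, card_b = "4111111111111111", "5500000000000004"   # constructed test numbers
    t_a = travel.save_card("A. Shopper", card_a)
    t_b = travel.save_card("A. Shopper", card_b)
    g_a = grocer.save_card("A. Shopper", card_a)
    return {
        "own_token_accepted": travel.pay(t_a),
        "replayed_token_rejected": not grocer.pay(t_a),   # travel's token used elsewhere
        "distinct_tokens": len({t_a["token"], t_b["token"], g_a["token"]}) == 3,
        "breach_exposes_card_number": any(card_a in str(r) for r in travel.saved_cards),
    }

if __name__ == "__main__":
    print(demo())
```

A leak of `travel.saved_cards` yields only names, last four digits and tokens that the network refuses when presented by any other merchant.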
(Edited by Amit Upadhyaya)