In the current era of increasing digital payments and recent data leaks from merchant websites, customer card details get compromised. In addition, customers are becoming more aware of and concerned about the safety of their personal details. Therefore, the RBI, as a precautionary step, has mandated tokenisation to enhance card data security.
As per the RBI mandate effective 1st October 2022, the actual card number, CVV, expiry date and any other sensitive card information cannot be stored by merchants or payment aggregators/gateways for processing online transactions.
What is tokenisation?
Tokenisation refers to the replacement of the actual (clear) card number with an alternate code called the "Token". This token is unique for a combination of the card, the token requestor (i.e. the entity which accepts the request from the customer for tokenisation of a card and passes it on to the card network to issue the corresponding token) and the merchant (the token requestor and the merchant may or may not be the same entity).
What is de-tokenisation?
Conversion of the token back to the actual card details is known as de-tokenisation.
Who can perform tokenisation and de-tokenisation?
Tokenisation and de-tokenisation can be performed only by the authorised card networks (such as Mastercard/RuPay) and the card-issuing banks respectively.
What are the charges that the customer needs to pay for availing this service?
The customer need not pay any charges for availing this service.
Who are the parties / stakeholders in a tokenisation transaction?
Normally, the parties / stakeholders involved in a tokenised card transaction are the merchant, the merchant's acquirer, the card payment network, the token requestor, the issuer and the customer. However, an entity other than those indicated may also participate in the transaction.
Are the Customer Card details safe after tokenisation?
The actual card data, the token and other relevant details are stored in a secure mode by the authorised card networks. The token requestor cannot store the Primary Account Number (PAN), i.e. the card number, or any other card details. Card networks are also mandated to get the token requestor certified for safety and security, conforming to international best practices / globally accepted standards.
How does the process of registration for a tokenisation request work?
The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc.
Where will these Tokens get used?
Once created, the tokenised card details will be used in place of the actual card number for future online purchases initiated or instructed by the card holder.
What are the benefits of tokenisation?
The chances of fraud arising from sharing card details are minimised, as online merchants will only store unique codes and not the actual card numbers. Card data can be stored only by the card networks and the card-issuing banks.
How can tokenisation be carried out?
- Step 1 - The card holder can get the card tokenised by initiating a request on the website/app provided by the token requestor, or through any similar facility provided by the merchant.
- Step 2 - The token requestor / merchant will forward the request directly to the bank which issued the applicable Debit Card, or to Visa / Mastercard / American Express with the consent of the card-issuing bank.
- Step 3 - The party receiving the request from the token requestor will issue a token corresponding to the combination of the card, the token requestor and the merchant.
When is the tokenisation guideline applicable for Debit Cards issued by the Bank?
The tokenisation guideline is applicable for Debit Cards starting 1st October 2022.
Can the customer select which card to use if he / she has more than one card tokenised?
For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app/merchant.
How can I manage my tokenised Cards?
Customers can call the 24*7 Call Centre to place a request to manage their tokenised Debit Cards.
Will tokenisation have any impact on the POS transactions that the card holder does at merchant outlets?
No, tokenisation is only required for conducting the online transactions.
Is tokenisation of card mandatory for a customer?
No, a customer can choose whether to have his / her card tokenised. If the card is not tokenised, starting 1st October 2022 the card holder must enter the full card number, CVV and expiry date every time to complete an online transaction.
Once tokenised, how will the customer see the card details on the merchant page?
The customer will see the last four digits of the card on the merchant page.
What will happen to the token once the customer’s card gets replaced, renewed, reissued, or upgraded?
The customer should again visit the merchant page and create a fresh token, or can upgrade the existing token with the new card by placing a request.
What happens when your cards are tokenised?
- Every time you check out from an e-commerce portal, the merchant forwards the purchase details to the respective bank or card network (RuPay & Mastercard).
- A token is then generated and sent back to your merchant, and your merchant might save that token for you based on your choice.
- You can select this saved token when you check out the next time you shop from that e-commerce portal.
- The end-customer experience does not change under this mechanism. Your card details will be masked, and only the last four digits of your card will be visible.
Will the Card tokenisation need to be done at every merchant?
A token must be unique to the card at a specific merchant. If the customer intends to have a card on file at different merchants, then tokens must be created at all those merchants. If the card holder has three different cards, then the card holder is expected to create 3 different tokens at the same merchant. As mentioned earlier, a token must be unique for a combination of card and merchant.
Whom shall the customer contact in case of any issues with his / her tokenised Card?
All complaints should be made to the card issuers.
For how many merchants will a token generated on a card be valid?
One token is valid only for one card and one merchant. So, if you tokenise your Debit Card for one e-commerce site, the same card will have a different token on another site. This is to prevent fraud. Besides, you can request tokenisation on any number of cards for performing transactions.
What if a merchant's portal is hacked?
Previously, when online shopping portals were hacked, all your card details would get leaked. Under the tokenisation process, you get a token issued by the bank before you make a purchase from an e-commerce portal. That token is valid only for that particular e-commerce portal. As a result, even if the e-commerce portal gets hacked, your card data is safe, as unique tokens have replaced it.
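As an added illustration of the model described in the steps above and in the answers on token scope and merchant breaches (a constructed example, not code from the Bank, RBI or any card network), the following Python sketch keeps the card-to-token mapping only at the network, binds each token to one card, token requestor and merchant, and leaves the merchant with nothing but the token and the last four digits. The class and function names, the sample card number and the requestor/merchant labels are all assumptions made up for the example.

```python
import secrets

# Constructed model of the flow in this FAQ, not any card network's real
# implementation: the network keeps the vault; the merchant keeps only the
# token and the last four digits of the card.

class CardNetworkVault:
    """Mapping that only the card network / issuer ever holds."""

    def __init__(self):
        self._tokens = {}   # token -> (pan, token_requestor, merchant)
        self._index = {}    # (pan, token_requestor, merchant) -> token

    def tokenise(self, pan, requestor, merchant, consent_afa):
        # Steps 1-3: the token requestor forwards the card holder's request;
        # registration proceeds only with explicit AFA consent.
        if not consent_afa:
            raise PermissionError("tokenisation requires explicit AFA consent")
        key = (pan, requestor, merchant)
        if key in self._index:            # same combination -> same token
            return self._index[key]
        token = secrets.token_hex(8)      # random; nothing of the PAN inside
        self._tokens[token] = key
        self._index[key] = token
        return token

    def detokenise(self, token, requestor, merchant):
        # Only the network maps a token back, and only for the requestor and
        # merchant the token was issued to: a leaked token is useless elsewhere.
        entry = self._tokens.get(token)
        if entry is None or entry[1:] != (requestor, merchant):
            raise PermissionError("token unknown or not valid for this merchant")
        return entry[0]

def merchant_card_on_file(vault, pan, requestor, merchant, consent_afa=True):
    """The only card-on-file record a merchant may keep after tokenisation."""
    token = vault.tokenise(pan, requestor, merchant, consent_afa)
    return {"token": token, "last4": pan[-4:]}   # no PAN, CVV or expiry stored

if __name__ == "__main__":
    vault = CardNetworkVault()
    pan = "6521000000001234"   # constructed sample number, not a real card
    print(merchant_card_on_file(vault, pan, "app-a", "shop-a"))
    print(merchant_card_on_file(vault, pan, "app-a", "shop-b"))
```

Tokenising the same card at a second merchant yields a different token, and presenting a token from one merchant in the name of another is refused by the vault, which is the property that makes a breached merchant database useless to an attacker.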
Where can more information on RBI instructions on tokenisation be found?
The circular issued by RBI on tokenisation is available on the RBI website at https://m.rbi.org.in/scripts/FAQView.aspx?Id=129. These FAQs are issued by the Bank for information and general guidance purposes only. The Bank will not be held responsible for actions taken and / or decisions made on the basis of the same. For clarifications or interpretations, if any, one may be guided by the relevant circulars and notifications issued from time to time by the Reserve Bank of India.