Tokenisation

Unless there is anything in the subject or context inconsistent therewith, the capitalised terms listed below shall have the following meanings:

1. “Bank” shall mean Utkarsh Small Finance Bank Limited.
2. “Cardmember” shall mean the person to whom the Bank has issued a Debit Card.
3. “Debit Card” shall mean a debit card issued by the Bank to a Cardmember.
4. “Debit Card Ts and Cs” shall mean the terms and conditions of the Bank applicable to the Debit Card.
5. “Identified Device” shall mean a mobile phone, tablet or such other devices as may be permitted by the Bank with which the Tokenised Card is registered.
6. “MITC” shall mean the most important terms and conditions applicable to the Debit Card.
7. “Token Requestor” shall mean the entity that owns and operates the Token Requestor Application.
8. “Token Requestor Application(s)” shall mean the mobile application(s) through which a request can be initiated for Tokenisation of the Debit Card.
9. “Tokenisation” shall mean the replacement of actual card details with an unique alternate code called the “token”, which shall be unique for a combination of card, token requestor and the Identified device.
10. “Tokenised Card” shall mean the digital version of the Debit Card stored in the Token Requestor Application on the Identified Device of the relevant Cardmember pursuant to Tokenisation.
11. “Tokenised Card Transaction” shall mean the transaction effected by using the Tokenised Card for making payment to any other person.

The Cardmember hereby acknowledges and agrees that:

1. The Cardmember may initiate a request to the card networks for Tokenisation of the Debit Card through any of the Token Requestor Applications in accordance with the applicable law including, without limitation, the circulars and notifications issued by the Reserve Bank of India in relation to tokenisation of cards, from time to time.
2. The Cardmember may initiate Tokenisation of the Debit Card and store the same digitally (i.e. Tokenised Card) in the Token Requestor Application for making payments through the Identified Device of the Cardmember only if the Debit Card is eligible for Tokenisation as per the policies of the Bank, as amended or modified from time to time.
3. The Bank may, in its sole discretion, allow or deny Tokenisation of the Debit Card on any of the Token Requestor Application and such decision of the Bank shall be final and binding on the Cardmember.
4. Debit Card and the Tokenised Card constitute one card with same card account and all terms and conditions applicable to the Debit Card including, without limitation, the Cardmember Agreement and the MITCs shall mutatis mutandis apply to the Tokenised Card including, without limitation, the limits available in respect of the Debit Card.
5. The use of the Tokenised Cards shall be subject to certain transaction limits (whether in value or number of transaction) imposed, from time to time, by the Bank in terms of the applicable law or its internal policies and procedure, at its sole discretion.
6. The Cardmember shall provide all the requisite consents required by the Token Requestor on the Token Requestor Application for sharing of any information with any person (including, without limitation, the Bank) of the Cardmember and/ or the Tokenised Card for all purposes relevant to the Tokenisation and/ or in respect of the Tokenised Card Transactions.

1. The Cardmember must immediately notify the Bank through the 24-hour call centre if the Identified Device is misplaced, damaged, lost or stolen or if the Cardmember suspects that the Tokenised Card is being used without the Cardmember’s permission and the process set out in the Cardmember Agreement and the MITCs of the Debit Card Ts and Cs (in respect of the Debit Card) for loss/ theft/ misuse of the Tokenised Card shall mutatis mutandis apply in this regard. In the event that the Tokenised Card is hotlisted due to card damage, loss or theft and such Tokenised Card is blocked as per the extant process in the Cardmember Agreement and the MITCs of the Debit Card Ts and Cs (in respect of the Debit Card), the token generated with respect to the Tokenised Card shall also be blocked automatically. Once an Identified Device is reported lost, the Tokenised Card thereon should not, under any circumstance be used if the Identified Device is found by the Cardmember subsequently.
2. The Bank shall not be liable or responsible for any transaction incurred on the card account using the Tokenised Card prior to time of reporting of the loss of the Identified Device and the Cardmember will be solely liable for the same.
3. The Cardmember shall be solely liable for all losses in case of misuse of the Tokenised Card by someone who obtained access to the Identified Device/ Tokenised Card with the consent of the Cardmember.

1. The Cardmember shall take appropriate security measures in relation to the Identified Devices and the Tokenised Card including, without limitation, the following measures:
   1. Ensuring that no person has unauthorised access to the Identified Device/Tokenised.
   2. Safeguarding the Identified Device and the Token Requestor Application and keep them under the personal control of the Cardmember at all times.
   3. Ensuring that the password and/ or the credentials utilised to access the Identified Device and/ or the Token Requestor Application are not shared or disclosed to any other person.
2. All the rules, regulations, criteria, terms of usage, charges and other items mentioned in Cardmember Agreement, MITC and the Debit Card Ts and Cs shall be applicable and binding on the Cardmember.
3. The Cardmember shall be fully and solely responsible for any disclosure of the details of the Debit Card Tokenised Card details, password/ security credentials to access the Identified Device/ Token Requestor Application, personal identification number or other security details relating to the Identified Device/Tokenised Card, even if such disclosure is accidental or unauthorised. Bank shall not be responsible or liable for any consequences arising from the loss of ID or disclosure of information (whether authorized or unauthorized) related to Tokenised Card, its password, OTP, or other security credentials), or personal information.
4. The Cardmember acknowledges and agrees that the Bank shall not be responsible if any person including, without limitation, any merchant/ retailer/ platform/ website refuses to accept the Tokenised Card of the Cardmember.
5. The Cardmember hereby agrees that the Cardmember is aware of the various risks (including, without limitation, fraudulent usage of Tokenised Card and loss of the Identified Device) associated with Tokenisation of the Debit Card and usage of the Tokenised Card. The Cardmember hereby agrees and undertakes to assume and bear all the risks involved in respect of Tokenised Card and usage of the same and the Bank shall not be responsible in any manner for the same and shall also not be liable for any claims, loss, damage, cost or expense and liability arising therefrom or in connection therewith.

1. The Cardmember shall follow the instructions of/ terms and conditions agreed with the Token Requestor to suspend/ stop/ delete/ terminate/close the Tokenised Card and not use the features thereof any longer.The Cardmember hereby acknowledges and agrees that the termination of the Tokenised Card will not terminate, suspend, close or in any other manner affect the Debit Card/ in plastic/ physical card/ digital form or any payment or other obligations arising therefrom.
2.  
3. The Bank shall also have the right to suspend, restrict or terminate the Tokenised Card, at any time without providing any reasons in relation to the same.
4. Upon termination of the Debit Card Ts and Cs or suspension or termination of the Debit Card, the Cardmember shall not be entitled to use the Tokenised Card in respect of such Debit Card. The Cardmember shall immediately remove such Tokenised Card from the Token Requestor Application/ Identified Device. Unless and until the Cardmember removes such terminated or suspended Debit Card/Tokenised Card from the Token Requestor Application/Identified Device, the Cardmember shall be solely responsible in the event of any transactions done through such terminated or suspended Debit Card, whether or not such transactions are authorised by such Cardmember.

Tokenisation refers to replacement of actual or clear card number with an alternate code called the“Token.” This shall be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue corresponding token) and the merchant (token requestor and merchant may or may not be the same entity).

Conversion of the token back to actual card details is known as de-tokenisation

Tokenisation and de-tokenisation can be performed only by the authorised Card Networks like Mastercard/Rupay and Card Issuing Banks respectively.

The customer need not pay any charges for availing this service.

Normally, in a tokenised card transaction, parties / stakeholders involved are merchant, the merchant’s acquirer, card payment network, token requestor, issuer and customer. However, an entity, other than those indicated, may also participate in the transaction.

Actual card data, token and other relevant details are stored in a secure mode by the authorized Card networks. Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card details. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices / globally accepted standards.

The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc.

Once created, the Tokenised card details will be used in place of an actual card number for future online purchases initiated or instructed by the card holder.

The chances of fraud arising from sharing card details are minimised as online merchants will only store unique codes and not the actual card numbers.Card data can be stored only by the card networks and Card-issuing Banks.

1. Step1 - The Card holder can get the Card tokenised by initiating a request on the website/app provided by the token requestor and any such similar facility provided by the merchant.
2. Step2 - The token requestor / merchant will forward the request directly to the Bank which issued the applicable Debit Card or to Visa / Mastercard / American Express, with the consent of the card issuing Bank.
3. Step3 - The party receiving the request from Token requester, will issue a token corresponding to the combination of the card, the token requestor, and the merchant.

Tokenisation guideline is applicable for Debit Cards starting 1st October 2022.

For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app/merchant.

Customer can call 24*7 Call Centre to place the request to manage tokenized Debit Cards.

No, tokenisation is only required for conducting the online transactions.

No, a customer can choose whether to let his / her card tokenised. If not Tokenised, starting 1st October 2022, the card holder must enter the full card number, CVV and Expiry date every time to complete their online transactions.

The customer will see the last four digits of the card on the merchant page.

The customer should again visit the merchant page and create a fresh token or can upgrade the existing token with the New Card by placing the request .

1. Every time you check out from an e-commerce portal, the merchant forwards the purchase details to the respective bank or card networks (Rupay & Mastercard).
2. A token is then generated and sent back to your merchant, and your merchant might save that token for you based on your choice.
3. You can select this saved token when you check out the next time you shop from that e-commerce portal.
4. The end-customer experience does not change under this mechanism. Your card details will be masked, and only the last four digits of your card will be visible.

A token must be unique to the card at a specific merchant. If the customer intends to have a card on file at different merchants, then tokens must be created at all the merchants. If the card holder is having three different cards, then is the card holder expected to create 3 different tokens at the same merchant.As mentioned earlier, token must be unique for a combination of card and merchant.

All complaints should be made to the card issuers.

One token is valid only for one card and one merchant. So, if you tokenize your Debit Card for one e-commerce site, the same card will have a different token on another site. This is to prevent fraud. Besides, you can request tokenization on any number of cards for performing a transaction.

Previously, when the online shopping portals were hacked, all your details would get leaked. But under the tokenisation process, you will get a token issued by a bank before you make a purchase from an e-commerce portal. That token will be valid only for that particular e-commerce portal. As a result, even if the e-commerce portal gets hacked, your data is safe as unique tokens have replaced it.

The circular issued by RBI on tokenisation is available on the RBI website at the path https://m.rbi.org.in/scripts/FAQView.aspx?Id=129 . These FAQs are issued by the Bank for information and general guidance purposes only. Bank will not be held responsible for actions taken and / or decisions made on the basis of the same. For clarifications or interpretations, if any, one may be guided by the relevant circulars and notifications issued from time to time by the Reserve Bank of India.