The Reserve Bank of India (RBI) has mandated that all credit and debit card information used for online, point-of-sale, and in-app transactions be replaced with independent tokens, and has extended the deadline for the task from September 30 to October 1. Although there's over a month left to get used to the tokenization process, it's high time for consumers to understand it.
What Is Tokenization?
The tokenization process is set to replace sensitive payment credentials, such as 16-digit plastic card numbers, names, expiry dates, and codes, with a unique alternate card number or token, as instructed by the RBI.
“Tokenization is used for recurring payments or in cases where merchants have stored the card details for providing a faster checkout experience. It’s a very simple process to tokenize your card,” says Dewang Neralla, CEO (chief executive officer) of NTT Data Payment Services India, an end-to-end payment service provider.
How To Tokenize Your Cards?
When you use your debit or credit card to make a purchase online or with a merchant, your card details are usually saved with the merchant. If the merchant’s security measures are not good, all of its customers are at risk: if the merchant’s website gets hacked for any reason and debit and credit card details are leaked, customers will get into trouble. The RBI wants to fix exactly this issue by making card tokenization compulsory; the onus of card security now lies on banks and processors, and not on merchants.
The following process needs to be done with every merchant for each transaction separately.
- To purchase any products or services and to initiate a transaction, a customer visits an e-commerce or merchant’s website.
- The customer then selects the preferred card option as the payment method and enters all details.
- In case the website wants the customer to store the card details for a faster checkout experience, there will be an option ‘secure your card as per RBI guidelines’. A customer must opt for this option to securely generate a token and have it stored as per RBI guidelines.
- To complete the transaction, a customer will receive a one-time password (OTP) on the mobile device or email from the card issuer company.
- Once the OTP is entered on the bank page, the card details are sent for token generation as well as transaction authorization.
- The generated token is sent back to the merchant, who then stores the token against the customer identification data, e.g., mobile number or email address.
- When a customer visits the same e-commerce or merchant website again, the last four digits of the saved card are shown, which helps them recognize the card during the transaction. This means that a customer’s card has been tokenized.
- A new token is generated for every merchant website where the card details are required to be stored.
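The flow in the steps above, as an added example that is not from the article, the RBI, or any bank's or card network's code: a minimal Python sketch in which the merchant ends up holding only a token and the last four digits. The `TokenVault` and `Merchant` classes, the random 16-digit token format, and the rule that a token is honoured only for the merchant it was issued to are assumptions of this example.

```python
import secrets

class TokenVault:
    """Hypothetical stand-in for the bank/processor side, the only place the card number lives."""

    def __init__(self):
        self._entries = {}  # token -> (merchant_id, card_number)

    def tokenize(self, card_number, merchant_id, otp_verified):
        # The token is generated only after the cardholder's OTP has been checked.
        if not otp_verified:
            raise PermissionError("OTP not verified")
        if not (card_number.isdigit() and len(card_number) == 16):
            raise ValueError("expected a 16-digit card number")
        token = card_number
        while token == card_number or token in self._entries:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._entries[token] = (merchant_id, card_number)
        return token, card_number[-4:]

    def authorize(self, token, merchant_id):
        # Assumption of this example: a token is honoured only for the merchant it was issued to.
        entry = self._entries.get(token)
        return entry is not None and entry[0] == merchant_id


class Merchant:
    def __init__(self, merchant_id, vault):
        self.merchant_id, self.vault = merchant_id, vault
        self.saved = {}  # customer id (mobile/email) -> (token, last four digits)

    def save_card(self, customer_id, card_number, otp_verified):
        self.saved[customer_id] = self.vault.tokenize(card_number, self.merchant_id, otp_verified)

    def saved_card_label(self, customer_id):
        return "Card ending " + self.saved[customer_id][1]

    def pay(self, customer_id):
        return self.vault.authorize(self.saved[customer_id][0], self.merchant_id)


CARD = "4111111111111111"  # constructed test number, not a real card
vault = TokenVault()
shop_a, shop_b = Merchant("shop-a", vault), Merchant("shop-b", vault)
for shop in (shop_a, shop_b):
    shop.save_card("user@example.com", CARD, otp_verified=True)
```

A leak of `shop_a.saved` exposes a token and four digits rather than the card number, and under the binding assumption that token is rejected when presented by any other merchant.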
Is It Mandatory To Tokenize Your Cards?
Currently, it is not mandatory to tokenize your cards. A customer can choose whether or not to tokenize his/her card. A customer who does not wish to create a token can continue to transact as before by entering card details manually at the time of initiating the transaction.
Things To Keep In Mind For Card Tokenization
Tokenization is a major reform that would go a long way in enhancing the security of online transactions. “Once tokenization is implemented, a customer must follow the one-time registration process carefully based on their own decision on whether to store the card or not for every card, whether it's for any subscription payments or even just plain card storage, at every e-commerce or merchant’s website,” says Neralla.