Digital payment solution provider Visa on May 5, 2023 announced the introduction of CVV-free online transactions for domestic tokenised credentials in India. The move is in accordance with Reserve Bank of India’s (RBI) guidelines on tokenisation, Visa said in a press release.
Tokenisation is a process that replaces a card’s 16-digit number with a unique alternate card number or ‘Token’, which can be used for online transactions, mobile point-of-sale (POS) transactions, or in-app transactions.
With online transactions increasing in frequency, many individuals have been saving their payment information on merchant sites. This led payment partners getting access to sensitive financial information that should otherwise be highly personal. To secure this data of customers, and to protect against data breach at merchants and banks’ end, RBI has prohibited merchants from storing debit and credit card details on their servers after June 30, 2022.
By requiring card tokenisation, the burden of security now falls on payment processors and banks, not on merchants. Tokenised card transactions are, therefore, considered more secure, as the actual card details are not shared with merchants during transaction processing.
How Tokenisation Works?
When checking out of a shopping cart of an online shopping portal, customers will be required to enter their card details for payments. Here, a customer can opt for tokenisation for the first time, and merchants will forward the details to the respective banks or card networks (Visa, Rupay, Mastercard, etc.). A token is generated and sent back to the merchant, who will keep it for the customer.
Customers can use the saved token for their next purchase without having to remember it. The end customer experience remains unchanged, and they will see the same masked card details and the last four digits of their card number. To complete the transaction, customers must enter the CVV.
Visa has now eliminated the need for collecting the CVV (Cardholder Verification Value) as well repeatedly, by introducing CVV-free online transactions across the merchant ecosystem. However it has to be entered the first time when one opts for tokenisation.
The move aims to make domestic card-not-present (CNP) tokenised transactions faster while ensuring safer and secure transactions for its consumers.
Says Ramakrishnan Gopalan, head – products, India and South Asia, Visa: “With the accelerated use of tokens, merchants who use tokenisation for transactions on Visa cards, need not collect the CVV2 anymore for domestic online transactions originating on tokenised credentials, as this is already taken care of when the card was first tokenised. We are confident this move will unlock positive and smooth payment experiences for consumers on their online domestic transactions.”
CVV2 is the three-digit number on the back of a physical debit or credit card, and collecting CVV2 remains mandatory during initial token provisioning. Going forward, merchants and acquirers can stop collecting CVV2 during subsequent token-based domestic CNP transactions for evolved, safe, and secured payments.
Tokenisation Implementation In India
Since the implementation of RBI’s guidelines in October 2022, tokenisation has seen rapid adoption across the online ecosystem, and token transactions have constituted a majority of domestic CNP transactions in India. Visa, which claims to be the first network to provide Card-on-File tokenisation services in India, has issued over 250 million tokens in India as of March 2023.