On Jan. 08, the central bank put in place stricter guidelines for tokenisation, a feature that helps mask sensitive private data used during online transactions on debit and credit cards or via mobile wallets.
During a transaction, instead of revealing the card details, such as the 16-digit account number, expiration date, and CVV (card verification value), a temporary token (set of numbers) is used as a substitute which ensures greater safety.
Even though certain companies were offering this service, it isn’t prevalent. Having rules in place will allow more firms to offer tokenisation and will also ensure uniformity. With no guidelines in place, even customers were hesitant to opt for it.
The move comes at a time when rapidly growing online transactions in India are expected to reach nearly $1 trillion (Rs70.34 lakh crore) annually by 2025. Steps like tokenisation are expected to provide further impetus.
“With tokenisation, the payment industry will be able to reassure customers about security and privacy of their sensitive data. This will also play a significant role in controlling fraudulent transactions on payment networks which in turn bring in more trust of consumers leading to growth in digital transactions,” said Vinay Kalantri, founder and managing director of tmw (The Mobile Wallet).
At present, the central bank has allowed tokenisaton services only on mobile phone and tablets. The number of options is expected to increase depending on the experience.
Here’s a look what the tokenisation service means and how it is likely to work:
Tokenisation is a process in which card details are masked by issuing a “token.” Thereafter, instead of the actual information on the card, this token is used to perform transactions in contact-less mode at point of sale (POS) terminals, quick response(QR) code payments, etc.
It is considered to be better than the existing card features such as encryption (which can be breached by hackers by using a decryption key), as instead of revealing the same 16-digit card number at multiple places, a unique token is generated every time to complete the transactions.
Since customers use various apps to place online orders—Indians use up to 24 apps on their phone every day, to buy everything ranging from groceries to jewellery to furniture—their card details are exposed on various platforms, making them more susceptible to fraud.
Instead, the customer can request for a token to be generated at the time of making the payment on the app. For this process to be completed, one has to enter their primary account number (PAN), security code, and other payment information. Then, a token is generated which is shared with the merchant and the customer and is used to complete the transactions.
For quicker transactions, customers usually end up checking the “save card detail” option on the payments page, making them vulnerable to data theft. The token method allows payments to be processed without exposing any such confidential details.
“Tokenisation is the foundational aspect of taking payment security and safety to the next level by devaluing data and replacing payment credentials with tokens,” said TR Ramachandran, group country manager for India & South Asia at VISA.
The RBI has asked firms to ensure that customer details can’t be fished out through tokens, and has also insisted on global security standards.
Companies have also been warned not to force customers towards tokenisation, ensuring their explicit consent through additional authentication and not default or automatic selection.