The recent RBI guidelines around card tokenisation have raised a number of questions and caused a great deal of confusion and uncertainty. As of July 2022, businesses, payment gateways and payment aggregators will no longer be able to save the card data of their customers. However, RBI has presented an alternative, allowing businesses to provide their customers the same saved card experience in the form of ‘tokens’.
What is Credit Card Tokenisation?
Card tokenisation refers to replacing your actual card details with a unique code called a token. This token can be used for making online payments without exposing sensitive information. Card tokenisation is a way of enhancing the security and privacy of card transactions, as it lowers the threat of data breaches and fraud.
The Reserve Bank of India (RBI) has published guidelines for card tokenisation in India, which came into effect on January 01, 2022. According to these guidelines, merchants are not allowed to store customer card details on their servers and have to adopt card-on-file (CoF) tokenisation as an alternative to card storage.
CoF tokenisation means that you can save your card details on a merchant app or website, but the merchant will only store a token corresponding to the card and not the actual card number or expiry date. The token will be distinct for a combination of the card, token requestor (the entity that provides the app or website), and device (the consumer device being used by you).
Examples of Card Tokenisation
Card tokenisation is used in various sectors to enhance security and streamline payment processes. The following examples highlight the versatility and effectiveness of card tokenisation in different industries –
- In e-commerce, card tokenisation allows you to save your card information for future purchases securely.
- Mobile wallets utilise card tokenisation to enable quick and secure payments through smartphones.
- Call centres use tokenisation to protect your data during over-the-phone transactions.
How Does Card Tokenisation Work?
Card tokenisation enhances the security of online payments by replacing card numbers with unique codes, known as tokens. When you make a payment on an online shopping portal, you enter your card details and select ‘tokenisation’. The merchant then forwards your information to their bank or card network. A token is generated and sent back to the merchant, who keeps it for future transactions.
The next time you shop on the same platform, you can select the saved token instead of entering your card details again. This is a tokenised transaction. It protects your confidential information from cybercriminals. You will see the masked card details and the last 4 digits of your card number, but you must enter the CVV to complete the transaction.
Tokenisation ensures that sensitive banking details are not revealed during payments, reducing the risk of card fraud. It improves security for both businesses and customers.
How Does Credit and Debit Card Tokenisation Work?
Here is how credit and debit card tokenisation works:
Step 1: When you make a payment online or at a store using your card, the merchant or the payment app sends a request to your card network (such as Visa, Mastercard, etc.) to tokenise your card details.
Step 2: The card network generates a unique code called a token that replaces your actual card number. The token is different for each combination of card, merchant and device. For example, the token for your card on Amazon will be different from the token for your card on Flipkart.
Step 3: The card network sends the token back to the merchant or the payment app, along with other information, such as the expiry date and the CVV of your card.
Step 4: The merchant or the payment app uses the token to process the payment and sends it to the acquiring banking institution (the bank that handles the transactions for the merchant).
Step 5: The acquiring bank forwards the token to the issuing bank (the bank that issued your card) for authorisation.
Step 6: The issuing bank matches the token with your card details in its secure database and sends a confirmation or rejection message to the acquiring bank, which then informs the merchant or the payment app about the transaction status.
How is Card Tokenisation Different from EMV Technology?
EMV (Europay, Mastercard and Visa) technology is a global standard for secure credit and debit card transactions. It involves the use of chip-based cards with dynamic data. Instead of just a magnetic stripe, EMV cards have a tiny computer chip that creates a unique code for each transaction.
Card tokenisation and EMV technology aim to enhance electronic payment security, but they serve different purposes. While EMV technology focuses on securing the physical card using a microchip (such as purchasing clothes at an outlet using your credit card), card tokenisation protects payment data during digital transactions (such as making purchases on an e-commerce platform).
With card tokenisation, sensitive card information is replaced with a unique token that is meaningless to hackers. In contrast, EMV technology prevents fraudulent use of stolen or counterfeit cards at point-of-sale terminals. Therefore, tokenisation complements EMV technology by securing card data during online and digital transactions.
Why Is Tokenisation Important in India?
Saved card data, if not securely stored, is vulnerable to data breaches, which have alarmingly increased over the past decade. These breaches lead to card fraud and diminish public trust in card payments, negatively affecting online transactions. To address this, the RBI has issued guidelines on card tokenisation to enhance security and restore public confidence in digital transactions.
The implementation of card tokenisation by the RBI is crucial for both businesses and customers in India. Tokenisation ensures that intercepted card tokens are useless to hackers, reducing security risks for merchants and standardising security protocols. By mandating tokenisation, the RBI protects businesses from financial losses due to digital fraud and safeguards customers’ sensitive information, enabling the digital economy to grow securely and seamlessly.
What will be the impact of tokenisation on your customers?
Around 30% of conversions on cards happen through saved cards. Additionally, as much as 32% of failed transactions are never reattempted. By saving card details, businesses have been ensuring:
- A seamless checkout experience for their customers, leading to lower drop offs
- Elimination of failed transactions due to inputting of incorrect card details
Cardholders have long enjoyed the convenience of a saved-cards checkout. However, they are also wary of saving card details on third-party websites. While they might trust a few websites or payment gateways with such sensitive information, in most scenarios they do not feel comfortable saving their card details, and they shouldn’t! This fear is grounded in the reality of data breaches and credit card frauds that have plagued us for more than a decade now.
With card tokenisation, consumers no longer need to fear saving their card details. There will be no change in the cardholder experience, except for an AFA, or consent, that will be collected for tokenisation.
Why Should Businesses Invest in Card Tokenisation?
1. Safe PCI Compliance and Security
Card tokenisation provides businesses with a secure method of storing and transmitting customer payment information. By replacing sensitive card data with unique tokens, businesses can significantly reduce the risk of data breaches and fraud.
Tokenisation ensures that the actual card details are never stored on the merchant’s servers, making it an effective measure for achieving Payment Card Industry (PCI) compliance.
2. Ease of One-Click Payments and Recurring Billing
With card tokenisation, businesses can offer customers a convenient and seamless payment experience. Once your card is tokenized, you can make one-click payments without repeatedly entering your card details.
Additionally, tokenisation allows hassle-free recurring billing, such as monthly subscriptions or instalment payments.
3. Enhancing Customer Experience
By implementing card tokenisation, businesses can enhance customer experience by providing a secure and frictionless payment process. You no longer have to worry about the security of your card information while making online purchases. This leads to increased trust and loyalty towards the business.
4. Variety of Payment Solutions and Options
Tokenisation enables businesses to accept various payment methods beyond just credit and debit cards. It supports alternative payment options such as e-wallets, UPI, mobile banking solutions, and more. The availability of multiple payment solutions can attract a broader range of customers and cater to their individual preferences.
Benefits of Card Tokenisation
1. Enhanced security
Card tokenisation replaces sensitive card information with a unique token, reducing the risk of data breaches and fraud.
2. Simplified compliance
Tokenisation helps businesses meet the RBI’s guidelines for implementing secure digital payment methods.
3. Streamlined transactions
Tokenized transactions are faster and more convenient, thus improving the overall customer experience.
4. Ease of recurring payments
Tokenized cards can be used for recurring payments without sharing card details repeatedly.
5. Increased customer trust
By safeguarding card information, businesses can build customer trust and loyalty.
What about the cards that are already saved?
RBI guidelines stipulate that businesses and payment processors will need to delete all saved cards on or before June 30th, 2022.
The good news is that businesses can start tokenising cards right away with Razorpay TokenHQ, India’s first multi-network tokenisation solution.
Once you have integrated with TokenHQ, you can use every subsequent transaction to collect consent for tokenisation from your customers. This consent can be combined with the transaction itself.
Thus, if a customer makes a transaction using a saved card, the same transaction can also be used to collect consent for tokenisation in the form of an AFA. The faster you integrate with TokenHQ, the more likely you are to retain a vast majority of the cards already saved at checkout. Once the deadline for card tokenisation arrives, you will be adequately prepared.
Common Myths About Card Tokenisation
1. Tokenisation will be complex and difficult to implement:
Businesses that are on standard and custom checkout will have to make zero changes on their end. Razorpay TokenHQ will be auto-enabled for you, so sit back and relax, while we do all the heavy lifting!
For businesses on S2S checkout, you can easily integrate with our developer-friendly REST APIs.
2. “If I adopt Razorpay TokenHQ, I will have to use the Razorpay PG”
Untrue! We are flexible across multiple payment gateways, so you don’t have to change your existing payment flows.
3. Tokenisation will be expensive for businesses:
TokenHQ will be a free upgrade for all standard and custom checkout businesses. However, we will charge a small fee for transactions made through saved cards for S2S businesses.
Do you want to know how you can implement card tokenisation for your business? Please reach out to: card-tokenisation@razorpay.com for more information, or get in touch with your respective Account Manager if you are already a Razorpay merchant.
Frequently Asked Questions (FAQs)
1. What is the new RBI guideline on tokenisation?
The RBI has mandated that payment aggregators, wallets, and online merchants (entities involved in the card transaction/payment chain other than card issuers or networks) must not store any sensitive card-related customer information, including full card details. Instead, card numbers must be replaced with ‘tokens’. This directive, effective from 1st October 2022, will not hinder your credit card experience but will enhance the security of your credit card transactions.
2. What is the process of tokenisation?
Tokenization is a process in which sensitive data, such as a credit or debit card number, is replaced with a unique identifier known as a token. This token is a random string of characters that has no meaningful value on its own and cannot be reverse-engineered to obtain the original card details.
The process involves:
- Initiation: A transaction is initiated using the card details.
- Request: The card details are sent to the tokenization system.
- Generation: The system generates a token corresponding to the card details.
- Storage: The token is stored securely and linked to the original card details in a token vault.
- Usage: The token can then be used in place of the actual card number for transactions, providing security against data breaches as the actual card details are not exposed.
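The vault process above, together with the rule that a token is distinct for each combination of card, token requestor and device, can be sketched as follows. This is an added example, not code from Razorpay, RBI or any card network; `TokenVault`, `save_card` and the `shop-a`/`shop-b` names are hypothetical, and rejecting a token presented by a different requestor or device is an assumption about how a vault would enforce that rule.

```python
import secrets


class TokenVault:
    """Toy token vault standing in for the card network / issuer side."""

    def __init__(self):
        self._by_token = {}    # token -> (pan, requestor, device)
        self._by_binding = {}  # (pan, requestor, device) -> token

    def tokenise(self, pan, requestor, device):
        binding = (pan, requestor, device)
        if binding in self._by_binding:
            return self._by_binding[binding]  # same combination, same token
        # Random value with no mathematical link to the card number, so it
        # cannot be reverse-engineered without access to the vault.
        token = secrets.token_hex(16)
        while token in self._by_token:
            token = secrets.token_hex(16)
        self._by_token[token] = binding
        self._by_binding[binding] = token
        return token

    def detokenise(self, token, requestor, device):
        """Resolve a token only for the requestor and device it was issued to."""
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (requestor, device):
            return None  # unknown token, or presented outside its binding
        return binding[0]


def save_card(vault, pan, requestor, device):
    """What the merchant keeps on file: token and last 4 digits, never the PAN."""
    return {"token": vault.tokenise(pan, requestor, device), "last4": pan[-4:]}


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    shop_a = save_card(vault, pan, "shop-a", "phone-1")
    shop_b = save_card(vault, pan, "shop-b", "phone-1")
    return {
        "tokens_differ": shop_a["token"] != shop_b["token"],
        "pan_stored": pan in shop_a.values(),
        "own_token": vault.detokenise(shop_a["token"], "shop-a", "phone-1"),
        "replayed": vault.detokenise(shop_a["token"], "shop-b", "phone-1"),
    }


if __name__ == "__main__":
    print(demo())
```

A merchant record leaked from `shop-a` contains only the token and the last four digits, and that token does not resolve when presented under `shop-b`.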
3. What is the last date of card tokenisation by RBI?
As per the Reserve Bank of India’s guidelines, the deadline for card tokenization was extended to September 30, 2022. This extension was provided to ensure that all stakeholders had adequate time to comply with the new regulations and to ensure a seamless transition to the tokenization system.
4. Is card tokenization mandatory in India?
Yes, card tokenization is mandatory in India. The Reserve Bank of India (RBI) has made it mandatory for merchants to use tokenization services for card transactions. This move is aimed at enhancing the security of online transactions by ensuring that actual card details are not stored by merchants, thereby reducing the risk of data breaches and fraud.
5. How do I check my debit card tokenization?
To check the tokenization status of your debit card, you can follow these steps:
- Bank’s Mobile App or Website: Log in to your bank’s mobile app or website.
- Navigate to Card Services: Find the section related to card services or security settings.
- Check Tokenization Status: Look for an option that shows the status of card tokenization. This might be under a section like “Manage Tokens” or “Tokenization Status.”
- Contact Customer Support: If you cannot find the information online, contact your bank’s customer support for assistance.
6. What is the difference between credit card tokenization and encryption?
| Key Differences | Tokenization | Encryption |
| --- | --- | --- |
| Functionality | Replaces data with a token | Scrambles data |
| Reversibility | Cannot be reversed without the token vault | Can be decrypted with the correct key |
| Use Cases | Used for payment processing | Used for broader data protection |