What is a new RBI guideline on tokenization?

According to the new RBI guideline, tokens should be issued by authorised card networks and should be unique for every transaction. Additionally, the tokens must not reveal any sensitive information and should be stored securely by merchants and payment gateways.

What is the process of tokenization?

Tokenization involves replacing sensitive card data, such as the primary account number, with a randomly generated token. This token serves as a substitute for the actual card details during transactions. When you initiate a transaction, the token is used instead of the original card information for authorisation and settlement purposes. The actual card details are securely stored by the authorised entities involved in tokenization.

What is the last date of card tokenization by RBI?

The RBI has set a card tokenization deadline in India. As per the guidelines, all authorised payment systems operators need to enable debit card and credit card tokenization services by September 30, 2022.

Is it mandatory to tokenize your card?

While it is not mandatory to tokenize your cards, it provides an added layer of security for online transactions. Tokenization ensures that sensitive card data is not exposed during payment processes, reducing the risk of data breaches and fraud.

How to tokenize credit and debit cards?

To tokenize credit and debit cards, a business needs to partner with an authorized payment system operator or work with a trusted third-party service provider who offers tokenization services.

What happens to my saved cards from October 1, 2022?

From October 1, 2022, all saved card details on merchants' websites or mobile apps will need to be tokenized. This means that instead of storing your actual card details, a unique token will be generated and stored securely. This token will replace your card information, making it more secure and protecting it from potential data breaches.

What if I do not tokenize my card?

If you do not tokenize your card, you may face difficulties in making online payments on platforms that have implemented tokenization.

Can a token be used multiple times?

No, a token cannot be used multiple times. Each token is unique to a specific transaction and cannot be reused for any other transaction or purpose. Tokenization ensures that even if the token is intercepted or compromised, it cannot be misused by unauthorised individuals.

How to delete a generated token?

To delete a generated token, you can contact the merchant or payment service provider where the token was created and stored. They will have the necessary tools and processes to delete the token from their system securely. Deleting the token ensures that it can no longer be used for any future transactions.

What is Card Tokenisation and How Does it Work?

The recent RBI guidelines around card tokenisation have raised a number of questions and caused a great deal of confusion and uncertainty. As of July 2022, businesses and payment gateway or payment aggregators will no longer be able to save the card data of their customers. However, RBI has presented an alternative, allowing businesses to provide their customers the same saved card experience in the form of ‘tokens’.

Table of Contents

What is Credit Card Tokenisation?

Card tokenisation refers to replacing your actual card details with a unique code called a token. This token can be used for making online payments without exposing sensitive information. Card tokenisation is a way of enhancing the security and privacy of card transactions, as it lowers the threat of data breaches and fraud.

The Reserve Bank of India (RBI) has published guidelines for card tokenisation in India, which came into effect on January 01, 2022. According to these guidelines, merchants are not allowed to store customer card details on their servers and have to adopt card-on-file (CoF) tokenisation as an alternative to card storage.

CoF tokenisation means that you can save your card details on a merchant app or website, but the merchant will only store a token corresponding to the card and not the actual card number or expiry date. The token will be distinct for a combination of the card, token requestor (the entity that provides the app or website), and device (the consumer device being used by you).

Examples of Card Tokenisation

Card tokenisation is used in various sectors to enhance security and streamline payment processes. The following examples highlight the versatility and effectiveness of card tokenisation in different industries –

In e-commerce, card tokenisation allows you to save your card information for future purchases securely.
Mobile wallets utilise card tokenisation to enable quick and secure payments through smartphones.
Call centres use tokenisation to protect your data during over-the-phone transactions.

How Does Card Tokenisation Work?

Card tokenisation enhances the security of online payments by replacing card numbers with unique codes, known as tokens. When you make a payment on an online shopping portal, enter your card details and select ‘tokenisation‘. The merchant then forwards your information to their bank or card network. A token is generated and sent back to the merchant, who keeps it for future transactions.

The next time you shop on the same platform, you can select the saved token instead of entering your card details again. This is what a tokenised transaction is and its meaning. It protects your confidential information from cybercriminals. You will see the masked card details and the last 4 digits of your card number, but you must enter the CVV to complete the transaction.

Tokenisation ensures that sensitive banking details are not revealed during payments, reducing the risk of card fraud. It improves security for both businesses and customers.

How Does Credit and Debit Card Tokenisation Work?

Here is how credit and debit card tokenisation works:

Step 1: When you make a payment online or at a store using your card, the merchant or the payment app sends a request to your card network (such as Visa, Mastercard, etc.) to tokenise your card details.

Step 2: The card network generates a unique code called a token that replaces your actual card number. The token is different for each combination of card, merchant and device. For example, the token for your card on Amazon will be different from the token for your card on Flipkart.

Step 3: The card network sends the token back to the merchant or the payment app, along with other information, such as the expiry date and the CVV of your card.

Step 4: The merchant or the payment app uses the token to process the payment and sends it to the acquiring banking institution (the bank that handles the transactions for the merchant).

Step 5: The acquiring bank forwards the token to the issuing bank (the bank that issued your card) for authorisation.

Step 6: The issuing bank matches the token with your card details in its secure database and sends a confirmation or rejection message to the acquiring bank, which then informs the merchant or the payment app about the transaction status.

How is Card Tokenisation Different from EMV Technology?

EMV (Europay, Mastercard and Visa) technology is a global standard for secure credit and debit card transactions. It involves the use of chip-based cards with dynamic data. Instead of just a magnetic stripe, EMV cards have a tiny computer chip that creates a unique code for each transaction.

Card tokenisation and EMV technology aim to enhance electronic payment security, but they serve different purposes. While EMV technology focuses on securing the physical card using a microchip (such as purchasing clothes at an outlet using your credit card), card tokenisation protects payment data during digital transactions (such as making purchases on an e-commerce platform).

With card tokenisation, sensitive card information is replaced with a unique token that is meaningless to hackers. In contrast, EMV technology prevents fraudulent use of stolen or counterfeit cards at point-of-sale terminals. Therefore, tokenisation complements EMV technology by securing card data during online and digital transactions.

Why Tokenisation Important In India?

Saved card data, if not securely stored, is vulnerable to data breaches, which have alarmingly increased over the past decade. These breaches lead to card fraud and diminish public trust in card payments, negatively affecting online transactions. To address this, the RBI has issued guidelines on card tokenisation to enhance security and restore public confidence in digital transactions.

The implementation of card tokenisation by the RBI is crucial for both businesses and customers in India. Tokenisation ensures that intercepted card tokens are useless to hackers, reducing security risks for merchants and standardising security protocols. By mandating tokenisation, the RBI protects businesses from financial losses due to digital fraud and safeguards customers’ sensitive information, enabling the digital economy to grow securely and seamlessly.

Also Read: Decoding Card-on-File Tokenisation: All you need to know

What will be the impact of tokenisation on your customers?

Around 30% conversions on cards happen through saved cards. Additionally, as much as 32% of failed transactions are never reattempted. By saving card details businesses have been ensuring;

A seamless checkout experience for their customers, leading to lower drop offs
Elimination of failed transactions due to inputting of incorrect card details

Cardholders have long enjoyed the convenience of a saved-cards checkout, however, they are also wary of saving card details on third-party websites. While they might trust a few websites or payment gateways with such sensitive information, in most scenarios they do not feel comfortable saving their card details, and they shouldn’t! This fear is grounded in the reality of data breaches and credit card frauds that have plagued us for more than a decade now.

With card tokenisation consumers no longer need to fear saving their card details. There will be no change in the cardholder experience, except for an AFA, or consent that will be collected for tokenisation.

Why Should Businesses Invest in Card Tokenisation?

1. Safe PCI Compliance and Security

Card tokenisation provides businesses with a secure method of storing and transmitting customer payment information. By replacing sensitive card data with unique tokens, businesses can significantly reduce the risk of data breaches and fraud.

Tokenisation ensures that the actual card details are never stored on the merchant’s servers, making it an effective measure for achieving Payment Card Industry (PCI) compliance.

2. Ease of One-Click Payments and Recurring Billing

With card tokenisation, businesses can offer customers a convenient and seamless payment experience. Once your card is tokenized, you can make one-click payments without repeatedly entering your card details.

Additionally, tokenisation allows hassle-free recurring billing, such as monthly subscriptions or instalment payments.

3. Enhancing Customer Experience

By implementing card tokenisation, businesses can enhance customer experience by providing a secure and frictionless payment process. You no longer have to worry about the security of your card information while making online purchases. This leads to increased trust and loyalty towards the business.

4. Variety of Payment Solutions and Options

Tokenisation enables businesses to accept various payment methods beyond just credit and debit cards. It supports alternative payment options such as e-wallets, UPI, mobile banking solutions, and more. The availability of multiple payment solutions can attract a broader range of customers and cater to their individual preferences.

Benefits of Card Tokenisation

1. Enhanced security

Card tokenisation replaces sensitive card information with a unique token, reducing the risk of data breaches and fraud.

2. Simplified compliance

Tokenisation helps businesses meet the RBI’s guidelines for implementing secure digital payment methods.

3. Streamlined transactions

Tokenized transactions are faster and more convenient, thus improving the overall customer experience.

4. Ease of recurring payments

Tokenized cards can be used for recurring payments without sharing card details repeatedly.

5. Increased customer trust

By safeguarding card information, businesses can build customer trust and loyalty.

What about the cards that are already saved?

RBI guidelines stipulate that businesses and payment processors will need to delete all saved cards by or before June 30th, 2022.

The good news is that businesses can start tokenising cards right away with Razorpay TokenHQ, India’s first multi-network tokenisation solution.

Once you have integrated with TokenHQ, you can use every subsequent transaction to collect consent for tokenisation from your customers. This consent can be combined with the transaction itself.

Thus, if a customer makes a transaction using a saved card, the same transaction can also be used to collect consent for tokenisation in the form of an AFA. The faster you integrate with TokenHQ, the more likely you are to retain a vast majority of the cards already saved at checkout. Once the deadline for card tokenisation arrives, you will be adequately prepared.

Common Myths About Card Tokenisation

1. Tokenisation will be complex and difficult to implement:

Businesses that are on standard and custom checkout will have to make zero changes on their end. Razorpay TokenHQ will be auto-enabled for you, so sit back and relax, while we do all the heavy lifting!

For businesses on S2S checkout, you can easily integrate with our developer-friendly REST APIs.

2. “If I adopt Razorpay TokenHQ, I will have to use the Razorpay PG”

Untrue! We are flexible across multiple payment gateways, so you don’t have to change your existing payment flows.

3. Tokenisation will be expensive for businesses:

TokenHQ will be a free upgrade for all standard and customer checkout businesses. However, we will charge a small fee for transactions made through saved cards for S2S businesses.

Do you want to know how you can implement card tokenisation for your business? Please reach out to: card-tokenisation@razorpay.com for more information, or get in touch with your respective Account Manager if you are already a Razorpay merchant.

Frequently Asked Questions (FAQs)

1. What is a new RBI guideline on tokenisation?

The RBI has mandated that payment aggregators, wallets, and online merchants (entities involved in the card transaction/payment chain other than card issuers or networks) must not store any sensitive card-related customer information, including full card details. Instead, card numbers must be replaced with ‘tokens’. This directive, effective from 1st October 2022, will not hinder your credit card experience but will enhance the security of your credit card transactions.

2. What is the process of tokenisation?

Tokenization is a process in which sensitive data, such as a credit or debit card number, is replaced with a unique identifier known as a token. This token is a random string of characters that has no meaningful value on its own and cannot be reverse-engineered to obtain the original card details.

The process involves:

Initiation: A transaction is initiated using the card details.
Request: The card details are sent to the tokenization system.
Generation: The system generates a token corresponding to the card details.
Storage: The token is stored securely and linked to the original card details in a token vault.
Usage: The token can then be used in place of the actual card number for transactions, providing security against data breaches as the actual card details are not exposed.

3. What is the last date of card tokenisation by RBI?

As per the Reserve Bank of India’s guidelines, the deadline for card tokenization was extended to September 30, 2022. This extension was provided to ensure that all stakeholders had adequate time to comply with the new regulations and to ensure a seamless transition to the tokenization system.

4. Is card tokenization mandatory in India?

Yes, card tokenization is mandatory in India. The Reserve Bank of India (RBI) has made it mandatory for merchants to use tokenization services for card transactions. This move is aimed at enhancing the security of online transactions by ensuring that actual card details are not stored by merchants, thereby reducing the risk of data breaches and fraud.

5. How do I check my debit card tokenization?

To check the tokenization status of your debit card, you can follow these steps:

Bank’s Mobile App or Website: Log in to your bank’s mobile app or website.
Navigate to Card Services: Find the section related to card services or security settings.
Check Tokenization Status: Look for an option that shows the status of card tokenization. This might be under a section like “Manage Tokens” or “Tokenization Status.”
Contact Customer Support: If you cannot find the information online, contact your bank’s customer support for assistance.

6. What is the difference between credit card tokenization and encryption?

Key Differences	Tokenization	Encryption
Functionality	Replaces data with a token	Scrambles data
Reversibility	Cannot be reversed without the token vault	Can be decrypted with the correct key
Use Cases	Used for payment processing	Used for broader data protection

Card Tokenisation: How Does Credit and Debit Card Tokenisation Work?

Write A Comment Cancel Reply