The recent RBI guidelines around card tokenisation have raised a number of questions and caused a great deal of confusion and uncertainty. As of July 2022, businesses and payment gateways or payment aggregators will no longer be able to save the card data of their customers. However, RBI has presented an alternative, allowing businesses to provide their customers the same saved card experience in the form of ‘tokens’.
What is Card Tokenisation?
Card tokenisation refers to replacing your actual card details with a unique code called a token. This token can be used for making online payments without exposing sensitive information. Card tokenisation is a way of enhancing the security and privacy of card transactions, as it lowers the threat of data breaches and fraud.
The Reserve Bank of India (RBI) has published guidelines for card tokenisation in India, which came into effect on January 01, 2022. According to these guidelines, merchants are not allowed to store customer card details on their servers and have to adopt card-on-file (CoF) tokenisation as an alternative to card storage.
CoF tokenisation means that you can save your card details on a merchant app or website, but the merchant will only store a token corresponding to the card and not the actual card number or expiry date. The token will be distinct for a combination of the card, token requestor (the entity that provides the app or website), and device (the consumer device being used by you).
How Does Card Tokenisation Work?
Card tokenisation enhances the security of online payments by replacing card numbers with unique codes, known as tokens. When you make a payment on an online shopping portal, enter your card details and select ‘tokenisation’. The merchant then forwards your information to their bank or card network. A token is generated and sent back to the merchant, who keeps it for future transactions.
The next time you shop on the same platform, you can select the saved token instead of entering your card details again. This is what a tokenised transaction means. It protects your confidential information from cybercriminals. You will see the masked card details and the last 4 digits of your card number, but you must enter the CVV to complete the transaction.
Tokenisation ensures that sensitive banking details are not revealed during payments, reducing the risk of card fraud. It improves security for both businesses and customers.
How Does Credit and Debit Card Tokenisation Work?
Here is how credit and debit card tokenisation works:
Step 1: When you make a payment online or at a store using your card, the merchant or the payment app sends a request to your card network (such as Visa or Mastercard) to tokenise your card details.
Step 2: The card network generates a unique code called a token that replaces your actual card number. The token is different for each combination of card, merchant and device. For example, the token for your card on Amazon will be different from the token for your card on Flipkart.
Step 3: The card network sends the token back to the merchant or the payment app, along with other information, such as the expiry date and the CVV of your card.
Step 4: The merchant or the payment app uses the token to process the payment and sends it to the acquiring banking institution (the bank that handles the transactions for the merchant).
Step 5: The acquiring bank forwards the token to the issuing bank (the bank that issued your card) for authorisation.
Step 6: The issuing bank matches the token with your card details in its secure database and sends a confirmation or rejection message to the acquiring bank, which then informs the merchant or the payment app about the transaction status.
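The six steps above, as an added Python sketch that is not Razorpay's or any card network's code. The names TokenVault and Merchant and the test card number are constructed for illustration, and rejecting a token presented outside the card, requestor and device combination it was issued for is an assumption about how that binding is enforced.

```python
import secrets

TEST_PAN = "4111111111111111"  # constructed test card number, not a real card

class TokenVault:
    """Stand-in for the card network / issuer side that holds the mapping."""

    def __init__(self):
        self._by_token = {}    # token -> (pan, expiry, requestor, device)
        self._by_binding = {}  # (pan, requestor, device) -> token

    def tokenise(self, pan, expiry, requestor, device):
        """Steps 1-3: one token per (card, token requestor, device)."""
        binding = (pan, requestor, device)
        if binding not in self._by_binding:
            token = None
            while token is None or token in self._by_token:
                # Random digits, not derived from the PAN, so the token
                # cannot be reversed without access to this vault.
                token = "".join(secrets.choice("0123456789") for _ in range(16))
            self._by_binding[binding] = token
            self._by_token[token] = (pan, expiry, requestor, device)
        return self._by_binding[binding]

    def detokenise(self, token, requestor, device):
        """Step 6: resolve a token only for the binding it was issued to."""
        record = self._by_token.get(token)
        if record is None or record[2:] != (requestor, device):
            return None  # unknown token, or presented outside its binding
        return record[0], record[1]

class Merchant:
    """Token requestor: stores the token and last four digits, never the PAN."""

    def __init__(self, name, vault):
        self.name, self.vault, self.saved = name, vault, {}

    def save_card(self, customer, pan, expiry, device):
        token = self.vault.tokenise(pan, expiry, self.name, device)
        self.saved[customer] = {"token": token, "last4": pan[-4:], "device": device}
        return token

    def pay(self, customer):
        """Steps 4-6: submit the saved token; True if it is authorised."""
        card = self.saved[customer]
        return self.vault.detokenise(card["token"], self.name, card["device"]) is not None
```

A copy of one merchant's stored records contains no card number, and a token taken from it does not resolve when another requestor presents it.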
How is Card Tokenisation Different from EMV Technology?
EMV (Europay, Mastercard and Visa) technology is a global standard for secure credit and debit card transactions. It involves the use of chip-based cards with dynamic data. Instead of just a magnetic stripe, EMV cards have a tiny computer chip that creates a unique code for each transaction.
Card tokenisation and EMV technology aim to enhance electronic payment security, but they serve different purposes. While EMV technology focuses on securing the physical card using a microchip (such as purchasing clothes at an outlet using your credit card), card tokenisation protects payment data during digital transactions (such as making purchases on an e-commerce platform).
With card tokenisation, sensitive card information is replaced with a unique token that is meaningless to hackers. In contrast, EMV technology prevents fraudulent use of stolen or counterfeit cards at point-of-sale terminals. Therefore, tokenisation complements EMV technology by securing card data during online and digital transactions.
Examples of Card Tokenisation
Card tokenisation is used in various sectors to enhance security and streamline payment processes. The following examples highlight the versatility and effectiveness of card tokenisation in different industries:
- In e-commerce, card tokenisation allows you to save your card information for future purchases securely.
- Mobile wallets utilise card tokenisation to enable quick and secure payments through smartphones.
- Call centres use tokenisation to protect your data during over-the-phone transactions.
Why is Tokenisation Important?
Saved card data, if not securely stored, can be vulnerable to data breaches. There has been an alarming increase in the number of data breaches over the last decade. These data breaches directly lead to instances of card fraud, resulting in dwindling public trust in cards as a payment method.
This negative perception around card payments also casts a shadow over online transactions as a whole. This is why the RBI has stepped in to issue guidelines on card tokenisation and nip any negative sentiments in the bud.
These guidelines focus on improving the security and safety around card transactions, thus restoring public confidence in online transactions, and safeguarding cardholders’ interest to ensure that the digital economy can grow unhindered.
By mandating the tokenisation of card data, RBI has allowed businesses to continue offering their customers a seamless checkout experience while ensuring maximum security.
Importance of Card Tokenisation in India
The RBI’s implementation of card tokenisation holds significant importance for both businesses and customers in India. With the rise of digital fraud and vulnerabilities associated with storing sensitive card data, tokenisation provides a secure solution. The token for your card is useless to hackers even if intercepted. This alleviates security burdens for merchants, standardises security protocols, and enhances the security of your card information saved on various platforms.
By enforcing tokenisation, the RBI aims to protect businesses from financial losses due to digital fraud while safeguarding customers’ sensitive information.
What will be the impact of tokenisation on your customers?
Around 30% of conversions on cards happen through saved cards. Additionally, as much as 32% of failed transactions are never reattempted. By saving card details, businesses have been ensuring:
- A seamless checkout experience for their customers, leading to lower drop-offs
- Elimination of failed transactions due to inputting of incorrect card details
Cardholders have long enjoyed the convenience of a saved-cards checkout; however, they are also wary of saving card details on third-party websites. While they might trust a few websites or payment gateways with such sensitive information, in most scenarios they do not feel comfortable saving their card details, and they shouldn’t! This fear is grounded in the reality of data breaches and credit card frauds that have plagued us for more than a decade now.
With card tokenisation, consumers no longer need to fear saving their card details. There will be no change in the cardholder experience, except for an AFA, or consent that will be collected for tokenisation.
Why Should Businesses Invest in Card Tokenisation?
1. Safe PCI Compliance and Security
Card tokenisation provides businesses with a secure method of storing and transmitting customer payment information. By replacing sensitive card data with unique tokens, businesses can significantly reduce the risk of data breaches and fraud.
Tokenisation ensures that the actual card details are never stored on the merchant’s servers, making it an effective measure for achieving Payment Card Industry (PCI) compliance.
2. Ease of One-Click Payments and Recurring Billing
With card tokenisation, businesses can offer customers a convenient and seamless payment experience. Once your card is tokenised, you can make one-click payments without repeatedly entering your card details.
Additionally, tokenisation allows hassle-free recurring billing, such as monthly subscriptions or instalment payments.
3. Enhancing Customer Experience
By implementing card tokenisation, businesses can enhance customer experience by providing a secure and frictionless payment process. You no longer have to worry about the security of your card information while making online purchases. This leads to increased trust and loyalty towards the business.
4. Variety of Payment Solutions and Options
Tokenisation enables businesses to accept various payment methods beyond just credit and debit cards. It supports alternative payment options such as e-wallets, UPI, mobile banking solutions, and more. The availability of multiple payment solutions can attract a broader range of customers and cater to their individual preferences.
Benefits of Card Tokenisation
Card tokenisation replaces sensitive card information with a unique token, reducing the risk of data breaches and fraud.
Tokenisation helps businesses meet the RBI’s guidelines for implementing secure digital payment methods.
Tokenised transactions are faster and more convenient, thus improving the overall customer experience.
Ease of recurring payments
Tokenised cards can be used for recurring payments without sharing card details repeatedly.
Increased customer trust
By safeguarding card information, businesses can build customer trust and loyalty.
What about the cards that are already saved?
RBI guidelines stipulate that businesses and payment processors will need to delete all saved cards on or before June 30th, 2022.
The good news is that businesses can start tokenising cards right away with Razorpay TokenHQ, India’s first multi-network tokenisation solution.
Once you have integrated with TokenHQ, you can use every subsequent transaction to collect consent for tokenisation from your customers. This consent can be combined with the transaction itself.
Thus, if a customer makes a transaction using a saved card, the same transaction can also be used to collect consent for tokenisation in the form of an AFA. The faster you integrate with TokenHQ, the more likely you are to retain a vast majority of the cards already saved at checkout. Once the deadline for card tokenisation arrives, you will be adequately prepared.
Common Myths About Card Tokenisation
1. Tokenisation will be complex and difficult to implement:
Businesses that are on standard and custom checkout will have to make zero changes on their end. Razorpay TokenHQ will be auto-enabled for you, so sit back and relax, while we do all the heavy lifting!
For businesses on S2S checkout, you can easily integrate with our developer-friendly REST APIs.
2. “If I adopt Razorpay TokenHQ, I will have to use the Razorpay PG”
Untrue! We are flexible across multiple payment gateways, so you don’t have to change your existing payment flows.
3. Tokenisation will be expensive for businesses:
TokenHQ will be a free upgrade for all standard and custom checkout businesses. However, we will charge a small fee for transactions made through saved cards for S2S businesses.
Do you want to know how you can implement card tokenisation for your business? Please reach out to: firstname.lastname@example.org for more information, or get in touch with your respective Account Manager if you are already a Razorpay merchant.