Thu, 30 Jun 2022 09:34 PM IST
The Reserve Bank of India (RBI) earlier this week deferred the June 30 deadline for the tokenization of debit and credit cards by another three months. The central bank has declared that the framework for its implementation is being finalized following due consultation with all stakeholders so as to avoid any inconvenience or disruption for end users, merchants and payment aggregators, among others.
The framework requires all merchants and payment aggregators, among others, to delete all card details and replace them with tokens. However, a few industry players have flagged some issues with regard to guest checkout transactions, which the RBI has acknowledged and resolved through due diligence involving all stakeholders.
What is Tokenization?
Tokenization replaces the sensitive data of your cards - Card Number, Expiry Date, CVV - with a unique identification symbol at the payment gateway. This means that the aforementioned data need to be stored securely, preventing fraud and instances of cheating. With minimum data, small and midsize businesses can continue with e-commerce and digital payments while your details remain safe and secure.
According to the Payment Card Industry Council, 'tokenization is the process by which the primary account number is replaced with a surrogate value called a token'. The encrypted information is sent to the payment processor, which stores the original sensitive information in a token vault in the vendor’s payment gateway, to be accessed when needed. At this stage, the information can be verified as well.
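The vault model described above, as an added Python sketch that is not taken from the RBI framework or from any token provider's code. The class and method names, the `tok_` prefix and the merchant identifiers are hypothetical, the card number is a constructed test value, and binding each token to a single merchant follows the description quoted later in this article.

```python
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real card


def luhn_ok(pan):
    """Checksum sanity check so mistyped numbers are rejected before vaulting."""
    if not (pan.isascii() and pan.isdigit()) or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault held by the token provider, never the merchant."""

    def __init__(self):
        self._by_token = {}  # token -> (pan, expiry, merchant_id)
        self._by_card = {}   # (pan, merchant_id) -> token

    def tokenize(self, pan, expiry, merchant_id):
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        key = (pan, merchant_id)
        if key in self._by_card:  # same card at the same merchant reuses its token
            return self._by_card[key]
        # Random surrogate: it cannot be reversed to the card number without the vault.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = (pan, expiry, merchant_id)
        self._by_card[key] = token
        return token

    def detokenize(self, token, merchant_id):
        record = self._by_token.get(token)
        # Unknown token and wrong merchant fail identically, so a token
        # copied from one merchant's database is useless at another.
        if record is None or record[2] != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return record[0], record[1]


if __name__ == "__main__":
    vault = TokenVault()
    print("merchant stores only:", vault.tokenize(SAMPLE_PAN, "12/27", "shop-a"))
```

The merchant's database holds only the returned token; the CVV is deliberately never written to the vault.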
We further spoke with different stakeholders to find out how the move is expected to benefit the beneficiaries as well as the financial institutions. According to Balaji Jagannathan, Co-Founder and Director of Paycorp.io, which provides automated recurring payment solutions and has a direct interface with as many as six Indian banks, tokenization delivers both security and convenience to card users, card issuers and acquirers.
“Starting June 2022, eCommerce servers are not allowed to store their customers' card information. Instead, customers can store the card information with designated tokenization providers and obtain a unique token for their card. This token is unique to the card information and to the eCommerce portal. The eCommerce portal will then take only the card token from the customer and resolve it with the token provider. As you can see, the card information is no more shared or saved anywhere, thus eliminating all possible leakage of card data. Financial institutions can now feel safe that the cards issued by them are less prone to hacking,” he said.
When asked why card users should feel safe with the tokenization process, Balaji Jagannathan added that since there is no need to share card information on every eCommerce portal and tokens are used instead, card users experience fewer or no false declines due to wrong card details, while check-out time would also reduce significantly. Further elaborating upon the readiness of the technology, he added:
“The card tokenization has been in the works for quite a while before the June deadline. So the technology for card tokenization is already in place. However, all eCommerce portals need to integrate their systems with token providers, failing which they will be forced to seek the entire card detail from the customer each time, causing inconvenience and poor shopping experience to their customers.”
The tokenization of cards has primarily been envisioned as a move to tackle instances of online fraud, cyber-attacks and data leakage, thereby providing an extra layer of security for digital transactions. But doubts continue to linger over how the move might impact those at the bottom of the pyramid, such as beneficiaries living in rural areas having little access to information.
Referring to them aptly as the most vulnerable segment with regard to financial inclusivity, Muthoot Microfin CEO Sadaf Sayeed said, “This is a step in the right direction. RBI wants to protect the card users from any type of digital fraud/data theft. With penetration of debit cards increasing in rural areas/bottom of pyramid, it is imperative that RBI protects the interest of the most vulnerable segment. Most of these customers are first-time users; they might not realize the sensitivity of the card data. Hence, tokenization is the best way to protect data for digital transactions happening in rural space or with customers who are comparatively less aware.”
While September 30, 2022, is the new deadline for the tokenization policy, customers as of now have the option of transacting by manually entering debit and credit card details, i.e. the usual guest checkout process. Although token creation is optional for card users as of now, the RBI has announced that more than 19.5 crore tokens have already been created by card users across the country.