India has an estimated 98.5 crore credit and debit cards, which are used for about 1.5 crore daily transactions worth Rs 4,000 crore, according to data available from a Confederation of Indian Industry (CII) seminar. As per the annual report of the Reserve Bank of India (RBI), in 2020–21, the value of the Indian digital payments industry stood at Rs 14,14,85,173 crore.
Digital payments have triggered and sustained economic growth, especially through the difficult times of the COVID-19 pandemic. The pandemic proved to be a catalyst in making e-commerce a booming industry in the country. This, in turn, has given an immense push to digital means of payment, including credit and debit cards. However, there have been concerns about the safety of customers' card details, because online merchants store those details on their servers to make it more convenient for customers to pay. Taking these concerns into account, in September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from January 1, 2022, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage. According to PayPal, a CoF, or stored credential, is information that a merchant, its agent, a payment facilitator, or a staged digital wallet operator stores about a cardholder to process future transactions. Following representations from industry players and digital payments platforms, the RBI has extended the implementation date of tokenisation norms by six months to June 30, 2022.
How the System Works Currently
Currently, while shopping online, say, purchasing items on an e-commerce platform like Amazon or Flipkart, to make the payment using a credit or debit card, one needs to enter the 16-digit credit or debit card details along with the three- or four-digit card verification value (CVV). This data is stored on the e-commerce platform's website with the permission of the cardholder, and every time you go online to shop from the platform, you simply need to enter the CVV of your credit or debit card (because the rest of the card details have already been saved with the merchant with your consent) and a one-time password (OTP) linked to your mobile number. This practice of online merchants storing the card details of customers, however, is fraught with risks: it makes customers vulnerable to cybercrime, as the card details may be compromised and misused.
However, storing credit or debit card details on merchant platforms such as Amazon, Flipkart, Zomato, etc., made it convenient for customers to carry out online purchases as they did not need to enter their complete card details every time they wanted to make a purchase.
What is CoF Tokenisation all about
According to the RBI, tokenisation refers to the replacement of actual credit and debit card details with an alternate code called the ‘token’, which shall be unique for a combination of card, token requestor (i.e., the entity which accepts the request from the customer for tokenisation of a card and passes it on to the card network, such as Visa, Mastercard or RuPay, to issue a corresponding token) and device (which can be the customer’s phone or computer). This encrypted digital token also consists of 16 digits, just like the numbers on most credit or debit cards. Once generated, the tokenised card details will be used in place of an actual card number for online transactions initiated by the cardholder. Customers do not have to pay for the service of tokenising their cards. Tokens can be used for online transactions, mobile point-of-sale transactions, or in-app transactions.
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant while the transaction is being processed.
However, tokenisation of a card is not mandatory for a customer, as one can choose whether or not to have one’s card tokenised. Customers who choose not to opt for the tokenisation facility will have to enter their name, 16-digit card number, expiry date of the card, and CVV each time they make a purchase online.
How Tokenisation will work
The cardholder can get a credit or debit card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device. The token issued will be a proxy for the card number and will be sent by the card network back to the merchant. The customer need not pay any charges for availing of this service. From then on, each time the person wants to make an online transaction, the payment will be processed using the token. To take an example, if a credit or debit card is used for making payment for a transaction at an e-commerce platform or at a point of sale (POS) machine, the credit or debit card number is transferred to the tokenisation system, which generates a random 16-digit string (called a token) to replace the original credit or debit card details. The system then returns the newly generated 16-digit token to the e-commerce platform to replace the customer’s credit or debit card number in the system.
All merchants and e-commerce firms will have to delete all the details of their customers’ saved cards from their servers and adopt card-on-file tokenisation as an alternative to card storage. The requirement applies to domestic online purchases. All merchants will need to use encrypted tokens for online transactions, and this is to be achieved through tokenisation.
The RBI will, thus, ensure that sensitive details such as card numbers are wiped off merchant sites and replaced by random numbers. Once cards are tokenised, card data would remain only in the records of banks and the card companies.
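The flow described above can be sketched in a few lines of Python. This is an added illustration, not code from the RBI or any card network: the TokenVault class, the requestor and device names, and the rule that a token is honoured only for the requestor and device it was issued to are assumptions made for the example, and the card number is a constructed sample.

```python
import secrets

class TokenVault:
    """Toy stand-in for the card network's token service (hypothetical, simplified)."""

    def __init__(self):
        self._by_binding = {}   # (card number, requestor, device) -> token
        self._by_token = {}     # token -> (card number, requestor, device)

    def provision(self, pan, requestor_id, device_id):
        """Issue one token per card + token requestor + device combination."""
        if not (pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit card number")
        binding = (pan, requestor_id, device_id)
        if binding in self._by_binding:          # same combination -> same token
            return self._by_binding[binding]
        while True:
            # 16 random digits: the token is not derived from the card number.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._by_token:
                break
        self._by_binding[binding] = token
        self._by_token[token] = binding
        return token

    def detokenise(self, token, requestor_id, device_id):
        """Resolve a token to the card number, only for the binding it was issued to."""
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (requestor_id, device_id):
            raise PermissionError("token not valid for this requestor/device")
        return binding[0]

def demo():
    vault = TokenVault()
    pan = "4111111111111111"                      # constructed sample card number
    t_shop = vault.provision(pan, "shop-a", "phone-1")
    t_other = vault.provision(pan, "shop-b", "phone-1")
    merchant_db = {"customer-42": {"card_token": t_shop}}   # merchant keeps only the token
    # A token copied out of shop-a's records is rejected when presented as shop-b.
    try:
        vault.detokenise(t_shop, "shop-b", "phone-1")
        stolen_usable = True
    except PermissionError:
        stolen_usable = False
    return pan, t_shop, t_other, merchant_db, stolen_usable, vault

if __name__ == "__main__":
    print(demo()[:5])
```

The merchant's record holds nothing but the token, while the mapping back to the card number exists only inside the vault, which plays the role of the banks and card companies.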
Impact of Tokenisation Initiative
According to industry experts, tokenisation does not alter the payment process or customer experience directly but just adds another layer of security to the transactions undertaken. By ensuring that an individual’s card details remain protected while they transact, tokenisation nullifies all the risks associated with the vulnerability of personal data to fraud. In essence, tokenisation would not only strengthen but also protect the Indian digital payment sector. It would seek to provide an affirmation to customers that their online transactions are protected since their sensitive details are replaced with a code that is unique. It will provide the user with a secure and convenient payment experience.
It is to be noted that tokenisation would not affect the way one does an online transaction. One’s risks get reduced when one shares the details of one’s debit or credit card in the form of a token.
According to SBI chairman Dinesh Khara, the new mandate involves integration of the systems between banks and merchants. On a cautionary note, if online players and merchants are not able to implement the necessary changes at their backend, an estimated five million customers who have stored their card details for online transactions on various platforms could be impacted. Also, lack of readiness on the part of digital payment firms and merchant bodies to comply with the new mandate could cause major disruptions and loss of revenue, especially for merchants. This could also reverse consumer habits towards cash-based payments.
Way Forward
While the tokenisation initiative by the RBI is primarily driven by the intent to protect consumer interest, the challenge on the ground pertains to smooth implementation. The central bank has put the guidelines in place to ensure that consumers’ money is safe, but it should also ensure that the transition to the new regime is smooth.
According to the CII, for the implementation of the tokenisation initiative to be seamless and non-disruptive, the following three steps have to be completed:
Token provisioning: The consumer’s card number should be easily convertible into a token. That would require the card network (i.e., Visa, Mastercard, RuPay, etc.), bank, processor and merchant of the customer to be ready with the relevant infrastructure in place.
Token processing: Based on the token provisioned in lieu of the credit or debit card, consumers should be able to complete their transactions successfully using the token.
Scale-up for multiple use cases: The consumer should also be able to use the token for actions such as refunds, EMIs, recurring payments, offers, promotions, guest checkouts, etc. The back-end infrastructure should be able to successfully manage all of this.
© Spectrum Books Pvt Ltd.