Background

The Reserve Bank of India (RBI) in March 2020 came up with new rules to enhance the security of online transactions made using debit and credit cards. The central bank believed that saving customer information is not the right thing as this can be misused by malicious elements. Hence, RBI advised that ‘no entity in the card transaction or payment chain, other than the card issuers and card networks, should store the actual card data, and any such data stored previously will be removed'.

The central bank came up with the concept of Tokens which can be used for online transactions, contactless transactions, QR codes, etc. The method was supposed to be effective from January 1, 2022, which was extended till July 1, 2022. Now, RBI has instructed to delete all previously stored data by October 1, 2022. RBI has granted the relaxation in order to facilitate a smooth transition to a different payment system.

What is Tokenisation?

What is a Token?

A Token is a piece of data that stands in for another, more valuable piece of information. Tokens have virtually no value on their own they are only useful because they represent something, such as credit / debit, account number, etc.

Before talking about tokenisation, let us discuss how transactions are being done on online platforms currently. Once a person does any online transaction, the e-commerce platform asks whether we wish to save card details; to avoid re-entering a 16-digit card number, we often save our card details, at least in frequently used e-commerce sites like Amazon, Big Basket, etc. It provides us with the comfort of just entering the CVV and OTP in succeeding transactions. RBI believes that online platforms saving card details create avenues for fraudsters to misuse customers’ information. Therefore, RBI came up with the concept of tokenisation.

Tokenisation is the process of converting original or actual data, such as debit / credit card number, into random numbers / characters called tokens, which acts as a pointer or identifier to original data. In the tokenisation process, we have a token vault, which acts as a database in which the relation between original data and tokens is stored using encryption.

Once tokenisation is implemented, customers can opt for tokenisation of their credit / debit cards. Their card details will be converted to unique tokens, and for every merchant, a different unique token will be generated. That means one will get one set token for, say, Amazon, an entirely different token for Big Basket and so on. None of the tokens generated for different merchants will be the same. These tokens can be saved for recurring payments or transactions as earlier done.

Tokenisation can be done on contactless card transactions and payment through QR codes, apps, etc. Tokenised transactions will be safer as actual card details are not shared with the merchant. The important point here is that if any fraudster / hacker gets access to these tokens, they will not be able to know the original data / information. The process of tokenisation will be performed by the authorised card network, which has to ensure that a proper mechanism should be in place so that actual data cannot be retrieved using tokens.
 
 
To read more, please subscribe.