As per the Reserve Bank of India mandate effective October 1 2022, the actual card number, CVV, expiry date and any other sensitive information related to cards cannot be stored by merchants or payment aggregators/gateways for processing online transactions. Users need to get their credit/debit cards tokenised.
Tokenisation refers to the replacement of an actual credit/debit card number with an alternate code called the “Token”. Once created, these tokenised card details will be used in place of the actual card number for future online purchases initiated or instructed by the card holder. A tokenised card transaction is considered safer as the actual card details are not shared with or stored by the merchants to perform the transaction.
Is the Tokenisation guideline applicable for both credit and debit cards?
Yes. Starting October 1 2022, both debit and credit cards have to be tokenised. The customer need not pay any charges for availing the service of tokenising the card; it is absolutely free.
What are the benefits of tokenisation?
Actual card data, token and other relevant details are stored in a secure encrypted mode by the card issuing Bank and / or authorised card networks. Token requestor/merchants cannot store full card number or any other card detail.
How can the tokenisation be carried out?
Step 1: The card holder can get the card tokenised by initiating a request on any e-commerce website/app he wants to make the transaction on.
Step 2: The token website/app will forward the request directly to the Bank which issued the applicable credit card or to Visa/Mastercard/American Express, with the consent of the card issuing Bank.
Step 3: The party receiving the request from the token requestor will issue a token corresponding to the combination of the card, the token requestor, and the merchant. This means that once tokenised, the customer will see the last 4 digits of the card on the merchant page.
Will the card tokenisation need to be done at every merchant?
Yes. A token must be unique to the card at a specific merchant. If the customer intends to have a card on file at different merchants (e-commerce websites/apps), then tokens must be created at all the merchants. Also, the customer needs to get this process done for all the cards he/she holds. As mentioned earlier, a token is unique for a combination of card and merchant. A customer can request tokenisation of any number of cards with which he/she wants to perform a transaction.
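The issuance in Steps 1 to 3 and the per-merchant uniqueness described above can be modelled as follows. This is an added example, not code from any bank or card network; `IssuerVault`, `card_on_file`, the requestor and merchant names, the random 16-digit token format and the test card number are all assumptions made for illustration.

```python
import secrets


class IssuerVault:
    """Constructed stand-in for the card issuing bank or card network."""

    def __init__(self):
        self._token_for = {}    # (card number, requestor, merchant) -> token
        self._binding_of = {}   # token -> (card number, requestor, merchant)

    def tokenise(self, card_number, requestor, merchant):
        key = (card_number, requestor, merchant)
        if key in self._token_for:          # same combination, same token
            return self._token_for[key]
        while True:
            # Random digits: the token is not derived from the card number,
            # so it cannot be reversed without the vault's mapping.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._binding_of and token != card_number:
                break
        self._token_for[key] = token
        self._binding_of[token] = key
        return token

    def detokenise(self, token, requestor, merchant):
        card_number, bound_requestor, bound_merchant = self._binding_of[token]
        # A token is only honoured for the combination it was issued to.
        if (requestor, merchant) != (bound_requestor, bound_merchant):
            raise PermissionError("token presented outside its merchant binding")
        return card_number


def card_on_file(vault, card_number, requestor, merchant):
    """What the merchant keeps: the token and the last 4 digits for display."""
    token = vault.tokenise(card_number, requestor, merchant)
    return {"merchant": merchant, "token": token, "last4": card_number[-4:]}


if __name__ == "__main__":
    vault = IssuerVault()
    card = "4111111111111111"   # constructed test number, not a real card
    a = card_on_file(vault, card, "gateway-x", "shop-a")
    b = card_on_file(vault, card, "gateway-x", "shop-b")
    print(a, b, a["token"] != b["token"])
```

A token copied from one merchant's records is rejected when presented for another merchant, which is why a leak at one merchant does not expose the card elsewhere.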
How can users manage their tokenised cards?
The Bank will provide a portal to the card holders to view and manage the tokenised cards. Card holders can view/delete tokens for the respective cards through this portal. Customers can also call the Phone Banking service to place a request to manage tokenised cards.
Will tokenisation have any impact on the POS transactions that the card holder does at merchant outlets?
No. Tokenisation is only required for carrying out online transactions.
Who can perform tokenisation and de-tokenisation?
Tokenisation and de-tokenisation can be performed only by the card issuing Bank or by Visa/Mastercard/American Express, which are referred to as authorised card networks.
How does the process of registration for a tokenisation request work?
The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced/default/automatic selection of a check box, radio button, etc. Customers will also be given the choice of selecting the use case and setting up limits.