Card Tokenisation – A simple guide


By CA Vijaykumar Puri ~ Partner, VPRP & Co LLP, Chartered Accountants

12/26/2021


There is a lot of buzz around “tokenisation” nowadays.

The word sounds complex but let us decode it in simple terms. A final verdict awaits you at the end.

The way we pay by credit or debit card on Amazon, Flipkart, Uber, Zomato etc. will not be the same anymore.

Current scenario

When we enter the card details for the first time, the website gives us an option to save the card details (Card number, name, expiry) for ease of future use.

Let’s face it, we all check that box for convenience. No one wants to enter the 16-digit card number and details again.

What is the need for change?

The card details are stored with the merchants and this leads to an issue – in case hackers steal your data (and data leaks are alarmingly increasing nowadays), your data is at risk.

Your money is not really at risk – the hackers cannot directly steal money from your cards since your CVV (Card Verification Value) is not stored in the data.

But even the details of your cards pose a privacy threat and can be misused in combination with other data.

Welcome to tokenization!

The Reserve Bank of India brought in CoF (card on file) tokenization guidelines that mandate replacing actual card data with encrypted digital tokens to facilitate and authenticate transactions.

Tokenisation is nothing but replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card and token requestor.

A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.

Now what?

You will no longer need to (or be allowed to) save the 16-digit card number and the card expiry date on the merchant website.

On the backend, the card’s CVV number will no longer be required for digital payments, making the entire system safe and secure.

If you choose not to opt for tokenisation, you will have to manually enter your card details every time you transact.

How does card tokenization work?

On the end-user front, nothing changes. Users need to enter their card details and opt for tokenization while making online transactions at the check-out window of the shopping portal.

However, merchants will now need to forward the token to respective banks or the card networks. A token is produced and sent back to the merchant, which then saves it for the end customer. As customers, we don’t have to remember the token, as the experience of making digital payments is not going to change for us.
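The flow above, together with the earlier point that a token is unique for a combination of card and token requestor, can be shown in a small model. This is an added example, not code from the article or from any card network: `TokenVault`, `Merchant`, the `tok_` prefix and the use of a random lookup token are assumptions made for illustration, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """Toy stand-in for the bank / card network side that issues tokens."""
    def __init__(self):
        self._by_pair = {}    # (card number, requestor) -> token
        self._by_token = {}   # token -> (card number, requestor)

    def tokenise(self, pan, requestor):
        key = (pan, requestor)
        if key not in self._by_pair:
            # Random value: it carries no card data and only the vault can map it back
            token = "tok_" + secrets.token_hex(8)
            self._by_pair[key] = token
            self._by_token[token] = key
        return self._by_pair[key]

    def authorise(self, token, requestor):
        """Return the real card number only to the requestor the token was issued for."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != requestor:
            return None
        return entry[0]

class Merchant:
    def __init__(self, name, vault):
        self.name, self.vault = name, vault
        self.saved = {}       # customer -> token; the card number is never kept

    def save_card(self, customer, pan):
        self.saved[customer] = self.vault.tokenise(pan, self.name)

    def pay(self, customer):
        return self.vault.authorise(self.saved[customer], self.name) is not None

def demo():
    vault = TokenVault()
    shop_a, shop_b = Merchant("shop-a", vault), Merchant("shop-b", vault)
    pan = "4111111111111111"              # constructed test card number
    shop_a.save_card("asha", pan)
    shop_b.save_card("asha", pan)
    leaked = shop_a.saved["asha"]         # all that a breach of shop-a's store exposes
    return {
        "tokens_differ": leaked != shop_b.saved["asha"],
        "card_number_in_leak": pan in leaked,
        "own_token_pays": shop_a.pay("asha"),
        "leaked_token_works_elsewhere": vault.authorise(leaked, "shop-b") is not None,
    }

if __name__ == "__main__":
    print(demo())
```

The same card yields a different token at each merchant, and a token taken from one merchant's store is refused when presented under another requestor's name.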

Is the tokenization service free?

Tokenization is absolutely free for users, who can tokenize any number of cards. However, only domestic cards fall under the current guidelines.

Tokenization is not applicable to international cards as of now.

How will it benefit users?

Customers need safety and security wherever they shop. At a time when digital fraud poses dangers throughout the economy, building trust with customers starts with keeping their payment and other personal information safe.

Tokenization shields businesses from the negative financial impact of data theft: even if there is a breach, the merchant would not hold important data that can be stolen.

Tokenization can't shield your business from a data breach, yet it can reduce the bad outcomes of any possible breach.

When will it come into effect?

This was initially slated to come into effect from 1 January 2022. However, the payment systems are not yet geared to accept tokens. Hence, the Reserve Bank of India has extended the date to 1 July 2022.

Final verdict

Whenever a new compliance is mandated, we fear a new headache.

But this is an exception to the rule.

Tokenization will only make it easier for end-users to transact online. No need to remember those CVVs.

No effort is needed from end users for tokenization, except that we need to do it the first time. Thereafter, the token will transact automatically.

As with any new rule, the effectiveness lies in its implementation.

We can hope that tokenization will be a smooth ride and make online transactions safer, faster and more reliable.

Thank you for reading!
