Tokens and tokenization are terms that have come up often recently. The Reserve Bank of India (RBI) brought in CoF (card on file) tokenization guidelines that mandate replacing actual card data with encrypted digital tokens to facilitate and authenticate transactions.
Therefore, starting from January 1, 2022, the use of one’s credit or debit cards while shopping on any online platform such as Flipkart, Amazon, Myntra, Nykaa etc., will change. One will not have to save one’s 16-digit card number along with the card’s expiry date on the website. As per RBI’s new rules, the only convenient way to make repeated card payments will be through a process called ‘tokenisation.’
But what is CoF Tokenization?
Tokenization is a process that replaces sensitive information with a unique set of characters.
Shailesh Paul – Head, Merchant Sales, Acquiring and CyberSource, India and South Asia at Visa, says, “When applied to payments, tokenization essentially means that the 16-digit card number is replaced by a unique code or ‘token’ – useful for mobile or online transactions. This devaluation of sensitive data that tokenization facilitates helps to mitigate any risks of security breaches.”
In March 2020, the RBI said that payment aggregators and their onboarded merchants must not save the card details of users. Therefore, the RBI has allowed card issuers to offer card tokenization services as Token Service Providers (TSPs). This will be facilitated through consumer consent and will require an ‘Additional Factor of Authentication (AFA)’. With tokenization, the entities involved in the transaction do not have to retain the card’s details on either end, since the card is converted into a unique ‘token’ that facilitates the payment.
The deadline to align with this mandate is January 1, 2022. By then, any previously stored card data also needs to be deleted.
How will tokenization help consumers at large adopt digital payments?
Industry experts say tokenization does not affect the payment process or customer experience directly but adds another layer of security to the transactions. It ensures that an individual’s sensitive details remain with them while they transact, thereby nullifying all risks associated with the vulnerability of data.
Paul says, “Tokenization is a step further in addressing the need to not only strengthen but also protect the Indian Digital Payment sector. It is an affirmation to customers that their transactions are protected since their sensitive details are replaced with a code that is unique for a specific combination of card, token requestor and the merchant involved in the transaction.” This means that one’s details stay off the radar of scams and fraud. It provides the user with a secure and convenient payment experience.
Note that tokenization does not affect the way you transact. Everything that you do towards making a digital transaction will remain the same. The only addition is the protection that tokenization provides. Industry experts say it also eliminates the need for customers to update their existing card details upon expiry. Paul points out, “With CoF Tokenization, customers may consent to a merchant storing a token instead of a card number, which provides both security and convenience. Customers will not experience any change to the checkout or transaction experience.”
He further adds, “Customers who opt for tokenization can complete transactions without having to input their card details every time they make a transaction. Overall, it is a step up towards consumer convenience and preventing cases of fraud.”
Impact of the deadline of December 31, 2021
Experts say merchants are a crucial part of the transaction chain. “As tokenization comes about, they will have to make an effort to deploy tokenization for their customers. This is a complex task, requiring consent and co-operation from different players who are at varying levels of readiness. There is no change in the processes of chargebacks, disputes and the like, during the migration phase or post-implementation,” says Paul.
Having said that, the RBI has mandated tokenization for merchants, not customers. An individual will still be able to choose whether or not they want their cards to be tokenized. Should a customer choose not to tokenize their card, they will have to enter their full card details, CVV and other details every time they make an online or mobile transaction, which will make the process tedious and lengthy. This is because the RBI has also mandated that all card details that had been saved with merchants up until now have to be deleted.