Technology for MSMEs: Card tokenisation forayed into India with Samsung's launch of its Samsung Pay service, which had tokenisation as one of its security layers, back in March 2017 for its device customers to make payments at PoS terminals.
Technology for MSMEs: As India’s digital payments ecosystem continues to advance in technology from cards to the internet and mobile banking to wallets, UPI, point-of-sale (PoS), and now tokenisation of online card transactions; merchants or retailers — a majority of which are MSMEs — have been central to this evolution. Before explaining how would tokenisation benefit merchants, let’s understand tokenisation as a concept.
For the uninitiated, tokenisation is simply about replacing card details of a customer with an alternate code known as token unique for every card, token requestor — entity such as merchant accepting customer request for tokenisation and sharing it with the respective card networks like Visa, MasterCard, Rupay, etc., to issue the token.
How does it work? Card networks have banks and customers on the issuing side and banks and payment gateways or aggregators like CCAvenue or BillDesk on the acquiring side. Acquiring side works with merchants and retailers. When payment gateways or banks on the acquiring side want to process a transaction, they send it to the card network. The network then checks with the bank on the issuing side for the credit availability in the customer’s account for debiting it and transferring the money to the acquiring side. This end-to-end transaction usually takes less than a second.
Here, tokenisation request is initiated by the cardholder on, let’s say the app of the token requestor or merchant who then sends the request to the card network. The network issues the token after the bank or card issuer’s consent. The Reserve Bank of India (RBI) had earlier restricted tokenisation to mobile phones and tablets but expanded it in August this year to laptops, desktops, wearables Internet of Things (IoT) devices, and more.
In September, RBI had extended the scope of tokenisation from device-based to customer’s card credentials, also known as Card-on-File (CoF) tokenisation service. The central bank had also allowed card issuers or banks to offer tokenisation services with explicit customer consent requiring Additional Factor of Authentication (AFA). Earlier only card networks were allowed.
The reason for the two enhancements cited by the RBI was the risk to the safety of card data. “Many entities involved in the card payment transaction chain store actual card details. In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised/leaked.”
With respect to merchants’ benefits from tokenisation, according to experts, it creates a level playing field. “With the advent of tokenization, user experience is enhanced and common for all. It creates a level playing field for all players. While large players can invest and create an IT infrastructure to process the card data, tokenisation largely helps small merchants and MSMEs as they will not be denied the superior experience just because of non-affordability. Tokenisation will help in enhancing their consumer confidence in digital payments,” Ramesh Narasimhan, Head of Digital Commerce — India at global digital payments infrastructure company Worldline told Financial Express Online.
Razorpay, NPCI, PayU, Infibeam, PhonePe, Cashfree Payments are among the companies that have launched their tokenisation platforms so far. Visa had last month launched India’s first CoF tokenisation service.
RBI had also said that from January 1, 2022, onwards, no entity in the card transaction or payment chain space other than card issuers and or card networks will store card data while any previously stored data stored will be purged. “Merchants need to make minor adjustments in their payment gateway integration. That’s the only change in tokenisation for them. They have to not store any cards going forward. I don’t see any visible benefit for merchants here,” Reeju Datta, Co-founder, Cashfree Payments told Financial Express Online. However, for tracking transactions and reconciliation purposes, entities can save only the last four digits of the card number and card issuer’s name.
“Tokenisation will help merchants from a data security perspective as you are not storing any customer card data and instead it is a randomised encrypted number. Moreover, if customers have entered incorrect card details, then if there is a token, it can be referred easily rather than asking for card details all the time to save and process CoF transactions,” Mihir Gandhi Partner and Leader, Payments Transformation, PwC India told Financial Express Online.
With lesser chances of incorrect card detail entries, tokenisation also allows for greater convenience in reducing cart abandonment rate and churn especially in the case of merchants seeing high repeat payments.
“Tokenisation will help merchants a lot. The way Samsung Pay or Apple Pay uses tokenisation to protect data and process payments, which are highly secure and fast, now local merchants would be able to get the same experience. This will also bridge the high trust deficit among customers since many small merchants, who were storing card data, were hacked. This had also burdened issuing banks for replacing cards, filing those frauds, etc.,” Vishwas Patel, Chairman, Payments Council of India (PCI) and Executive Director, Infibeam Avenues told Financial Express Online.
Infibeam’s digital payments platform CCAvenue had introduced TokenPay earlier this month to help merchants comply with RBI’s data security norms. The tokenisation solution works across MasterCard, Visa, and Rupay. “We are already at a $50 billion run rate and added nearly 1 million merchants in the last 90 days,” added Patel.
Card tokenisation forayed into India with Samsung’s launch of its Samsung Pay service, which had tokenisation as one of its security layers, back in March 2017 for its device customers to make payments at PoS terminals. As others players looked at entering the space, RBI came out with a circular nearly two years later – in January 2019 with the rules for card tokenisation to improve payments security in India.
Tokenisation also benefits merchants with a better customer experience. For instance, repeat customers coming to the merchant’s portal can simply use their CoF or access one-click checkout directly and won’t have to enter their payment details again.
“Tokenisation can help facilitate a ‘one-click checkout payment experience. Its use cases extend to different business models, including recurring payments, offers, rewards, EMIs, etc. Token systems can simplify Payment Card Industry Data Security Standard (PCI DSS) compliance for merchants as it eliminates the need to store actual card data,” Swaroop Kulkarni, Senior Director of Product, PayU told Financial Express Online.
PayU had last month launches its tokenisation solution PayU Token Hub to offer both network tokens and issuer tokens under a single hub. The solution has been developed as an interoperable plug-n-play solution to enable CoF and device tokenization using a single integration point and is available to all of its 3.5 lakh merchants and 65 issuers. “It will help merchants formulate a holistic omnichannel payments strategy, as it will be extended to device tokenization as well to offer seamless offline and online transactions,” added Kulkarni.
However, merchants will need to make a one-time effort to deploy tokenisation for their customers, which Visa is supporting. “This is a complex task and different players are at varying stages of readiness. There is no change in the processes of chargebacks, disputes, etc., during the migration phase or post implementation,” Shailesh Paul – Head, Merchant Sales & Acquiring and CyberSource, India and South Asia, Visa told Financial Express Online.
According to RBI, the registration for tokenisation requests cannot be done by way of a forced, default, or automatic selection of check box, radio button, etc. Customers would be given the choice of selecting the use case and setting-up of limits. They would also have the option to set and modify per transaction and daily transaction limits for tokenised transactions. Moreover, requests for tokenisation can be for any number of cards.