As per the tokenisation directives of the RBI, merchants and payment aggregators need to delete credit and debit card details and replace them with tokens. The apex bank had recently announced the extension of the deadline for tokenisation to September 30, 2022.
Tokenisation will make transactions on your debit and credit cards safer and more convenient. It will also protect your card details from online fraudsters and enhance cardholders’ experience when they transact online.
Unsafe online practices prompted the central bank to devise new rules to protect consumers. Credit card data such as the card number, CVV and expiry date is often stored in merchants’ databases for ease of payment. But storing this data is fraught with security risks. In the past, the data stored on some websites has been breached and leaked into the public domain. Once that happens, cards may be fraudulently used, and their owners may suffer financial losses. Hence the apex bank issued directives that no entity except card issuers or networks will be allowed to store debit or credit card details. Data already stored needs to be removed.
If all these new directives have confused you about how to tokenise your debit and credit cards, here are six steps you can follow to generate tokens.
Step 1. Visit any e-commerce/merchant website or mobile app to purchase something and start a payment transaction.
Step 2. During check-out, enter details of your debit or credit card. Alternatively, select your preferred bank’s card saved earlier as a payment method and enter other details.
Step 3. Select the option “secure your card as per RBI guidelines” or “tokenise your card as per RBI guidelines”.
Step 4. Give consent to create a token. Enter the OTP sent to your mobile phone or email by your bank, and complete the transaction. Generate token.
Step 5. Your token has been generated and saved instead of the actual details of your card.
Step 6. When you visit the same website or application again, the last four digits of your saved card are displayed to help you identify your card when making the payment.
Commenting on the same, Murari Sridharan, Chief Technology Officer, BankBazaar.com, explains, “As there is no card data being saved anywhere except by the card network and issuer, chances of card data being lost or stolen are reduced. You can also view the list of merchants with whom you have registered a token and de-register any such token in future via your issuer’s app or internet banking. Suppose you do not intend to shop on a site later or do not wish for a recurring payment associated with your account to be renewed. In that case, you can delete the associated token. If your card is renewed or replaced, you will have to explicitly consent to link it with the merchants with whom you registered the card earlier. All this adds up to additional security.”
The card issuer will ensure customers can easily report the loss of an identified device or any other event that may expose their tokens to unauthorised usage. The card network will put in place a system to immediately de-activate such tokens and associated keys in case of their exposure to unauthorised usage.
According to the RBI, card issuers will ensure an easy way for customers to report the loss of an identified device or any other event that may expose tokens to unauthorised usage.