With the card tokenisation deadline of September 30, 2022 – set by the Reserve Bank of India (RBI) – about to end, you may face inconvenience due to discontinuation of the existing mandates.
As a result, all your standing instructions involving a debit card or credit card will stand cancelled from October 1, 2022, unless you visit the respective sites and follow the tokenisation process to re-register your mandates.
“Tokenisation is essential to protect cardholders from the risk of the card data being leaked out from the merchant’s database. Merchants are now mandated to use card tokenisation instead of carrying the entire card information in their database. If merchants do not adhere to the card tokenisation, they will be forced to obtain the card information from the customer each time they use the merchant portal. This will cause inconvenience to the customer and may lead to lost customers for the merchants,” said Balaji Jagannathan, Co-founder and Director, Paycorp.io.
Although mandates for recurring payments like SIP (Systematic Investment Plan), EMI (Equated Monthly Instalment), etc are mostly given directly from bank accounts, there are also provisions of using debit cards for the same, which would get hampered if tokenisation is not done.
“In case of repeated transactions such as SIPs, if tokenisation is not complied with, merchants will have to approach the payer for card information, each time the payment becomes due. The SIP investment providers may start losing customers due to friction in payments,” said Jagannathan.
Is tokenisation must?
“The RBI has made card tokenisation mandatory in view of security concerns that arise during purchases with a merchant, since the saved card details can be hacked and leaked from the merchant’s website. Anyone can generate a token for a transaction with a merchant by selecting card options as payment method and opting for ‘secure your card as per RBI guidelines’. Once the customer enters the OTP received on his device on the bank page, the card details are processed for token generation as well as transaction authorisation. The merchant stores the token against the customer’s mobile number / email instead of the card details. Next time when they visit the same merchant, the last four digits of the saved card are shown to help them recognise the card for doing the payment,” said Pramod Kathuria, Founder & CEO, Easiloan.
“This has advantages for all stakeholders in the ecosystem since every time the customer wants to make a transaction, they won’t have to punch their card details and also reduces concerns over security of details owing to exposure to third party websites. Overall, it facilitates speedy and secure transactions,” he added.
How will it help customers transact securely?
“As per RBI guidelines, with effect from 1st of October, 2022, neither businesses nor payment aggregators can save customer card details on their platforms. The card details can only be saved by the card networks or issuing banks. Tokenisation replaces sensitive card information like card number, card expiry with a cryptographically generated random string, referred to as the card token. Once a card is tokenised, the generated card token can be used for processing payments as a substitute to card details, thus eliminating risk of loss of sensitive card information while making card payments,” said Akash Sinha, CEO & Co-Founder, Cashfree Payments.
“In the new card tokenisation scenario, customers would be minimally impacted. They will be required to enter their card details the first time for issuance of a token. Thereafter, the merchant will trigger the tokenisation process at no cost or effort to the customer. Although, like with every new development, there may be few initial teething issues that customers may face, in the long run this process will go far in ensuring that their personal sensitive data is protected and ecommerce transactions as a whole are made safer,” he added.
What are the benefits of card tokenisation?
“Recent RBI reports state that cyber security threats and payments frauds are at an all-time high with more than Rs 1.38 trillion worth of bank frauds in FY2021. With the rise of such threats and fraud, tokenisation provides higher payment security as it restricts the storage of sensitive card data, making the payment ecosystem more robust and secure. It further decreases merchant liability as the merchant no longer has to stay compliant with various regulations related to card storage,” said Sinha.
“As sensitive card data is replaced by a cryptographically generated random string, which we refer to as the card token, it eliminates the issue of data breach due to server hacking. This substantially reduces the chances of cyber-attacks,” he added.
“Finally and most importantly, it makes it easier for customers to make online transactions as tokenisation speeds up online payment processing. In the absence of a card, the token helps the customer complete their transaction, making the process even simpler than before. Further, in case customers lose their credit cards, a token for online payment can be re-issued absolutely free of cost without changing the PAN. So, essentially, the customer gets an additional layer of security without any fee,” Sinha further said.