In order to protect debit and credit card users from fraud, the Reserve Bank of India (RBI) is encouraging cardholders to tokenise their cards. Tokenisation replaces the actual card details with an alternate code (the token) that is specific to the card and the online merchant, adding a layer of security to every online transaction.
At present, card details such as the card number and expiry date are stored by the merchants involved in an online transaction, or in cloud systems, as card-on-file (CoF) data; the stated justification is cardholder convenience when making repeat transactions. Such storage, however, increases the risk of the card data being misused. Many jurisdictions also do not mandate an additional factor of authentication, so stolen card data can be used directly for unauthorised transactions.
The RBI had mandated that after December 31, 2021, entities other than card networks and card issuers cannot store card data. The deadline was extended to June 30, 2022, and then further to September 30, 2022.
How to tokenise
To create a token, the cardholder has to complete a one-time registration for each card at every online merchant's website or mobile application by entering the card details and giving consent for creating a token. The consent is validated through an additional factor of authentication, and only then is the token created. The token is specific to the card and the online merchant; the same token cannot be used at another online merchant. A card can be tokenised at any number of online merchants, and a separate token is created for each of them.
Once the token for a specific online merchant is created, the cardholder can identify the card by its last four digits during the checkout process. The cardholder does not have to remember or enter the token for future transactions. Tokenisation is free of charge.
Opting for CoF tokenisation is voluntary for cardholders; those who do not wish to create a token can transact by entering card details manually at checkout.
For transaction tracking and / or reconciliation purposes, entities can store limited data—the last four digits of the actual card number and the card issuer's name—in compliance with the applicable standards.
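The registration, checkout and data-retention rules above can be seen end to end in a small simulation. The following is an added illustration, not RBI text and not any card network's actual tokenisation implementation: a token vault stands in for the token service provider, tokens are random values bound to one card and one merchant, the merchant keeps only the token, the last four digits and the issuer name, and reporting a lost "identified device" deactivates every token for that card. The card number, merchant identifiers and issuer name are constructed sample values.

```python
import secrets
import hmac
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """Vault entry: the real card data plus the merchant the token is bound to."""
    pan: str
    expiry: str
    merchant_id: str
    active: bool = True


class TokenVault:
    """Stands in for the token service provider (card network / issuer side).
    Merchants never read this store; they only hold the opaque token."""

    def __init__(self):
        self._tokens = {}        # token -> TokenRecord
        self._consents = set()   # (pan, merchant_id) pairs validated via AFA

    def record_consent(self, pan, merchant_id, afa_passed):
        """Consent counts only once the additional factor of authentication succeeds."""
        if not afa_passed:
            raise PermissionError("additional factor of authentication failed")
        self._consents.add((pan, merchant_id))

    def issue_token(self, pan, expiry, merchant_id):
        """Create a token bound to this card *and* this merchant."""
        if (pan, merchant_id) not in self._consents:
            raise PermissionError("no validated consent for this card/merchant pair")
        token = "tkn_" + secrets.token_hex(8)  # random; reveals nothing about the PAN
        self._tokens[token] = TokenRecord(pan, expiry, merchant_id)
        return token

    def detokenise(self, token, merchant_id):
        """Resolve a token for a payment; refuse if it belongs to another merchant."""
        rec = self._tokens.get(token)
        if rec is None or not rec.active:
            raise LookupError("unknown or deactivated token")
        if not hmac.compare_digest(rec.merchant_id, merchant_id):
            raise PermissionError("token is bound to a different merchant")
        return rec

    def deactivate_card(self, pan):
        """Loss of the identified device: kill every token minted for that card."""
        count = 0
        for rec in self._tokens.values():
            if rec.pan == pan and rec.active:
                rec.active = False
                count += 1
        return count


def merchant_card_on_file(token, pan, issuer_name):
    """The only data the merchant keeps: token, last four digits, issuer name."""
    return {"token": token, "last4": pan[-4:], "issuer": issuer_name}


def demo():
    """Registration at two merchants, checkout, cross-merchant misuse, device loss."""
    vault = TokenVault()
    pan, expiry = "4111111111111111", "12/27"  # constructed sample card, not a real account

    # One-time registration at merchant A and at merchant B, each validated by AFA
    vault.record_consent(pan, "merchant-A", afa_passed=True)
    tok_a = vault.issue_token(pan, expiry, "merchant-A")
    vault.record_consent(pan, "merchant-B", afa_passed=True)
    tok_b = vault.issue_token(pan, expiry, "merchant-B")
    cof_a = merchant_card_on_file(tok_a, pan, "Sample Bank")

    # Checkout at merchant A: the stored token resolves to the card
    checkout_ok = vault.detokenise(cof_a["token"], "merchant-A").pan == pan

    # A token copied from merchant A's systems is useless at merchant B
    try:
        vault.detokenise(tok_a, "merchant-B")
        cross_merchant_blocked = False
    except PermissionError:
        cross_merchant_blocked = True

    # Device reported lost: all tokens for the card stop working
    killed = vault.deactivate_card(pan)
    try:
        vault.detokenise(tok_b, "merchant-B")
        after_loss_blocked = False
    except LookupError:
        after_loss_blocked = True

    return {
        "tokens_differ": tok_a != tok_b,
        "merchant_stores_full_pan": pan in cof_a.values(),
        "checkout_ok": checkout_ok,
        "cross_merchant_blocked": cross_merchant_blocked,
        "tokens_deactivated": killed,
        "after_loss_blocked": after_loss_blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the simulation makes is that a merchant breach yields only tokens that are worthless elsewhere, and that the binding check happens at the token service rather than at the merchant, which is why card networks are asked to monitor the tokenisation process itself.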
Moreover, card issuers will have to ensure that customers can easily report the loss of an "identified device" or any other event that may expose tokens to unauthorised use.
A dispute resolution process for tokenised card transactions will have to be put in place by the card network.
Card networks will also have to monitor for any malfunction, anomaly, suspicious behaviour or unauthorised activity within the tokenisation process. Based on its risk perception, a card issuer may decide whether to allow the cards it issues to be registered by a token requestor.