Update: The Reserve Bank of India (RBI) has deferred the implementation of mandatory tokenisation of card transactions to July 1 after the industry sought more time to comply with the latest data safety rules. The tokenisation was to kick in from January 1, 2022.
The country's central bank, the RBI (Reserve Bank of India), with a view to ensuring security and reducing fraud from the card-based online payment ecosystem, has disallowed merchants from saving card information on their system. Instead, the RBI has mandated the use of 'encrypted tokens' to carry out the transactions. The new rules come into effect from January 1, 2022.
Tokenisation will ensure that the transaction takes place without the cardholder’s account information being disclosed to either the merchant or any of the intermediaries.
It is not a change that has come about overnight. RBI first issued guidelines in March 2020 barring merchants from saving card information on their system. It reiterated the same in September 2021 and gave establishments time till December 31, 2021 to comply with the new rules, and also offered them the option to tokenise.
- Is India set to ban cryptocurrencies? It's a bit unclear for now
- Teenage hacker used SIM-swapping to steal millions in cryptocurrency
Tokenisation: This is how it will work
So what is this tokenisation? In RBI's own words, "tokenisation refers to replacement of actual card details with an alternate code called the token." This will be unique for a combination of card and the merchant.
RBI is moving towards this as a tokenised card transaction is considered safer. The thing is the actual card details are not shared with the merchant during the processing of the transaction.
The process of tokensiation is simple:
You buy an item and at the time of payment you have to give your consent for tokenisation of your debit or credit card. (It is worth mentioning that you can choose, if you wish, to not let your card tokenised.)
Upon your approval, the merchant sends a tokenisation request to the card network, which will create a 16-digit token for the particular card number and send it back to the merchant.
Once created, the tokenised card details will be used in place of an actual card number for your online purchases. Of course, you have to approve the transaction with OPT and CVV number. Once created, you can use the same token for the same card with the same merchant any number of time.
But you have to create new tokens for different merchants, and also if you happen to use a different card.
For the record, the UPI (Unified Payments Interface) already uses tokenisation to secure transactions.
Tokenisation is not mandatory
As we said, you can opt out of tokenisation and instead choose to go through providing details of your card for each and every single transaction (as merchants are precluded from saving the details).
Also, the new guidelines don't apply to international transactions. As of now, only Visa and Mastercard-backed cards can be tokenised on leading e-commerce platforms.
A section of the merchants have welcomed the new rule, while another group has not taken kindly to it. The latter section feels the tokensiation route is a hassle.
There is already a considerable groundswell of opinion against the RBI's mandate on recurring payments that came into effect from October. According to it, if you make use of recurring transactions using debit/credit cards and UPI, then you must undertake a one-time additional factor authentication for smooth auto-debit transactions. Or else, you have to authorise payment every month.
Want to know about the latest happenings in tech? Follow TechRadar India on Twitter, Facebook and Instagram
