Card tokenization: What it means, and why you should care
With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data
With the RBI issuing a final circular making card (CC/DC) tokenization mandatory from January 1, 2022, many are wondering why and how card tokenization is going to help. For starters, tokenisation will alleviate security concerns in online transactions. But, tokenisation may also deter cardholders from making low-value online card payments in near term. Here is a detailed look.
What is card tokenization
Card tokenization is a process of substituting sensitive customer data (such as card number, CVV, etc.) with an algorithmically generated token (encrypted) by a token service provider, which could be the card issuer or payment networks. The token flows through the payment system in a secured way without disclosing the customer details or allowing the payment intermediaries (merchants, payment aggregators) to store customer data. This is mainly to ensure customer data safety/security and curb rising instances of fraud/hacks. Any previously stored data (card-on-file) by merchants/payment gateways will have to be erased.
Tokenization as a security enhancement measure is used in many countries, including North America, Asia and selectively in India also. HDFC Bank, ICICI Bank and SBI Cards already have the card tokenization system in place for online transactions, while few players have device-based tokenization (SBI Cards with Samsung) for contactless NFC payments. Instead of creating/using own token generating engine, using the payment networks’ (Visa/Mastercard) engine will be far more cost-efficient and technologically advanced and will have merchant acceptability.
With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged, as per RBI.
For transaction tracking and / or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards.
Besides, the Reserve Bank of India (RBI) has announced two enhancements to the extant framework on card tokenisation services:
1. The device-based tokenisation framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well, and
2. Card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs). The tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA).
The above enhancements are expected to reinforce the safety and security of card data while continuing the convenience in card transactions, RBI says.
Citing the convenience and comfort factor for users while undertaking card transactions online, many entities involved in the card payment transaction chain store actual card details [also known as Card-on-File (CoF)].
In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised / leaked. Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques.
Reserve Bank had, therefore, stipulated in March 2020 that authorised payment aggregators and the merchants onboarded by them should not store actual card data. This would minimise vulnerable points in the system. On a request from the industry, the deadline was extended to end-December 2021, as a one-time measure. RBI has been in regular consultation with the industry to facilitate the transition.
It may be noted that introduction of CoFT, while improving customer data security, will offer customers the same degree of convenience as now. Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts of Reserve Bank to deepen digital payments in India and make such payments safe and efficient shall continue.
Based on the interactions conducted, Emkay Global Financial Services is of the view that the card tokenization will be a near-term irritant but long-term positive. It will alleviate security concerns for online transactions, may deter cardholders from making low-value online card payments.
Card tokenization is mainly for online transactions, for which, effective January 1, 2022, customers will have to key-in the card number for the first time (as the stored number will be erased) and complete the transaction via a two-factor authentication. At the back-end, a token would be generated by the merchant with the card issuer/network partner, based on which the transaction will be completed, according to Emkay.
Next time the customer will see the card payment option with the last four digits of the card and the payment will be completed smoothly as used to happen earlier. However, operational details are still not out, including validity, number of tokens per merchant, refreshment rate, etc.
Emkay Global believes that the mandatory tokenization of cards and resultant customer inconvenience in the initial phase may deter cardholders from making low-value online card payments and may push them to other payment modes such as UPI and wallets. However, it would alleviate security concerns in online transactions; thus, it will be a long-term positive for the card industry. That said, card companies will have to engage and educate customers while ensuring a smooth tokenization process to protect their share in the payments business.
As per industry reports, the digital payment/lending space is likely to expand (digital payments to reach USD95tn by FY25E from USD30tn and gross merchandise value of ‘buy-now-pay-later’ to reach USD45-50bn from USD3-3.5bn), thereby providing enough space for all the players to grow. However, regulatory (RBI, NPCI & so on) support and oversight will also be required for orderly growth of the payment/lending space. Thus, the participants (for e.g. card companies) will have to be adaptive and innovative to grow and generate/sustain profitability in the long run.