As of September 30, 2022, the Reserve Bank of India (RBI) has mandated that all credit and debit card data used in online, point-of-sale, and in-app transactions be replaced with unique tokens. The additional layer of security provided by tokenisation is expected to improve users’ digital payment experiences.
The deadline has been extended several times in the last two years at the request of stakeholders, most recently by three months beginning in July, so that the industry can use the extra time to ensure that all stakeholders are ready to handle tokenized transactions.
On September 30, the RBI announced that approximately 35 crore cards had been tokenized and that the system was ready for the new regulations, which will take effect on October 1. According to data previously shared by the RBI, the number of tokenized cards has increased from 19.5 crore tokens created in June.
The extension was also granted to raise public awareness about the process of creating tokens and using them for transactions.
Many entities, including merchants, involved in an online card transaction chain currently store card data such as card number, expiry date, and so on [Card-on-File (CoF)], citing cardholder convenience and comfort for future transactions.
“Because many jurisdictions do not require an additional factor of authentication (AFA) for card transactions, stolen data in the hands of fraudsters may result in unauthorized transactions and monetary loss to cardholders.”
“Social engineering techniques can be used to perpetrate fraud using such data within India as well,” RBI previously stated.
What exactly is tokenization?
Tokenization, according to the RBI, is the replacement of actual card details with an alternate code known as the “token.”
Some of the most frequently asked questions about card tokenization are as follows:
What are the advantages of tokenization?
A tokenized card transaction is considered safer because the actual card details are not shared with the merchant during transaction processing.
How is tokenization accomplished?
The cardholder can have the card tokenized by making a request through the token requestor’s app. The token requestor will forward the request to the card network, which will issue a token corresponding to the combination of the card, the token requestor, and the device with the consent of the card issuer.
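The binding described above (one token per combination of card, token requestor and device, issued with the issuer's consent) can be sketched as follows. This is an added example, not RBI or card-network code. The class, the identifiers and the rule that a token is honoured only for the requestor and device it was issued to are assumptions made for illustration.

```python
import secrets

class CardNetworkVault:
    """Toy stand-in for a card network's token vault (hypothetical, for illustration)."""

    def __init__(self):
        self._token_for = {}    # (pan, requestor, device) -> token
        self._binding_for = {}  # token -> (pan, requestor, device)

    def tokenize(self, pan, requestor, device, issuer_consents):
        # The network issues a token only with the card issuer's consent.
        if not issuer_consents:
            raise PermissionError("card issuer did not consent")
        binding = (pan, requestor, device)
        if binding in self._token_for:          # assumption: one token per binding
            return self._token_for[binding]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._binding_for:
                break
        self._token_for[binding] = token
        self._binding_for[token] = binding
        return token

    def detokenize(self, token, requestor, device):
        # Only the network can map a token back to the card, and (assumption)
        # only for the requestor/device pair the token was issued to.
        binding = self._binding_for.get(token)
        if binding is None or binding[1:] != (requestor, device):
            return None
        return binding[0]


def demo():
    pan = "4111111111111111"  # constructed sample card number, not a real card
    vault = CardNetworkVault()
    t_a = vault.tokenize(pan, "merchant-app-A", "phone-1", issuer_consents=True)
    t_b = vault.tokenize(pan, "merchant-app-B", "phone-1", issuer_consents=True)
    return {
        "token_a": t_a,
        "token_b": t_b,
        "pan_for_a": vault.detokenize(t_a, "merchant-app-A", "phone-1"),
        "replayed_elsewhere": vault.detokenize(t_a, "merchant-app-B", "phone-1"),
    }

if __name__ == "__main__":
    print(demo())
```

A merchant that stores only its token holds nothing another requestor or device can use, which is the property that replaces Card-on-File storage.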
Who can perform tokenization?
Only authorised card networks can perform tokenization, and a list of authorised entities is available on the RBI website.
What are the use cases where tokenisation is permitted?
Tokenization has been enabled for all use cases/channels via mobile phones and tablets (e.g., contactless card transactions, payment through QR codes, apps, etc.).
Is card tokenization required for a customer?
No, a customer has the option of allowing his or her card to be tokenized. Those who do not want to create a token can continue to transact as before by entering card information manually during the transaction.