RBI card tokenisation scheme Flashcards
Why in News?
The Reserve Bank of India (RBI) guidelines, which come into effect from October 1, will prevent online platforms and payment gateways from saving any credit card details in their absolute form.
The Reserve Bank of India (RBI) had extended the timeline for tokenisation of debit and credit cards by three months till 30th September, 2022 to avoid disruption and inconvenience to cardholders after previously extending it from December 2021 to June 2022.
After 30th September, no entity in the card transaction or payment chain, other than the card issuers and card networks, should store the CoF (Card-on-File data or storage of actual card data) and any such data stored previously will be done away with.
What is Tokenisation and Card-on-File?
Tokenisation: It refers to the replacement of actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device.
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online.
As of now, about 19.5 crore tokens have been created. Opting for CoFT (creating tokens) is voluntary for the cardholders.
Card-on-File: A CoF transaction is a transaction where a cardholder has authorised a merchant to store the cardholder’s Mastercard or Visa payment details.
The cardholder then authorises that same merchant to bill the cardholder’s stored Mastercard or Visa account.
E-commerce companies and airlines and supermarket chains normally store card details in their system.
Why is Tokenisation of Cards Required?
Many entities involved in an online card transaction chain store card data like card number and expiry date — Card-on-File (CoF) for undertaking transactions in future. While this practice does render convenience, availability of card details with multiple entities increases the risk of card data being stolen or misused.
There have been instances where such data stored by merchants have been compromised.
Because many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data.
In addition to tokenisation, industry stakeholders may devise alternate mechanisms to handle any use case, including recurring e-mandates and EMI option or post-transaction activity, including chargeback handling, dispute resolution, reward or loyalty programme, that currently involves storage of CoF data by entities other than card issuers and card networks.
How far along are we in the tokenisation journey?
The journey will be long, because of the volume of cards in play. According to RBI numbers for August, there are more than 7.8 crore active credit cards in India. Credit card based online shopping for the month stood at ₹67,414 crore, while spending in physical stores and at point-of-sale terminals was ₹44,943 crore.
Mind you, this is not a mandatory process. If a customer chooses to not have their card tokenised on any platform for making payments, they can still make payments by entering the 16-digit card number as well as card expiry date and CVV number along with the two-factor authentication code (this will be the OTP the bank sends you).
Online payment platforms
“With Token Hub we are working towards Government’s Digital India vision as we believe this regulation will boost the digital payments ecosystem by making online transactions safer from cyber frauds and thefts,” says Manas Mishra, Chief Product Officer, PayU, a digital payments platform.
PayU says they have tokenized more than 50 million card details. They also point out that the success rate for transactions made with tokenised cards, compared with those that aren’t, is as much as 7% more.
Online payments platform PhonePe confirms that 14 million credit and debit cards in use on the platform have been tokenized. The company had integrated the tokenisation option within the checkout flow in December last year, for Visa, Mastercard and RuPay cards. Paytm, which is continuing to build on its superapp aspirations, says 52.3 million cards issued on the same three networks have been tokenized on the platform.
Paytm’s observations about transaction success rates and the relation to tokenisation are similar to PayU’s. “This brings with it faster checkouts, as well as success rates that are at par or higher compared to saved cards,” a Paytm spokesperson said.
Shielding your payment tools from being breached
The policy was first introduced by the RBI in January 2019 and has since seen multiple inclusions within the scope. One of these is the expansion of tokenisation availability from just mobile devices, to include laptops, desktops, wearables such as smartwatches and Internet of Things (IoT) devices such as smart displays.
Till now, the way you made payments across the width of the internet was to punch in your credit or debit card details (or select them from a pre-saved list, if you’d been there before), enter the CVV and the one-time password (OTP) shared by the bank, and complete the payment.
Methods being deployed
HDFC Bank, for instance, has created a separate website, the link for which is shared every time a new token is created (best would be to bookmark this URL). This, instead of integrating the same functionality within the HDFC MyCards application for smartphones.
SBI, on its part, wants the user to call customer care to have a token deleted. “You can delete tokens by directly going to the merchant’s website/app and deleting the card associated with the token from your payment preferences. Alternatively, you can also call SBI Card’s helpline to request for deletion,” they say.
Standard Chartered seems to be following a similar method. “Card holders can place request for delete, suspend, resume of tokens through the contact centre team,” their guidelines suggest.