In a bid to enhance the security of transaction card data, RBI is emphasising tokenisation. It has asked all businesses and payment gateways to remove sensitive customer data and card information from their websites and systems and to use encrypted tokens to carry out transactions. RBI has ordered all companies to comply with this rule strictly from 1st January 2022.
Why the emphasis on tokenisation?
Several businesses in India save card payment transaction details in their systems. In addition to storing card information themselves, many e-commerce and D2C companies force their customers to store card details, making them susceptible to cyberattacks that result in the theft of card information. Stolen card data is highly valuable on darknet marketplaces and is further used to carry out illegal bank transactions without the individual’s knowledge.
What is tokenisation?
Tokenisation provides its users an added layer of security by replacing the card details with a unique code or token, which is a string of numbers randomly generated by an algorithm. This allows online purchases to go through without compromising the card details. The tokens generated by the algorithm are unique for every debit or credit card and for every merchant platform where the card is used.
Even if cracked, these token numbers will not reveal any meaningful information to cyberattackers.
In conventional online card payments, a successful transaction takes place based on information like the 16-digit card number, the card expiry date, the CVV as well as the one-time password or transaction PIN.
In tokenisation, on the other hand, each number is unique for each combination of card, device, and token requestor. For a transaction to happen, the merchant or shop owner initiates a tokenisation request to the card network, which creates a proxy token for the card number and sends it back to the merchant. To initiate a transaction with a different merchant or from a different card, tokenisation has to be done again.
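The binding described above, sketched as an added example that is not code from RBI, a card network, or any of the providers named in this article. The class, method, merchant, and device names are hypothetical, the card number is a constructed test value, and reusing the same token on a repeat request is an assumption.

```python
import secrets

class CardNetworkVault:
    """Toy stand-in for the card network's token service (hypothetical names)."""

    def __init__(self):
        self._token_for = {}    # (card, requestor, device) -> token
        self._binding_for = {}  # token -> (card, requestor, device)

    def tokenise(self, card_number, requestor, device):
        """Return the proxy token for this card/requestor/device combination."""
        binding = (card_number, requestor, device)
        if binding in self._token_for:  # assumption: repeat requests reuse the token
            return self._token_for[binding]
        while True:
            # Random digits: the token has no mathematical relation to the card number.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != card_number and token not in self._binding_for:
                break
        self._token_for[binding] = token
        self._binding_for[token] = binding
        return token

    def authorise(self, token, requestor, device):
        """Approve only if the token is presented by the requestor/device it was issued to.
        The card number is looked up inside the vault and never returned."""
        binding = self._binding_for.get(token)
        return binding is not None and binding[1:] == (requestor, device)

    def delete(self, token):
        """Remove a token, e.g. when the customer withdraws consent."""
        binding = self._binding_for.pop(token, None)
        if binding is not None:
            del self._token_for[binding]


def demo():
    vault = CardNetworkVault()
    card = "4111111111111111"  # constructed test card number, not a real card
    shop_a = vault.tokenise(card, "merchant-a", "phone-1")
    shop_b = vault.tokenise(card, "merchant-b", "phone-1")
    return {
        "tokens_differ": shop_a != shop_b,
        "own_token_ok": vault.authorise(shop_a, "merchant-a", "phone-1"),
        "replayed_elsewhere": vault.authorise(shop_a, "merchant-b", "phone-1"),
    }

if __name__ == "__main__":
    print(demo())
```

A token copied from one merchant's database is rejected when presented by any other requestor, which is why a breach at a single merchant exposes no reusable card data.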
How are different fintech platforms reacting to tokenisation?
Razorpay has launched ‘Razorpay TokenHQ’, a multi-network Card-on-File (CoF) tokenisation solution accessible to all businesses. Merchants using different payment gateways can tokenise cards using Razorpay’s tokenisation solution and route payments through their existing payment partnerships. Using Razorpay TokenHQ, businesses will be able to create, process, delete and modify tokens for online card payments with customers’ consent at zero cost and effort.
Much like Razorpay, Walmart-backed digital payment firm PhonePe has launched PhonePe SafeCard, a tokenisation solution where merchant partners can create, process, delete and modify tokens for online card payments with customers’ consent on their platforms via a simple application programming interface (API) integration. This saves time and effort and also eliminates the need to integrate with multiple card networks.
PayU also announced its unique tokenisation solution, ‘PayU Token Hub’, which will enable businesses to comply with RBI’s latest guidelines for online card data storage while also allowing issuing banks to generate their tokens.
How will it impact the existing online e-commerce and online businesses?
This new move from RBI is a progressive step towards safeguarding vital card information and will benefit businesses with a smooth customer payment experience, as repeat customers can simply use their CoF or access one-click checkout directly without going through the hassle of entering payment details again. However, the deadline given to businesses for transitioning to tokenisation is abrupt and will subsequently push small and medium payment operators out of business. These operators are already reeling under RBI’s new rule on recurring payments, under which transactions are carried out only after the customer gives a green signal, which in turn affects the continuity of business.
This sudden move will immensely impact around 5 million customers who frequently shop online by storing their card details and might result in customers switching to UPI-based payments or cash-on-delivery payment mode.
For e-commerce and D2C companies, tokenisation can impact cashback and equated monthly installments (EMIs) that customers pay through stored cards for purchases and buy-now-pay-later options. This would mean pushing customers for a UPI payment for products of smaller ticket sizes.