TOKENISATION: CODIFYING YOUR CREDIT CARD DETAILS FOR SAFETY
As the Reserve Bank of India (RBI) extends the deadline for card tokenisation by another three months to 30 September 2022, we look at the main aspects of tokenising the data on credit/debit cards, and the significance of the whole exercise.
But before we delve into the importance of tokenisation, we must understand what tokenisation is. Every time a consumer makes an online transaction, card details such as the card number, expiry date, etc., get stored with the merchant.
Tokenisation replaces actual card details with an alternate code called the “token”.
A token is a piece of data that is used in place of other, more important and valuable data. It is like poker chips used in place of cash on the poker table.
In the case of credit/debit cards, a token is unique for a combination of card, token requestor (the entity which accepts a request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and device.
PURPOSE OF TOKENISATION
Now, why would the RBI start on such a big exercise, one that requires, among other things, all merchant outlets and business entities that hold details of credit/debit card owners to delete all that data?
Well, the purpose of this whole exercise is to protect credit/debit card users from fraud.
Details of credit/debit card users stored with merchant outlets are not safe, as the data can be misused if it falls into the hands of the wrong people. Tokenised data is undecipherable and irreversible.
Actual card data, the token and other relevant details are stored in a secure mode by authorised card networks. The token requestor cannot store the card number or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security in conformance with international best practices or globally accepted standards.
Tokenisation can be used for contactless card transactions, payment through QR codes, apps, etc.
HOW IS TOKENISATION CARRIED OUT?
To create a token, the cardholder has to undergo a one-time registration process for each card at every online / e-commerce merchant’s website / mobile application, by entering the card details and giving consent for creating a token.
One can get his/her card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.
One can initiate the tokenisation process only through mobile phones and tablets. The whole process does not incur any cost, and a user can tokenise the data of his/her cards without paying any fee.
It is not mandatory for users to tokenise the card details for any transaction. They can register or de-register their cards for the process of tokenisation.
One can tokenise any number of cards and even set limits on the quantum of transactions for which the cards are tokenised.
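The following sketch is an added example, not code from the RBI or any card network. It models the flow described above: a token is issued per combination of card, token requestor and device, only with cardholder consent and issuer approval, and can be de-registered. The class and method names, the 16-digit random token format and the binding check in detokenise are assumptions of this sketch.

```python
import secrets

class TokenVault:
    """Toy model of a card network's token vault (hypothetical names)."""
    def __init__(self):
        self._by_binding = {}   # (pan, requestor, device) -> token
        self._by_token = {}     # token -> (pan, requestor, device)

    def tokenise(self, pan, requestor, device, consent, issuer_approves=True):
        if not consent:
            raise PermissionError("cardholder consent is required")
        if not issuer_approves:
            raise PermissionError("issuer declined the request")
        binding = (pan, requestor, device)
        if binding in self._by_binding:
            return self._by_binding[binding]
        # Random digits, unrelated to the card number: nothing to decrypt.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._by_token and token != pan:
                break
        self._by_binding[binding] = token
        self._by_token[token] = binding
        return token

    def detokenise(self, token, requestor, device):
        """Runs inside the network only; enforces the token's binding."""
        binding = self._by_token.get(token)
        if binding is None:
            raise KeyError("unknown or de-registered token")
        pan, bound_requestor, bound_device = binding
        if (requestor, device) != (bound_requestor, bound_device):
            raise PermissionError("token presented outside its binding")
        return pan

    def deregister(self, token):
        binding = self._by_token.pop(token, None)
        if binding is not None:
            del self._by_binding[binding]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    t1 = vault.tokenise(pan, "merchant-a", "phone-1", consent=True)
    t2 = vault.tokenise(pan, "merchant-b", "phone-1", consent=True)
    return vault, pan, t1, t2
```

Because each token is a random value looked up in the vault, a token taken from one merchant reveals nothing about the card and is rejected when presented under a different requestor or device.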
RESPONSIBILITIES OF CARD ISSUERS AND CARD NETWORKS
Under the rules laid down by the RBI, only authorised card networks can perform tokenisation or de-tokenisation. (The list of authorised card networks is available on the RBI website.)
Before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system (including security) audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers.
As far as the responsibilities of card issuers are concerned, they should address the issues raised by users, including the loss of devices. Card issuers can deny tokenisation requests by a token requestor based on their risk perception.