How should cardholders tokenize the card as per RBI rules?

RBI has made tokenization of cards mandatory for recurring payments. While this was to go live on 01st of July, the effective date has bene postponed by 3 months. However, most banks have already started the process of tokenizing recurring payments. Here is what you need to know about tokenization as a concept, as a process and the steps involved.

What do we understand by tokenization?

Tokenisation essentially replaces the actual card details (like card number, CVV code, name etc) with an alternate code called the “token”. This token will be unique for a combination of card, token requestor (entity that accepts request from the customer for tokenisation of a card and passes it on to the card network for issuing corresponding token) and the identified device. Just as a card can be tokenized, the card can also be de-tokenized, meaning you revert back to storing the original card details only.

The biggest benefit of tokenization is the higher security since your card information like name, card number, CVV number etc don’t have to pass each time over a public pathway. This reduces the chances of your details getting hacked and misuses by others. More importantly, even the merchant in this case does not have any access to your card details.

Process of tokenization of cards

Here is how debit cards and credit cards can be tokenized for regular payments. To begin with, the card holder must request to get the card tokenised. This request can be initiated on the app provided by the token requestor. The token requestor then forwards the request to the card network which, with the due consent of the card issuer, will issue a token that corresponds to the combination of card, token requestor and the device. Tokenization is a totally free service offered and there are no charges that are entailed.

 

Currently, tokenization can only be done through mobile phones, tablets etc. Smart watches and such wearables are yet to compatible with tokenization. The tokenization is valid for a variety of transactions and, inter alia, includes contactless card transactions, payments through QR (quick response) codes, use of apps etc. Always make it a point only to go through your authorized card network for tokenization and do not accept any third party offering this service, since they are quite often not authorized.

Safety of card details in tokenization

The participants in card tokenization are a closed user group including the merchant, the merchant’s acquirer, card payment network, token requestor, issuer and customer. In tokenization, the actual card data, token and other details are stored in secure mode by the authorised card networks.

For instance, in tokenization, key details like card number, name or Card CVV cannot be stored. They are encrypted into an alternate code and stored to make it inaccessible to third parties. Customers have the option to register / de-register their card for a particular use case, i.e., contactless, QR code based, in-app payments, etc.

Let us now turn to the process of tokenization. The registration for a tokenisation request is done only with explicit customer consent using Additional Factor of Authentication (AFA). RBI has barred tokenization request by way of default / automatic selection of check box, radio button etc. Customer will also be given options and they must explicitly choose the option. Customers have the option to set and modify per transaction and daily transaction limits for tokenised card transactions.

The customer can either select the card / cards to be tokenized or they can even choose to tokenize transactions across all cards held by them. That brings us to one last question as to whether card tokenization requests can be refused? The answer is that it can be refused.

For instance, based on risk perception, card issuers may decide whether to allow cards issued by them to be registered by a token requestor. That discretion is available to the issuer of the cards.