RBI has once again extended the deadline of tokenization of credit cards from June 30 to September 30, 2022. The central bank has extended the deadline multiple times now.
Tokenization of cards helps make your credit and debit card transactions more secure. But what is the need?
It is common for us to store your card details on websites/third party applications that we use frequently. One reason: Convenience. You don’t want to enter card details every time you transact. So far so good. However, if there is a data breach on application servers and your card details are compromised, then we have a problem. Yes, there are additional security layers such as CVV and OTP that these apps don’t store. Still, you don’t want anyone to have unauthorized access to your card details.
For this reason, RBI has disallowed storing credit card details by third party application providers. Hence, once fully implemented, Amazon and Flipkart won’t be able to store your card details. In that case, how will you do repeat transactions? Would you have to enter card details each time you transact? Fortunately, no but how?
Enter Tokenization of Cards.
What is Tokenization?
Device-based Tokenization
Through tokenization, you replace your credit card with a token. A token is an identifier issued by the card network (Visa, Mastercard, Amex, Rupay) and is unique for a combination of
- Card (debit/credit)
- Token requestor (any payment app)
- Device
The following chart from Wikipedia clearly explains how this works.
To begin, the token requestor (payment app) forwards your tokenization request to the card network (Visa, Mastercard, American Express, NPCI for Rupay). After verification, the card network issues a token which is unique to the card, token requestor (payment app) and the device. The token requestor can store the token in its records and this token can be used for future payments. The payment app on your mobile/tablet does not store the card details.
The above process is called Device-based tokenization. Essentially, with the above process, your phone becomes a payment device. And while making payments through cards, the card details are neither stored on your phone nor shared with the merchant. Only the token is stored and shared.
Card-on-File (CoF) Tokenization
Device-based tokenization is fine, but we are more interested in Card-on-File (CoF) tokenization because that’s what you need to do for repeat transactions. CoF Tokenization works very similar to Device-on-File tokenization. The token is unique for a combination of
- Card
- Token Requestor (TSPs) (can be card issuer. For Device-based tokenization, only card networks could do it)
- Merchant (Amazon, Flipkart, Big Basket)
Let’s say you have 3 credit cards. 2 from HDFC Bank and the 1 from ICICI Bank. And let’s you have 2 mobiles.
You will have a unique token for each of the following combinations.
- Token 1: ICICI Bank Card, Issuer, Amazon
- Token 2: ICICI Bank Card, Issuer, Flipkart
- Token 3: HDFC Bank Card 1, Issuer, Amazon
- Token 4: HDFC Bank Card 1, Issuer, Flipkart
- Token 5: HDFC Bank Card 2, Issuer, Amazon
- Token 6: HDFC Bank Card 2, Issuer, Flipkart
Clearly, if you want to transact on other apps without re-entering your card details, you will have even more tokens.
How to manage so many tokens? Don’t worry you don’t have to memorize these tokens. The respective apps (Amazon/Flipkart) will take care of this and store with them. Once you tokenize your card, the payment process should be seamless as it is currently. You just need to select the token and complete the payment after verification. 2-factor authentication will still apply (CVV and OTP).
How Does the Tokenization Help?
You don’t have to worry even if there is a data breach on the servers of the merchant (Amazon, Flipkart etc.) Well, you have to worry less.
In case of data breach, the fraudsters can still steal the token. However, they won’t be able to extract your card details from the token. And yes, the token can only be used on the same merchant. For instance, Token 1 can’t be used on Flipkart. Add to this your additional factors of authentication (CVV and OTP).
You might ask, unless CVV and OTP are compromised, you are anyways safe. And merchants don’t store CVV and can’t store OTP. Right but there are risks. For instance, overseas websites won’t require OTP (just CVV is enough). Thus, one level of security is gone.
As I understand, your credit/debit card can be cloned with the rest of the details and can be used for card-present transactions (Near Field Communication) where CVV, Credit card PIN or OTP are not required. CVV is printed on the card. PINs can be observed when you enter on the swiping machine. Hence, not too difficult to ascertain for a charlatan.
Tokenization is an additional security feature. While tokenization does not guarantee that frauds won’t happen, it ensures that mere data breach won’t compromise your card details. And the tricksters won’t be able to find your card details from the token.
Also note, when a data breach happens, it is not just your card details that are compromised. Other personal information such as name, address, email, and mobile numbers may also be compromised. The attackers can seek additional information (say CVV) required to transact on your credit/debit card through fishing or any other means. Tokenization makes their job a bit more difficult. Despite the data breach, they won’t have credit card details.
By the way, you always have an option to NOT tokenize your credit/debit card on a particular application. However, since the app can no longer store card details, you will have to re-enter your card details for every purchase. And that is an inconvenience if you are a frequent user.
Will Amazon and Flipkart Know My Card Details?
No, they can’t store your card details. These apps can only store tokens. These apps cannot find your credit/debit card details from the token. Detokenization, the process to convert a token to card details, is only possible at the card network (Visa, Master card, American Express, Rupay) or TSPs (your card issuer in case of CoF-Tokenisation).
Additional Reading
- RBI: FAQs: Tokenization of cards
- RBI Circular: Tokenization — Card Transactions (January 2019)
- RBI Circular: Tokenization — Card Transactions: Extension of Scope of Permitted Devices (August 25, 2021)
- RBI Circular: Tokenization — Card Transactions: Permitting Card-on-file Tokenization services (CoFT services) September 7, 2021