From 1 October, online transaction norms for debit and credit cards will change for all users as the Reserve Bank of India's (RBI) card-on-file (CoF) tokenisation norms kicks in.
But what is tokenisation? How will this change your online transactions? And why has it been put in place?
What is tokenisation?
Tokenisation refers to the replacement of information or sensitive digital data with a digitally generated token.
The process helps do away with a customer's card information being stored on any merchant, payment gateway, or third-party platform.
While paying for something online, users will no longer have to punch in the 16 digit number on their card. The operating bank will issue a non-sensitive, equivalent digital token for the transaction.
The tokenisation process will also mask names on the card, expiry dates, and CVV codes, for an added layer of security
Why is the RBI switching to tokenisation?
Like we mentioned, card details and user data are often stored on payment or merchant gateways. It is this data storage on websites that could make the customer's data vulnerable to online phishing and fraud.
Tokenisation is considered to be a safer alternative, as the actual card details are not available to a merchant during a transaction. The customer's card details are only stored with the bank and the authorised card network.
When will the tokenisation process begin?
The process will begin from 1 October.
How do I get a token?
To obtain a token, the cardholder needs to go through a one-time registration process while utilizing their cards on any e-commerce platform. As soon as they enter their card details, it gives consent to create a token, which is then validated by way of authentication through an additional-factor-of-authentication (AFA).
After this, a token is created which can be used for future transactions with the CVV number and an OTP.
The RBI has also told merchants to create a "token reference number" against each token. Only these reference numbers are saved by the merchants. Once a fraud is detected, the same token cannot be used again. Users will have to request a new token.
What if I don't want to tokenise my card?
Customers can choose whether or not to get their card tokenised, according to CNBC TV18. If they not do not want to get their card tokenised, starting from 1 October 2022, cardholders will just have to enter the full card number, CVV, and expiry date of the card for each individual online transaction.
How will the rules affect me if I own a business?
The tokenisation system has been met with mixed reactions. While banks, card companies and large retailers are prepared, smaller merchants may face trouble, as this move could lead to revenue losses in the short-term if they're inadequately prepared.
(With inputs from CNBC TV18.)