The Reserve Bank of India (RBI) has pushed the deadline for tokenisation of card transactions from July to October 2022.
In March 2020, the apex bank had announced new rules for tokenisation of card data in order to make online transactions made using debit and credit cards more secure. Accordingly, the RBI had asked banks to adhere to the guidelines beginning 1 January 2022, which was subsequently extended to July 2022, and now to October 2022.
So, what are the new rules? Why has the deadline been changed? Here’s everything you need to know.
What is tokenisation of debit and credit cards?
Under the tokenisation initiative, all companies are required to delete all existing cardholder information they have and replace it with a unique ‘token’ or code.
This means that merchants will not be allowed to save your card information once the policy is implemented. According to the RBI, this will prevent any misuse of cards by fraudsters, thus making online transactions more secure.
How do I create a token for my card?
The cardholder has to undergo a one-time registration process for each card, at every online merchant’s website, by entering the card details and giving consent to create a token during checkout.
A token is generated for a particular card at a single website. You will be required to undergo this process for a different card and/or website.
Here's how to generate your token:
Step 1 – Visit any e-commerce/merchant website to make a purchase and start a transaction
Step 2 – During the check-out, select your preferred bank's credit/debit card as payment method and enter all details
Step 3 – Select the option to “secure your card” or “save card as per RBI guidelines”
Step 4 – Fill in the OTP sent on your mobile or email by the card company and finish the transaction
Step 5 – Your token has been generated and saved instead of your actual card details
You can recognise the card by its last four digits and use the same token for that website for any future transaction.
Why has the deadline been pushed?
The industry had raised certain technical issues concerning guest checkout transactions – or the ones made by a consumer on a website without registering on the website.
Transactions using tokens have also not gained speed with merchants of all categories, said the RBI in a statement.
“These issues are being dealt with in consultation with the stakeholders, and to avoid disruption and inconvenience to cardholders, the RBI has announced extension of the said timeline of 30 June 2022 by three more months, i.e., to 30 September 2022."RBI Press Statement
Meanwhile, the industry will focus on ensuring:
All stakeholders be ready to conduct tokenised transactions
More tokenised transactions are conducted
Implementing alternate mechanisms to manage all post-transaction activities related to guest checkout transactions
Public awareness about creating and using tokens for card transactions
What are the benefits of tokenisation?
The central bank said that many entities involved in the card payment transaction chain store actual card details (also known as card-on-file or CoF) of its users.
In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen.
In the recent past, there were incidents where card data stored by some merchants has been compromised/leaked. Tokenisation aims to put a stop to this as the merchant websites will only have an alternative code – one that will be unique and randomly generated instead of the actual cardholder information.
Stolen card data can also be used to perpetrate frauds within India through social engineering techniques.
Is using the token system mandatory?
A card user does not need to use the token system mandatorily.
If the customer chooses not to use tokens, they will be required to enter their card details manually every time they conduct a card transaction on an e-commerce/merchant website.
Will I be charged for the tokenisation process?
The tokenisation process is free of charge and is applicable only for domestic card transactions.
What if you have multiple cards?
As mentioned by the RBI, you have to create separate tokens for each card you own.
In a statement, the ICICI bank said, “Bank will provide a portal to the cardholders to view and manage the tokenised cards. Cardholders can view/delete tokens for the respective cards through this portal. Customers can also call the phone banking service to place a request to manage tokenised cards."