RBI’s mandate to tokenize card transactions comes into effect on 1st October, 2022. The main goal of this regulation is to curb online fraud through an additional layer of safety while keeping user transactions smooth. From 1st October, 2022, users who do not wish to create a token will have to enter their card details manually whenever they make an online card transaction.
With this initiative, neither the merchant nor the payment aggregator will hold the consumer’s card details. User card details such as the 16-digit card number, name, expiry date, and CVV are masked with a unique code called a token. A tokenization request is processed only with the consent of the cardholder, given through Additional Factor of Authentication (AFA). The customer can also select the use case and set limits as per his / her preferences.
What is Card Tokenization in 2022?
Tokenized cards protect against fraud by replacing the actual debit and credit card details with a token during transactions on merchants’ platforms and apps. From 1st October onwards, every token requestor and merchant will receive a unique token when processing digital transactions.
There shall be a unique code for each combination of card, token requestor (i.e., the entity that accepts requests from customers and passes them along to the card network to issue a token) and merchant (the token requestor and the merchant may or may not be the same entity).
What are the security advantages of tokenizing your card information?
Tokenization replaces the old practice of cardholders entering their details manually and saving them on the merchant’s website. The approach saves time for cardholders, because the tokenized details are kept for future use and do not have to be entered manually again. With the help of tokenization, customer card credentials can be protected from fraudulent entities.
RBI’s tokenization mandate ensures an additional layer of safety as, “the actual card number, PAN, and other card related data are stored in a secure mode by the authorized card networks, in the form of tokens. Token requestors cannot store any sensitive information, such as the debit and credit card numbers, and any password associated with the token.” Token requestors are also required to get certified for safety and security that conforms to international best practices.
There are several advantages to tokenizing cards:
- Tokenization will increase card security by making each card uniquely identifiable at each merchant; every cardholder should consider mobile tokenization if they are concerned about the risk of fraud.
- Customers can tokenize their cards free of charge, and cardholders may use any authorized card to complete transactions.
- Tokenized cards can be viewed on the merchant portal, and a token must be created every time the card is changed, renewed, reissued, or upgraded.
- Cardholders using multiple cards will be provided with a portal to manage tokenized cards. Through this portal, cardholders can view/delete the tokens associated with the respective cards.
- Consumers can avail the tokenization option on any device, such as mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc.
- Customers can request tokenization for any number of cards and can use any of the cards registered with the token requestor app. While using tokenized cards, customers can also set their limits for transactions.
What are the methods for implementing card tokenization?
- Currently, tokenization in India can only be performed by recognized payment networks such as Visa/Mastercard/Amex/RuPay.
- Cardholders can tokenize a card by giving explicit consent through Additional Factor of Authentication (AFA) on the merchant’s portal, which accepts customer requests for tokenization and forwards them to the card network.
- Tokenized cards can be used successfully to conduct domestic credit or debit card transactions after your card issuing bank approves your token request, according to the card, the token requestor, and the merchant.
- Tokenization requests are registered only after explicit customer consent is received through Additional Factor of Authentication (AFA), and not through a checkbox that is selected automatically or by default.
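
The following is an added example, not code from RBI, a card network or the original article. It is a toy model of two points made above: one token per combination of card, token requestor and merchant, and registration only after explicit AFA consent. The class name, the `afa_verified` flag, the identifiers and the random hex token format are all assumptions made for illustration.

```python
import secrets

class CardNetworkVault:
    """Toy card-network vault: only this object ever holds the card number."""

    def __init__(self):
        self._token_for = {}   # (pan, requestor, merchant) -> token
        self._binding = {}     # token -> (pan, requestor, merchant)

    def tokenize(self, pan, requestor, merchant, afa_verified=False):
        # Consent must be explicit: the default is "no", never a pre-ticked "yes".
        if afa_verified is not True:
            raise PermissionError("tokenization needs cardholder consent via AFA")
        combo = (pan, requestor, merchant)
        if combo not in self._token_for:
            token = secrets.token_hex(8)   # random, so it reveals nothing about the PAN
            self._token_for[combo] = token
            self._binding[token] = combo
        return self._token_for[combo]

    def authorize(self, token, requestor, merchant):
        # A token is honoured only for the requestor and merchant it was issued to.
        combo = self._binding.get(token)
        return combo is not None and combo[1:] == (requestor, merchant)

    def delete(self, token):
        # Cardholder removes a token through the management portal.
        combo = self._binding.pop(token, None)
        if combo is not None:
            del self._token_for[combo]

def demo():
    vault = CardNetworkVault()
    pan = "4111111111111111"   # constructed test number, not a real card
    t_shop = vault.tokenize(pan, "requestor-A", "merchant-shop", afa_verified=True)
    t_food = vault.tokenize(pan, "requestor-A", "merchant-food", afa_verified=True)
    results = {
        "distinct_per_merchant": t_shop != t_food,
        "pan_not_in_token": pan not in t_shop,
        "valid_at_own_merchant": vault.authorize(t_shop, "requestor-A", "merchant-shop"),
        "accepted_at_other_merchant": vault.authorize(t_shop, "requestor-A", "merchant-food"),
    }
    vault.delete(t_shop)
    results["valid_after_delete"] = vault.authorize(t_shop, "requestor-A", "merchant-shop")
    return results

if __name__ == "__main__":
    print(demo())
```

Because the token is bound to one requestor and one merchant, a token taken from one merchant's database is rejected everywhere else, which is the security property the per-combination rule provides.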