Under the Reserve Bank of India mandate effective October 1, 2022, the actual card number, CVV, expiration date and any other sensitive card-related information cannot be stored by merchants or payment aggregators/gateways for processing online transactions. Users must have their credit/debit cards tokenized.
Tokenization refers to the replacement of an actual credit/debit card number with another code called the “Token”. Once created, this tokenized card information will be used instead of the actual card number for future online purchases initiated or requested by the cardholder. A tokenized card transaction is considered more secure because the actual card details are not shared with or stored by merchants to complete the transaction.
Is the tokenization directive applicable to credit and debit cards?
Yes. From October 1, 2022, debit and credit cards must be tokenized. The customer does not have to pay any fees to use the card tokenization service; it is absolutely free.
What are the benefits of tokenization?
The actual card data, token and other relevant details are stored in a secure encrypted mode by the card issuing bank and/or authorized card networks. Token Seekers/Merchants cannot store the full card number or any other card details.
How can tokenization be done?
Step 1: The cardholder can get the card tokenized by initiating a request on any e-commerce website/app where they want to make the transaction.
Step 2: The token requester's website/app will forward the request directly to the bank that issued the applicable credit card, or to Visa/Mastercard/American Express with the consent of the card-issuing bank.
Step 3: The party receiving the request from the token requester will issue a token corresponding to the combination of card, token requester and merchant. This means that once the card is tokenized, the customer will see the last 4 digits of the card on the merchant page.
Will card tokenization have to be done at each merchant?
Yes. A token must be unique for the card at a specific merchant. If the customer intends to have a card registered at different merchants (e-commerce/apps), tokens must be created at all merchants. Additionally, customers must complete this process for all cards they hold. As mentioned earlier, the token is unique for a combination of card and merchant. A customer can request tokenization of any number of cards when they want to make a transaction.
How can users manage their tokenized cards?
The bank will provide a portal for cardholders to view and manage tokenized cards. Cardholders can view/delete tokens for their respective cards through this portal. Customers can also call the Phone Banking service to request management of tokenized cards.
Will tokenization impact the POS transactions the cardholder performs at merchant outlets?
No. Tokenization is only required to complete online transactions.
Who can perform tokenization and detokenization?
Tokenization and detokenization can only be done by the card-issuing bank or by Visa/Mastercard/American Express, which are called authorized card networks.
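The issuance rule from the steps above (one token per combination of card, token requester and merchant) and the restriction of detokenization to the issuer or card network can be sketched as follows. This is an added example, not code from any bank or card network; the TokenVault class, its method names, the 16-digit random token format and the sample identifiers are assumptions.

```python
import secrets


class TokenVault:
    """Hypothetical issuer/card-network side: the only holder of the mapping."""

    def __init__(self):
        self._by_key = {}    # (pan, requester, merchant) -> token
        self._by_token = {}  # token -> (pan, requester, merchant)

    def tokenize(self, pan, requester, merchant, afa_consent):
        # Registration needs explicit cardholder consent given through AFA.
        if not afa_consent:
            raise PermissionError("explicit AFA consent required")
        key = (pan, requester, merchant)
        token = self._by_key.get(key)
        while token is None:
            # Random surrogate, not derived from the card number, so it
            # cannot be reversed without this vault. 16 digits is assumed.
            candidate = "".join(secrets.choice("0123456789") for _ in range(16))
            if candidate != pan and candidate not in self._by_token:
                token = candidate
                self._by_key[key] = token
                self._by_token[token] = key
        # The merchant side receives only the token and the last 4 digits.
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token, requester, merchant):
        # A token resolves only for the requester/merchant it was issued to.
        entry = self._by_token.get(token)
        if entry is None or entry[1:] != (requester, merchant):
            raise PermissionError("token not valid for this requester/merchant")
        return entry[0]

    def delete(self, token):
        # Cardholder removes a token through the bank's portal.
        key = self._by_token.pop(token, None)
        if key is not None:
            del self._by_key[key]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    a = vault.tokenize(pan, "gateway-1", "shop-a", afa_consent=True)
    b = vault.tokenize(pan, "gateway-1", "shop-b", afa_consent=True)
    return vault, pan, a, b
```

A token copied from one merchant's records is useless at another merchant because the vault refuses to resolve it outside the combination it was issued for.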
How does the registration process for a tokenization request work?
The registration of a tokenization request is done only with the explicit consent of the customer via Additional Factor of Authentication (AFA), not through forced/default/automatic selection of a checkbox, radio button, etc. Customers will also have the choice to select the use case and set limits.