Blog

The Reserve Bank of India (RBI) on Friday (June 24) said that about 19.5 Cr card tokens have been issued in the country so far and called on the general public to tokenise their cards.

“The Reserve Bank encourages cardholders to tokenise their cards for their own safety. Cardholders’ payment experience will be enhanced through an added layer of security by way of tokenisation,” the RBI said.

The central bank, however, added that opting for tokenisation of cards is not mandatory. 

“Opting for CoFT (i.e., creating tokens) is voluntary for the cardholders. Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction,” the central bank said in a statement.

It highlighted the risks of frauds with customers while sharing their card details with online platforms. “…availability of card details with multiple entities increases the risk of card data being stolen/misused. There have been instances where such data stored by merchants, etc., have been compromised,” the RBI said.

The RBI also said that lack of tokenisation mechanism on cards with no additional factor of authentication (AFA) can leave them vulnerable to fraudsters and monetary loss. 

The central bank also said that it is working with industry stakeholders to address the issues highlighted by them to avoid any disruption to cardholders by the switch to tokenisation. 

The advisory came on the day when RBI extended the deadline for card tokenisation and storage of card data by three months till September 30, 2022. This is the third instance of deferment of the deadline for the implementation of the new guidelines.

What Is Tokenisation?

Tokenisation refers to the replacement of actual card details with an alternate code, called a token. This will ensure that a user’s card details are not shared with the merchants.

Under the RBI’s guidelines for tokenisation and card storage, payment aggregators, merchants and payment gateways will have to purge the customers’ card data stored with them.

Under the new framework, a cardholder will have to undergo a one-time registration process for each card at every online platform and give consent to create a token . 

“This consent is validated by way of authentication through an AFA. Thereafter, a token is created which is specific to the card and online / e-commerce merchant, i.e., the token cannot be used for payment at any other merchant,” the central bank explained.

For future transactions performed at the same merchant website/ mobile application, the cardholder can identify the card with the last four digits during the checkout process. However, a token generated at a particular online channel cannot be used anywhere else. 

Is The Payment Ecosystem Ready For Tokenisation?

The RBI on Friday noted that token-based transactions are yet to gain traction across the country and called for encouraging their use. 

The central bank directed the industry stakeholders to use the extension period for the tokenisation deadline to beef up their systems to handle such transactions and to implement an alternate mechanism to handle all post-transaction activities. It also urged the industry to create awareness among the public to promote the usage of token-based transactions.

A host of fintech players and payment aggregators have switched to token-based transactions.  From Google to PhonePe and from Razorpay to PayU, many platforms have made a move to the new system. 

Interestingly, the RBI, in its ‘Payments Vision 2025’, said that it aims to ensure that debit card usage surpasses credit card usage in terms of value by 2025. It is also targeting a 3X increase in the number of digital transactions in the country by 2025.

However, many merchants are jittery about the move to the new system.