The Reserve Bank of India’s (RBI’s) card-on-file tokenisation rule is all set to kick in from October 1. It mandates that merchants, ecommerce websites and apps, and other service providers will no longer be allowed to store customers’ card data on their servers.
So, what happens now? Here is everything you need to know as a card (debit or credit) holder in India.
What is tokenisation?
Every time we make an online payment via a debit or a credit card, the system asks us to enter our card details, expiry date, CVV, and so on. Then, an OTP is generated and upon adding that, the payment is completed.
Now, instead of filling out these card details, which are stored in the merchant’s system, all you would need is an “encrypted token”, unique for each user. In simpler terms, a token is a replacement for all of your actual card details.
Why is this being done?
Simply put, data protection. Every time we enter our card details, the data is stored by the entities (merchants, payment gateways, payment aggregators) involved in an online card transaction for convenience.
Needless to say, saving this kind of crucial information increases the risk of card data being stolen or misused.
With unique tokens, no merchant will be able to store anything during the transaction process.
How can I generate a token?
Step 1: Visit any ecommerce or merchant website or app
Step 2: At checkout, choose your payment method, and enter you card details (debit/credit) as usual.
Step 3: You will see an option of “Secure your card as per RBI guidelines” or “Tokenize your card as per RBI guidelines”. Select this option and continue with the payment.
Step 4: Enter OTP sent to your mobile phone or email by your bank and complete the transaction.
Step 5: Your token will be generated and saved instead of the actual details of your card.
When you visit the same website or application again, the last four digits of your saved card will be displayed to help you identify your card for doing the payment.
Are there any extra charges?
No.
Is this mandatory?
No. You can continue to make online transactions like before by entering card details manually. But you will have to repeat this every time as the merchant site will not be able to store your card details anymore.
Do I need to remember my token details?
No. The tokens will be saved on the merchant platform. You will have to just check the last four digits of the saved cards to make the payment again.
Will there be a single token for all transactions?
No. Tokens will be unique for every vendor, even if you are using the same card for all transactions. For each new merchant, you will receive a new unique token, which means you will have multiple tokens based on the number of merchants you visit.
For instance, if you used an Axis Bank card and got that tokenised on Flipkart, the same card will have a different token on Myntra.
What if I don’t get my card tokenised before October 1?
Nothing will happen since it is not mandatory. But you will have to enter your card details manually every time you make a transaction online. Having said that, one must do this for personal data security.
Who can perform tokenisation?
Tokenisation can be performed only by the authorised card network. A list of authorised entities is available on RBI’s website.
Can I manage/delete my tokens?
Yes. You can simply delete the token on the merchant website/app and delete the card associated with the token for the payment option.
You can also call on your bank’s customer care helpline to request the same. The tokenisation-related complaints will be dealt with by the banks (card issuers).
HDFC Bank has created a separate website, the link for which is shared every time a new token is created. SBI and Standard Chartered want the user to call customer care to have a token deleted while American Express has added the option to manage tokens within the existing online account.
What if my card is renewed/reissued?
In that case, you will have to create a fresh token.