A token is an anonymized set of characters that stands in for the original payment credential, such as a credit card number.
RBI recently changed its tokenization guidelines, due to which online stores can no longer store tokens.
Tokens will also make recurring payments extremely safe by allowing payment providers to save cards using tokenization solutions.
Digital payments keep growing, online and offline, and using multiple payment methods across form factors is making our lives easier with fast, frictionless payments. But have we wondered how security is implemented while our checkout experience gets easier?
Payment data security is a critical part of individual security. Who knew the answer would lie in a seemingly simple switching of numbers? That’s tokenization, put in the simplest of terms. A token is nothing but an alias, an anonymized set of characters standing in for the original payment credential such as a credit card, where a token reference is used instead of the actual card number, with a matching expiry date. The token number is irreversible: it is created by an advanced algorithm that has the intelligence to map the token number to the actual card value, and it is impossible to crack because the mapping between the original number and the pseudo number exists only with the tokenization provider.
So, is it like encryption? Not in many ways. Primarily, encrypted data can be decrypted using a cryptographic key. However, with tokenization, there is no such key, only an intelligent mapping that cannot be cracked in case of a breach.
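The difference from encryption described above, as an added sketch (not code from any payment provider): the token is drawn at random and only the provider's table maps it back to the card. `TokenVault`, `merchant_record`, the 16-digit format, keeping the last four digits visible and rejecting Luhn-valid tokens are assumptions of this example.

```python
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn checksum that real card numbers satisfy."""
    digits = [int(d) for d in reversed(number)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0


class TokenVault:
    """Hypothetical provider-side vault; the mapping never leaves it."""

    def __init__(self):
        self._by_token = {}  # token -> (card number, expiry)

    def tokenize(self, pan: str, expiry: str) -> str:
        if not (pan.isdigit() and len(pan) == 16 and luhn_ok(pan)):
            raise ValueError("expected a valid 16-digit card number")
        while True:
            # Digits come from the OS CSPRNG, not from the card number, so
            # there is no key that could turn a token back into a card.
            body = "".join(secrets.choice("0123456789") for _ in range(12))
            token = body + pan[-4:]  # assumption: last four stay visible
            # Sketch's choice: skip collisions and anything that would pass
            # a Luhn check, so a token can never be mistaken for a card.
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = (pan, expiry)
        return token

    def detokenize(self, token: str):
        """Resolve a token; None when this vault never issued it."""
        return self._by_token.get(token)


def merchant_record(vault: TokenVault, pan: str, expiry: str) -> dict:
    """What a merchant keeps on file: token and expiry, never the card."""
    token = vault.tokenize(pan, expiry)
    return {"token": token, "expiry": expiry, "display": "**** " + token[-4:]}


TEST_PAN = "4111111111111111"  # constructed sample (common test number)

if __name__ == "__main__":
    provider = TokenVault()
    record = merchant_record(provider, TEST_PAN, "12/30")
    print(record)                                    # merchant's copy
    print(provider.detokenize(record["token"]))      # provider resolves it
    print(TokenVault().detokenize(record["token"]))  # no mapping -> None
```

A database dump of merchant records from this sketch holds only random digits plus the last four; without the provider's table there is nothing to decrypt.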
Sounds simple enough? It’s actually a highly complicated and layered process with several forms which involve several players and protocols. Here are the 3 main types of tokenization that occur in today’s payment landscape.
Types Of Tokenization
Card-on-File Tokenization or PCI Tokenization – With this kind of tokenization, the card number or UPI handle can be saved when you opt in during an online payment for recurring payments, e.g. your favorite marketplaces or OTT subscriptions, where you do not enter your payment credentials every time. With this, you can carry out card-not-present transactions. Such tokenization can be carried out by the merchant, payment aggregators, payment gateways or networks like Visa and Mastercard to meet the PCI DSS guidelines. Not all tokenization options may be present in all regions; for example, in India there are restrictions imposed by RBI on the entities that can store or tokenize payment credentials.
Globally popular OTT platforms and marketplaces like Netflix or Amazon could tokenize your sensitive data. In any case, you will still be able to see the last 4 digits of your card, but any other party will only see the tokenized digits. Globally, merchants and marketplaces use their proprietary token mechanisms, with gradual adoption of network-based tokenization.
Device Tokenization – Device tokenization is still at a nascent stage in India, waiting for mass adoption. This tokenization is carried out by network providers, while the token is saved on the mobile device, e.g. Samsung Pay, Apple Pay, Android Pay etc., using NFC or SE technology. With the recent RBI approval of device tokenization, additional form factors like watches, wrist bands and IoT devices can also be used as a substitute for the actual card, making it very convenient while adding security for the customer.
RBI And The Guidelines Of Tokenization
Cashless transactions have seen prolific growth over the last few years, especially after the pandemic outbreak. Eyeing the growing risk of data breaches, the RBI recently changed the guidelines on tokenization. Now, online stores (merchants, payment aggregators etc.) cannot store tokens even if they are PCI compliant. Even if platforms use tokenization, the Card-on-File tokenization will be provided by a network- or issuer-based solution. Merchants will simply receive the anonymized number from a token provider and store it in their database. As RBI gets stricter, it only bodes well for end-consumers, who are now more secure than ever before while making online payments. Such strict measures are important against hackers, who are becoming more sophisticated with every attack. And this is good news, since tokenization is fitting a wealth of use cases day after day.
Tokenization And Recurring Payments
As more and more people embrace online shopping for everyday items, entertainment, and numerous other services, recurring payments are on the rise. A highly regulated tokenization landscape, where it is simple for payment providers to save cards in their database using an approved tokenization solution, will allow repeat transactions to become much safer and simpler.
For instance, currently, if you have a Netflix subscription, money is deducted monthly from your account and you receive a notification for the transaction after the payment is done. As tokenization makes transactions safer, with the RBI guidelines clubbed with the recurring payment guidelines, you will receive a notification before the money is deducted, and you will have an option to opt out of the payment and end your subscription in a hassle-free manner. Or, you can simply approve it and get on with your life!
And this is just the beginning. With the technology and protocol in place, recurring payments will be embedded within IoT-enabled consumer products. For example, the refrigerator of the future will be able to use embedded tokens to order bread and milk every week according to your needs. Similarly, embedded tokens placed in car number plates will be able to automatically initiate transactions when you pass through a drive-through facility or a toll point.
All users will need to do is wave a wearable such as a band or a ring to approve transactions and it’s done! The future is full of possibilities. An interesting example of this was the NFC-enabled Visa payment ‘ring’ with a tokenized card embedded, which was provided to the Visa athletes at the Rio Olympics. This ceramic ring was a payment tech breakthrough that allowed the players to make payments by simply waving their rings without having to reach into their wallets. This is where we’re heading, and tokenization will make this possible.
Ensuring Interoperability Through Crucial Integrations
The aforementioned scenarios point towards a need for service providers who facilitate an ecosystem since it involves the complex integration of several industry players. Thankfully, cutting-edge pay-tech companies are stepping up to provide these services to banks and ecommerce partners. These companies are working with industry players in a fungible manner to increase security for end-users.
In the future, users will be able to make 10 payments within seconds without even looking at their phone. India will tokenize securely, consumer convenience will skyrocket, sales and revenues will increase for merchants, and banks will see more transactions along with it. It is simply a win-win ecosystem for all. Service providers will also be able to provide value-added services and monetize this service, further boosting its merit in the pay-tech landscape. Faster, simpler, and safer transactions are on the horizon, championed by tokenization.