Update: The Reserve Bank of India (RBI) has postponed the implementation of mandatory card transaction tokenization until July 1 after the industry requested more time to comply with the latest data security rules. Tokenization was to start from January 1, 2022.
The country’s central bank, the Reserve Bank of India (RBI), in an effort to ensure security and reduce fraud in the online card payment ecosystem, has banned merchants from recording card information on their system. Instead, the RBI mandated the use of “crypto tokens” to complete transactions. The new rules come into force on January 1, 2022.
Tokenization will ensure that the transaction takes place without the cardholder’s account information being disclosed to the merchant or any of the intermediaries.
It was not a change that happened overnight. RBI first issued guidelines in March 2020 prohibiting merchants from recording card information on their system. He repeated the same in September 2021 and gave establishments time until December 31, 2021 to comply with the new rules, and also offered them the option to tokenize.
Tokenization: this is how it will work
So what is this tokenization? In RBI’s own words, “tokenization refers to replacing the actual details of the card with an alternate code called the token.” It will be unique for a combination of card and merchant.
RBI is moving towards this because a tokenized card transaction is considered to be more secure. The point is, the actual card details are not shared with the merchant while the transaction is being processed.
The tokensiation process is simple:
You purchase an item and at the time of payment you must agree to the tokenization of your debit or credit card. (Note that you can choose, if you wish, not to leave your card tokenized.)
After your approval, the merchant sends a tokenization request to the card network, which will create a 16-digit token for the particular card number and send it back to the merchant.
Once created, tokenized card details will be used instead of an actual card number for your online purchases. Of course, you have to approve the transaction with the OPT and CVV numbers. Once created, you can use the same token for the same card with the same merchant any number of times.
But you have to create new tokens for different traders, and also if you happen to use a different card.
As a reminder, the UPI (Unified Payments Interface) already uses tokenization to secure transactions.
Tokenization is not mandatory
As we said, you can turn off tokenization and instead choose to provide your card details for each transaction (as merchants cannot save the details).
In addition, the new guidelines do not apply to international transactions. Currently, only Visa and Mastercard backed cards can be tokenized on major e-commerce platforms.
Some traders welcomed the new rule, while another group did not welcome it. This final section considers the tokensiation route to be a problem.
There is already a considerable wave of opinion against the RBI’s mandate on recurring payments which went into effect from October. According to her, if you are using recurring transactions using debit / credit cards and UPIs, then you need to perform one-time extra factor authentication for smooth automatic debit transactions. Otherwise, you must authorize the payment every month.