How Tokens Can Make Credit or Debit Card Transactions Safer?

In today's digital world, a credit card lets you pay for online shopping, merchants, deals and more with a few simple clicks on your device. Those clicks pass your card details along, the transaction is processed, and your order is done. But what happens next? Did you just disclose your account details? You may have handed your credentials to the payment gateway, and it is reasonable to wonder whether the gateway stores that data. The worrying part is that data breaches and online financial fraud have been increasing. This is where tokenisation can improve the transaction system.

So what is tokenisation? 

A token here is not a physical token or any additional asset. Rather, it is an alternative that lets credit cardholders use a computerized code instead of their full card details to carry out transactions. These codes enable contactless card transactions through payment gateways, QR codes or online points of sale.

These codes are built up by merging card details, codes from token requestors and the devices involved. Card details here mean the details of the cardholder and of the device used for a transaction or for requesting token codes. The important part of the whole process is the issuing of the code by the token requestor, the intermediary that takes the request from the customer and forwards the token request to the card networks.

How will this impact the credit card system?

Under the old transaction regime, a user entered the card details into the payment gateway, for example the name of the holder, CVV and expiry date, and proceeded with the transaction. After the transaction, the payment gateway stored the details for further transactions, for the user's ease. Whenever you used the service again, the payment options showed the previously used card details for making the payment. This is generally the case with online payment facilitators like Amazon, Flipkart and other shopping apps, payment apps and wallets like Paytm, Mobikwik etc.

By dismantling this system of using and storing full card information for transactions, the RBI aims to reduce financial fraud risks for users. The new system, under the directed rules, will follow the procedure below:

  1. The cardholder submits a request for a token code to the token requestor via any device.
  2. The token requestor will proceed with the request and verify the cardholder’s details with banks, then the request will be sent to the card network. These card networks are generally known as token service providers (TSPs).
  3. A code made up of numbers or characters will be generated and sent to the user’s device. The code will be activated only after the user’s permission.
  4. Once the user gets the code, they may use it with payment gateways or apps, entering the token there instead of card details.
  5. The token remains the same and is irreversible. The code cannot be changed or erased.
  6. The RBI has made it a regulatory requirement that the token requestor, too, is not allowed to store the cardholder’s data.
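
The six steps above, modelled as an added Python example (not code from the article, the RBI or any card network): a toy token service provider that binds each token to a card, a token requestor and a device, as the article describes. The class, method names, identifiers and the rule that a token presented from a different requestor or device is declined are assumptions of this sketch.

```python
import secrets

class TokenServiceProvider:
    """Toy TSP: the only party that can map a token back to a card."""

    def __init__(self):
        self._vault = {}  # token -> {"binding": (pan, requestor, device), "active": bool}

    def request_token(self, pan, requestor_id, device_id):
        """Steps 1-3: issue a token for this card + requestor + device."""
        binding = (pan, requestor_id, device_id)
        for token, rec in self._vault.items():
            if rec["binding"] == binding:
                return token  # step 5: same combination, same token
        # Random digits: nothing about the card can be derived from the token.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._vault[token] = {"binding": binding, "active": False}
        return token

    def activate(self, token, user_consents):
        """Step 3: the token works only after the user's permission."""
        rec = self._vault.get(token)
        if rec is not None and user_consents:
            rec["active"] = True
        return bool(rec and rec["active"])

    def detokenize(self, token, requestor_id, device_id):
        """Resolve a token for the issuing bank; None means decline."""
        rec = self._vault.get(token)
        if rec is None or not rec["active"]:
            return None
        pan, bound_requestor, bound_device = rec["binding"]
        if (requestor_id, device_id) != (bound_requestor, bound_device):
            return None  # token presented outside its binding (assumed rule)
        return pan

def demo():
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test card number
    token = tsp.request_token(pan, "shop-app", "phone-1")
    before_consent = tsp.detokenize(token, "shop-app", "phone-1")
    tsp.activate(token, user_consents=True)
    merchant_db = {"customer-42": token}  # step 4: gateway stores the token only
    paid = tsp.detokenize(merchant_db["customer-42"], "shop-app", "phone-1")
    leaked = tsp.detokenize(token, "other-app", "phone-9")  # token copied elsewhere
    return token, before_consent, paid, leaked

if __name__ == "__main__":
    print(demo())
```

The merchant-side record holds only the token, so a copy of that record gives no card number and fails when replayed from another requestor or device.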

However, the decision to use tokenisation remains in the hands of the customer. As noted, the procedure is not compulsory; it is voluntary and encouraged for better online transaction safety.

Authorities involved 

The parties involved in this overhaul of the procedure are mainly the RBI, TSPs, banks and the end-user. The RBI will play a regulatory role, keeping an eye on all participants and ensuring smooth functioning without loopholes. The main entities facilitating tokens will be the TSPs: mostly card service providers, such as MasterCard or Visa, will be given the authority to issue tokens. These firms will be authorized to issue tokens and forward requests.

The banks do not participate directly but will verify the customer’s account; after that verification, the TSP will proceed with tokenisation. The end-user decides whether to opt into tokenisation or keep using card details, and the whole procedure involves the user’s consent from beginning to end. It can be called a one-time process, after which hassle-free and more secure transactions are ensured compared to the old regime.

Why is tokenisation initiated?

The first and foremost reason for tokenisation is obvious: prevention of fraud and data breaches. Data stored on gateways is prone to hacking or leakage, which creates a large risk of unauthorized access to customers’ sensitive information and can even lead to loss of money. Because authentication is done at the primary stage, it will be easy to recognize, and when only a number is stored on the gateway, the risk of the cardholder’s other data being misused decreases.

A noticeable advantage is that if the physical card is lost, the systems and algorithms are such that tokens can still be used safely, reducing the risk of fraud.

