'Tokenization' is currently the payments buzzword due to increased attention on digital wallets...
While technology is advancing at an unprecedented rate, fraud is on the rise too, especially fraud involving debit and credit cards. Recognising the seriousness of the situation, the Reserve Bank of India has prohibited merchants, payment aggregators, and online merchants from storing sensitive card information in their databases, effective from October 01, 2022. In addition, the RBI is encouraging Indians to tokenize their cards to improve security and reduce fraud.
If you're wondering what tokenizing cards means for customers and merchants, read on. This blog covers what tokenization is, the guidelines issued by the RBI in relation to tokenization, how tokenization improves security, and how it impacts customers and merchants.
What is Tokenization?
Every debit or credit card has a unique 15- or 16-digit number that consumers share with the merchant when purchasing products or services on the internet. This number is referred to as the PAN, or Primary Account Number, and it is immensely valuable, especially to fraudsters.
Usually, these PANs were stored with the payment aggregator, online merchant, or wallet, always at risk of being stolen. After all, if hackers or scammers get hold of this number, they can use it to make illicit purchases until the credit limit is exhausted or the bank account is emptied.
That's where tokenization comes into the picture. It is the process of replacing the primary account number with a unique token (a set of characters); only the card network retains the mapping from that token back to the PAN. This way, businesses can be PCI compliant while reducing the risk of fraudulent transactions.
How is Tokenization Carried Out?
The cardholder (the consumer) initiates a request for tokenization, usually in their mobile banking application or in the application provided by the token requestor. The request is then sent to the card network (Visa, Mastercard, etc.), and once the network has the card issuer's consent, a network token can be issued.
What are Network Tokens?
Network tokens are unique payment credentials that replace the actual credit or debit card number, making online purchases more secure. Note that a card's network token varies from one business to another. For instance, if customer A purchases from business B and has token T, then when he purchases from business B1, the token will be a different token T1.
What are the New Guidelines Introduced by RBI?
Here's what the new guidelines introduced by RBI entail:
- Payment aggregators must use network tokens for payment processing instead of the actual debit or credit card number. This protects the customers' privacy in case hackers try to steal the card number data or the card itself.
- The payment aggregators should also offer an explicit option to the customers if they want to remove their tokens from the merchant platform.
- Explicit consent from the cardholder must be obtained for storing the card details and using the same for recurring payments.
- Every aggregator or merchant must follow the RBI mandates, such as performing 3D Secure authentication before saving the card details on their platform.
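To make the flow concrete, here is an added, simplified model of the token request described above and of the consent and token-deletion requirements in the guidelines. It is illustrative code written for this post, not code from the RBI, a card network, or Inai; the class and method names are assumed, and the PAN used in the usage example is a constructed test value.

```python
import secrets

class CardNetworkTokenService:
    # Toy model of the card network's token vault (assumed, not a real Visa/Mastercard API).
    # Only this object ever holds the PAN-to-token mapping; merchants never see it.
    def __init__(self):
        self._vault = {}  # token -> (pan, merchant_id)

    def request_token(self, pan, merchant_id, cardholder_consent):
        # Explicit cardholder consent is required before a token is issued for storage.
        if not cardholder_consent:
            raise PermissionError("explicit cardholder consent required")
        # Fresh random token per (card, merchant): customer A gets T at B and T1 at B1.
        token = f"tok_{merchant_id}_{secrets.token_hex(8)}"
        self._vault[token] = (pan, merchant_id)
        return token

    def authorize(self, token, merchant_id, amount):
        # The token is bound to the merchant it was issued to; a leaked token is useless elsewhere.
        entry = self._vault.get(token)
        if entry is None or entry[1] != merchant_id:
            return False
        return amount > 0  # issuer-side checks (limits, 3DS) are out of scope for this model

    def delete_token(self, token, merchant_id):
        # Honour the cardholder's request to remove a saved token from one merchant.
        entry = self._vault.get(token)
        if entry is None or entry[1] != merchant_id:
            return False
        del self._vault[token]
        return True

class Merchant:
    # Merchant-side storage: the record has a token field only, no PAN, CVV or expiry.
    def __init__(self, merchant_id, network):
        self.merchant_id = merchant_id
        self.network = network
        self.saved_tokens = {}  # customer_id -> network token

    def save_card(self, customer_id, pan, consent):
        # PAN is forwarded once for enrolment and never written to merchant storage.
        token = self.network.request_token(pan, self.merchant_id, consent)
        self.saved_tokens[customer_id] = token
        return token

    def charge(self, customer_id, amount):
        token = self.saved_tokens.get(customer_id)
        return token is not None and self.network.authorize(token, self.merchant_id, amount)

    def remove_card(self, customer_id):
        token = self.saved_tokens.pop(customer_id, None)
        return token is not None and self.network.delete_token(token, self.merchant_id)
```

Running the same constructed PAN through two merchants yields two different tokens, and a token issued to one merchant is refused when presented by the other.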
How the New RBI Guidelines Benefit Merchants
One obvious benefit of tokenizing credit and debit card information is that merchants can reduce the risk of data theft and card fraud to a minimum. This can help reduce chargebacks, payment declines, and even interchange fees. Moreover, network tokenization might shift the liability for the chargebacks to the issuer instead of the merchant.
Substantial Financial Impact
You can expect a substantial financial benefit if you're a merchant that processes a massive volume of transactions daily. How? With network tokenization, your payment interchange fee is reduced, and the more transactions you process daily, the more that benefit adds up.
Merchants have little involvement when it comes to issuing tokens. Once the card brand generates the token, it is the card brand's responsibility to make the necessary updates if the customer's card information changes. This way, merchants can offer a better user experience by ensuring that all transactions go through without much effort on their part.
Is it Mandatory to Tokenize your Cards?
While the RBI has recommended that consumers tokenize their debit or credit cards for their own good, it's not mandatory. It's entirely up to the consumer whether they want to tokenize their cards or not. If they don't, they'll have to enter all the details, such as the CVV, expiration date, and full card number, each time a payment is processed.
Retailers, payment aggregators, and merchants, however, cannot store card information such as the full PAN, expiry date, CVV, and other sensitive details. You'll have to use tokenization and convert the sensitive information into network tokens to be able to process payments as usual.
To Whom Do the RBI Tokenization Regulations Apply?
RBI tokenization regulations are to be mandatorily followed by:
- The businesses based in India catering to customers within India using domestic debit or credit cards.
- Merchants or businesses that operate from outside India but have customers with credit/debit cards issued in India.
Failure to follow the RBI tokenization regulations amounts to security non-compliance, which can further attract legal action against the merchant or online retailer.
Will Merchants be Charged for Tokenization?
Customers can tokenize as many cards as they wish without paying anything, and the same goes for merchants. Tokenization is handled by the card networks such as Visa, MasterCard, RuPay, etc., so it is believed that merchants won't be liable to pay anything for tokenization.
What do Merchants Need to do to Comply with Regulations?
Complying with the new RBI regulations is fairly easy. Here's what merchants need to do:
- You must delete all existing cardholder information from your database and replace it with network tokens.
- You must get explicit customer consent before you save the card details. As a merchant, you must ensure that your payment gateway does that.
- A PayNow link must be configured in customer emails so they can pay any pending invoices as a one-off payment in case recurring payments fail.
- If you're experiencing more payment failures after complying with the regulations, you can contact your payment gateway to rectify the issue.
Conclusion
While tokenization seems like quite a chore for both customers and merchants, it's a welcome initiative by the RBI to fight card-related fraud. Therefore, as a merchant, you must comply with all the guidelines and regulations set out by the RBI. This way, you can stay functional as a business and protect your customers from debit/credit card fraud.
Anta Pattabiraman is the co-founder and CEO of Inai, a global payment stack simplifying native payments within a single integration. Over the last 5 years, he has worked with 200+ businesses ranging from SMEs to Bigtechs.