Card payments need tokenisation in 2022; all your queries answered

The convenient card payments are set for a major overhaul at the beginning of the next year. Banking regulator Reserve Bank of India (RBI) had earlier this year prohibited all entities involved in the card transaction process from storing actual card data – including the entire card number, the CVV code and the date of expiry. These will be replaced by tokens instead, which will be unique for every combination of card, merchants and devices.

Card tokenisation, as the substitution of card details with tokens is called, is primarily meant to protect crucial user data from data leaks and frauds. The process begins with users raising requests for generating tokens against their card details. Several platforms, including Zomato and Uber, have already started prompting their users to “secure” their cards to continue using them from January 1, 2022, onwards.

However, the transition to card tokenisation might not be a smooth one. While most major stakeholders are ready for the switchover, some small and medium players are yet to complete the prerequisites for tokenisation. Customers, merchants and financial institutions are likely to face some disruption during the initial days, says Tanya Naik, head of online business at transaction technology provider Pine Labs.

In this piece, we decode what card tokenisation is, how customers can generate tokens to secure their cards, the process thereafter and more:

What is card tokenisation?

As the RBI puts it, tokenisation refers to replacement of actual card details with an alternate code, monikered the “token”. This token will be a unique 16-digit code representing a combination of card, a token requestor, and a registered device.

A token requestor is an entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token.

Customers can also reverse the process by converting their tokens back to actual card details, through a process called de-tokenisation.

Notably, tokenisation is not mandatory, but not availing of this feature will also leave customers without the security cover that comes with hiding card details.

Will you need to memorise the 16-digit token for every transaction?

No, you will only need to consent to generate a token, which can then be used for a subsequent transaction to a particular merchant using the same card through a registered device.

“The customer just needs to provide consent to get the card enrolled for a saved card functionality. Apart from the ‘consent’ the customer experience doesn’t change, it flows as a regular transaction where the customer needs to enter the OTP and proceed for a successful completion from the transaction,” says Tanya Naik of Pine Labs. “This transaction flow remains the same for a repeat transaction too.”

The only change that the customer might observe will be on the checkout screen, where the last 4 digits of the card will be displayed and not the BIN (first 6 digits).

What devices can be used for card tokenisation?

Customers can tokenise their cards for transactions via mobile phones or tablet computers only. Smart-watches or other smart devices that support digital payments have not been included in the ambit of card tokenisation yet.

Who can tokenise or de-tokenise cards?

Only authorised card networks, approved by the RBI to operate in India can perform card tokenisation or de-tokenisation.

What use cases does card tokenisation cover?

Card tokenisation has been approved for all use cases, including contactless card transactions, payments through QR codes, app, etc. This means paying through a contactless PoS terminal or in-app payments to aggregators will have to follow card tokenisation from January 1, 2022, onwards.

Customers can easily register or revoke card tokens for any of their preferred use cases, and even set transaction limits for respective channels.

Will card payments face any issues with the rollout of tokenisation?

“We expect significant disruptions across the ecosystem – customers, merchants and financial institutions – during the initial days. While certain players have migrated to the norm, a vast majority of ecosystem enablers (be it issuers, payment gateways, networks, payment aggregators) are still not ready to support this change,” says Naik of Pine Labs.

As initial teething problems subside, the framework is expected to get more streamlined, with solutions like recently launched Plural Tokenizer by Pine Labs coming into use by merchants and other stakeholders working together to iron out the kinks.