Tokenisation: New credit, debit card rules to kick in from Oct 1

The new rules related to store credit and debit card details and tokenisation will kick in from October 1, 2022. Following that, your credit or debit card history on any merchant platform will be automatically deleted.

As per the RBI directives, all entities, except card issuers and card networks, will purge the card data before October 1, 2022. The RBI has given two options for cardholders while making any payment in future -- either enter full card details each time you make a payment or opt for tokenisation.

Opting for tokenisation is voluntary for cardholders. Those who do not want to create a token can continue to transact as before, but they’ll have to enter card details manually each time they carry out a transaction.

What is tokenisation?

As per the RBI, cardholders can create “tokens” (a unique alternate code) in place of card details; these tokens can then be stored by the merchants for processing transactions in future. Thus, tokenisation removes the need to store card details with merchants and provides the same level of convenience to cardholders.

Why 'tokenisation' is necessary?

So far, entities, including merchants, involved in an online card transaction chain, store card data like card number, expiry date, etc., citing cardholder's convenience for future transactions. While this practice is convenient, the availability of card details with multiple entities increases the risk of card data being stolen or misused.

In the past, too, there have been many instances where such data stored by merchants, etc., have been compromised. Many jurisdictions do not mandate additional factor of authentication for approving card transactions, and in such cases, stolen data may fall into the hands of fraudsters.

How to create a token?

To create a token, the cardholder will do a one-time registration for each card, at every online or e-commerce merchant’s website or mobile app, by entering card details and giving consent for creating a token.

The consent is validated by way of authentication through an Additional Factor of Authentication or AFA. Thereafter, a token is created, which is specific to the card and online merchant, which means it can't be used for payment at any other merchant.

For future transactions at the same merchant platform, the cardholder just needs to enter the last four digits instead of remembering the entire card details. A credit or debit card can be tokenised at any number of online or e-commerce merchants. For each of them, a specific token will be created.

Notably, the industry stakeholders have highlighted some issues related to the implementation of the tokenisation framework. Also, a number of transactions processed using tokens are yet to gain traction across all categories of merchants.

The Merchant Payments Alliance of India (MPAI), which is a group of merchants accepting digital payments including Microsoft, Netflix, Spotify, Zoom, and Disney+Hotstar, among others, is of the view that the RBI should first fully resolve their concerns and ensure merchants are ready before rolling out the service.