What are the basic tenets of tokenisation?
Tokenisation acts as an additional layer of security as it masks sensitive card data such as the 16-digit account number, expiry date and security code. It creates a set of numbers called a ‘token’, which is used as a substitute for one's card information. This ensures one's card information is not disclosed to the website or merchant one is transacting with. Tokens can be device-specific, retailer-specific or even use case-specific. The RBI has specified that the ‘token’ needs to be unique for every combination of card, token requestor and device.
What kind of transactions is it available for?
Tokenisation is available for all types of card transactions, including contactless transactions, in-app payments, QR code-based payments and token storage mechanisms. Tokenisation takes the security of a physical EMV (Europay, MasterCard, Visa) chip and applies it to non-card environments such as mobile, online and proximity payments. Payments experts said that tokenisation was a necessary step given the rapid growth of mobile payments in the country and major card companies actively pushing contactless payments.
Will tokenisation make card transactions more secure?
Tokenisation will help to prevent fraud by offering financial institutions, merchants, and third-party payment providers, such as digital wallet operators, a secure way to enable mobile and online payments without sharing sensitive account information. Tokens don’t carry the consumer’s primary account number, reducing the risk of storing tokens on mobile devices, with online merchants, and in cloud-based mobile apps. Connected devices and risk-based authentication would make it easier to detect fraud. Tokenisation also makes it more difficult for hackers to gain access to cardholder data. Earlier, card numbers were stored in databases and exchanged freely over networks. With tokenisation, sensitive data of all kinds, including bank transactions, loan applications, and stock trading, is substituted with tokens. However, the security level of the app and of the customer’s mobile itself also need to be taken into consideration, say experts.
How would this help the payments industry?
Tokenisation could play a huge role in building customer comfort with the new forms of payment by reducing fraud, thus propelling digital payments. Tokenisation will generate more daily use cases for contactless payments and reduce hesitation in storing card information with mobile wallet apps. Customers have been wary of such transactions, but tokenisation can help in overcoming this hesitation.
How can a customer request for the facility?
To enable tokenisation, a customer can use a third-party (token requestor) app such as the UPI app, a bank app or a mobile wallet app. At present, the facility shall be offered through mobile phones and tablets only. The central bank is expected to examine the extension to other devices later.
Tokenisation requires explicit consent on the part of the customer through an additional factor of authentication. It cannot be undertaken by way of a forced, default or automatic selection of a check box, radio button, etc. Customers cannot be charged for availing the tokenisation service. Customers will have the option to register or deregister their card for a particular purpose and also the option to set and modify per-transaction and daily transaction limits for such transactions. The customer shall be free to use any card registered with the token requestor app for performing a transaction. Tokens tied to lost or stolen mobile devices can be instantly reissued — without the need to change the consumer’s primary account number or reissue the plastic card.
Who is responsible for the security of tokenised transactions?
The central bank has placed the ultimate responsibility for the card tokenisation services rendered on the authorised card networks. Adequate safeguards shall be put in place to ensure that the primary account number cannot be found out from the token and vice versa by anyone except the card network. Actual card data, token and other relevant details shall be stored in a secure mode. Token requestors shall not store PAN or any other card detail. Card networks shall also get the token requestor, card issuers or acquirers, their service providers and any other entity involved in the payment transaction chain, certified for processing tokenised card transactions.
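A minimal sketch of the vault model described above, added here as an illustration and not taken from the RBI circular or any card network's system. The class name, method names, the context check on de-tokenisation and the sample card number are all assumptions made for the example; it shows one token per card, token requestor and device combination, a token that is random rather than derived from the PAN, and reissue after a lost device with the PAN left unchanged.

```python
import secrets

class TokenVault:
    """Hypothetical stand-in for the card network's token vault."""

    def __init__(self):
        self._by_binding = {}  # (pan, requestor, device) -> token
        self._by_token = {}    # token -> (pan, requestor, device)

    def _new_token(self):
        # Random digits with no mathematical link to the PAN, so the PAN
        # cannot be worked out from the token without access to the vault.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._by_token:
                return token

    def tokenise(self, pan, requestor, device):
        # One token per (card, token requestor, device) combination.
        binding = (pan, requestor, device)
        if binding not in self._by_binding:
            token = self._new_token()
            self._by_binding[binding] = token
            self._by_token[token] = binding
        return self._by_binding[binding]

    def detokenise(self, token, requestor, device):
        # Network-side lookup. Assumption: the token is honoured only when
        # presented by the requestor and device it was issued for.
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (requestor, device):
            return None
        return binding[0]

    def reissue_for_device(self, requestor, lost_device, new_device):
        # Revoke every token bound to the lost device and issue fresh ones
        # for the new device. The underlying PAN is untouched.
        reissued = {}
        lost = [b for b in self._by_binding if b[1:] == (requestor, lost_device)]
        for binding in lost:
            old = self._by_binding.pop(binding)
            del self._by_token[old]
            reissued[old] = self.tokenise(binding[0], requestor, new_device)
        return reissued

SAMPLE_PAN = "4111111111111111"  # constructed test value, not a real card
```

The token requestor in this model holds only the token; the mapping back to the PAN exists solely inside the vault object.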