At the interaction with the media after the September monetary policy review, Reserve Bank of India (RBI) Deputy Governor T Rabi Shankar said the much-awaited tokenisation of debit and credit card details would commence on October 1 “even though there may be laggards unwilling to comply with the regulations”.
According to Shankar, 350 million tokens had been created so far, and 40 per cent of online card transactions, worth about Rs63,000 crore, were already tokenised.
What is tokenisation? Why do we need this?
In a casino, money is exchanged for tokens at the casino cage, at the gaming tables or at a cashier station. The tokens are interchangeable with money inside the casino and have no value outside it, even though cabbies and waiters in gambling towns may accept them as tips.
This is a different token.
When we buy anything online using a credit or debit card, we have two choices. One, we key in all the card details on the merchant’s web platform every time we buy, and nothing is stored. Two, we save the card details and allow the merchant to store them.
A few merchants give customers the choice, but for those who shop frequently the card details are typically stored. Some online marketplaces give the buyer no choice at all: whether we want it or not, the details are stored.
When we buy things directly from shops, using our cards through the swipe-and-pay method, the merchant does not retain the card details.
Who has access to the card details? The banks that issue the cards; the card networks such as Visa, Mastercard, American Express, RuPay and Diners Club; and, of course, the card holders themselves.
The merchants and the payment aggregators, too, have access to card details, and therein lies the problem. The information stored with them, which includes the buyer’s name, card details and spending habits, is at risk of being stolen in a breach and sold on the dark web. Merchants and aggregators are more fraud-prone than banks and card networks.
For a sense of scale, the outstanding credit card base in August was 77.99 million and that of debit cards 934.86 million.
The dark web, also called the darknet, is the part of the internet that is not indexed by search engines and is reached through anonymising overlay networks, most commonly via the Tor browser. Card data and card holders’ spending habits are bought and sold there.
(For laypersons the terms “deep web” and “dark web” may sound synonymous, but they are different. The deep web is anything on the internet that is not indexed and therefore not reachable through a search engine like Google; it includes anything behind a paywall or a sign-in. The dark web is the smaller subset of the deep web that is deliberately hidden and reachable only through anonymising software such as Tor.)
For every transaction, the moment a customer enters the CVV (card verification value) on a merchant’s site, the request travels through the payment aggregator and the card network to the card-issuing bank. Once the bank approves it, the transaction is complete.
The networks do the so-called switching: they carry the transaction from the acquiring bank (the merchant’s bank, which provides the point-of-sale or PoS terminal) to the card-issuing bank and carry the issuer’s approval or decline back. They do not store the CVV; under the card industry’s PCI DSS rules, nobody in the chain may store it after authorisation.
One way of reducing the risk and protecting customers from data theft is to cut the number of places where such information is stored. The banks, card networks and card holders must hold the information; merchants and payment aggregators do not need to.
Here comes tokenisation. It replaces the card details that a merchant stores for future payments (the 16-digit card number, name, expiry date and so on) with a token: a surrogate value that stands in for the card on that merchant’s website and is useless on its own.
The RBI made the first move on tokenisation in January 2019.
In March 2020, it released guidelines for payment aggregators and payment gateways. The norms, which took effect in July that year, prohibited them from storing customers’ card data.
Some of the online marketplaces wanted the regulator to reconsider, fearing a big impact on the payment experience on their platforms. Shifting from a single-click payment to entering the card details for every transaction is indeed tedious and time-consuming. It was a choice between customer protection and convenience. The RBI preferred the first, on the view that fewer points of storage make digital customers less vulnerable to fraud and cyberattacks.
For consumers, the checkout experience is unchanged, since the token simply stands in for the card details. The merchants no longer hold the card details, so if their sites are breached the attacker gets at most the token. And since each token is bound to the merchant that requested it, a token stolen from one merchant cannot be used at another.
The card holder can have the card tokenised by initiating a request on the merchant’s app or website. The merchant forwards the request to the card network, which, with the consent of the card issuer, issues the token free of charge.
The feature of tokenisation is available on mobile phones, tablets, laptops, desktops, wearables such as wrist watches and bands, IoT or Internet of Things devices, et al.
For the customers, it is not mandatory.
They also have the option to register and deregister their cards for tokenisation.
A card is registered for tokenisation only with the customer’s explicit consent, confirmed through an Additional Factor of Authentication (AFA), and never through a pre-ticked check box. Customers can also choose where a token is used and set limits, including daily limits on tokenised card transactions, which they can modify later.
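To make the mechanism in the preceding paragraphs concrete (the token standing in for the card details, its binding to the one merchant that requested it, consent at registration, and deregistration), here is an added worked example in Python. It is illustrative code written for this article, not code from the RBI, any card network or any merchant; the vault and merchant classes, the TOKEN_BIN value, the random token format and the test card number are all assumptions.

```python
"""Toy card-on-file tokenisation: a token vault standing in for the card
network's token service, and two merchants that store only tokens.
Illustrative code added to this article; not RBI or any network's code."""
from __future__ import annotations

import json
import secrets
from dataclasses import dataclass

TOKEN_BIN = "999999"  # assumption: a hypothetical BIN range reserved for tokens


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that completes `partial`."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # this digit is doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class TokenRecord:
    pan: str            # real card number, held only inside the vault
    merchant_id: str    # the token requestor this token is bound to
    active: bool = True


class TokenVault:
    """Plays the card network's token service provider role."""

    def __init__(self) -> None:
        self._tokens: dict[str, TokenRecord] = {}

    def issue_token(self, pan: str, merchant_id: str, customer_consent: bool) -> str:
        if not customer_consent:
            raise PermissionError("tokenisation requires explicit customer consent")
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("not a valid 16-digit PAN")
        while True:  # random, format-preserving (16-digit, Luhn-valid) and unique
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._tokens:
                break
        self._tokens[token] = TokenRecord(pan, merchant_id)
        return token

    def detokenise(self, token: str, merchant_id: str) -> str | None:
        """Map a token back to its PAN for authorisation; None means rejected."""
        rec = self._tokens.get(token)
        if rec is None or not rec.active:
            return None
        if rec.merchant_id != merchant_id:  # domain restriction: wrong merchant
            return None
        return rec.pan

    def deregister(self, token: str) -> None:
        """Customer withdraws the token; later use of it is refused."""
        if token in self._tokens:
            self._tokens[token].active = False


class Merchant:
    """A merchant that stores the token and last four digits only, never the PAN."""

    def __init__(self, merchant_id: str, vault: TokenVault) -> None:
        self.merchant_id = merchant_id
        self.vault = vault
        self.cards: dict[str, dict[str, str]] = {}

    def save_card(self, customer: str, pan: str, consent: bool) -> str:
        token = self.vault.issue_token(pan, self.merchant_id, consent)
        self.cards[customer] = {"token": token, "last4": pan[-4:]}
        return token

    def charge(self, customer: str) -> bool:
        """Submit the stored token; succeeds only if the vault accepts it."""
        return self.charge_with_token(self.cards[customer]["token"])

    def charge_with_token(self, token: str) -> bool:
        """Also what an attacker replaying a stolen token at this merchant gets."""
        return self.vault.detokenise(token, self.merchant_id) is not None


def demo() -> dict[str, bool]:
    vault = TokenVault()
    shop_a, shop_b = Merchant("SHOP-A", vault), Merchant("SHOP-B", vault)
    pan = "4111111111111111"  # constructed, well-known test PAN, not a real card
    token = shop_a.save_card("alice", pan, consent=True)
    results = {
        "token_looks_like_card": len(token) == 16 and luhn_valid(token) and token != pan,
        "merchant_charge_ok": shop_a.charge("alice"),
        "stolen_token_at_other_merchant_ok": shop_b.charge_with_token(token),
        "pan_in_merchant_dump": pan in json.dumps(shop_a.cards),  # breach of SHOP-A
    }
    vault.deregister(token)  # the customer deregisters the card
    results["charge_after_deregister_ok"] = shop_a.charge("alice")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the properties the article describes: a dump of the merchant's card store contains no PAN, the token is accepted only when presented by the merchant it was issued to, and a deregistered token is refused. Real token services add expiry dates, token cryptograms and per-device binding on top of this; the merchant-binding check alone is what makes a stolen token worthless elsewhere.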
No other country has carried out this experiment in customer protection. India’s two-factor authentication is also unique. The first stage of any online transaction is entering the card details on the merchant’s payment gateway; a one-time password (OTP) is then sent to the customer’s mobile phone and must also be keyed in to complete the purchase. The two-factor process is mandatory for every payment above Rs5,000. Many feel that while it makes transactions more secure, it inhibits spending, and the smallest merchants are hit hardest.
From October 2021, recurring payments of over Rs5,000 also require the customer’s consent through two-factor authentication every time a payment is to be made, replacing the auto-debit rules that were in vogue. For payments up to Rs5,000, customers register the standing instruction once with AFA, after which the recurring debits under it go through without a fresh AFA.
Until recently, even for a one-off or so-called guest transaction, merchants used to keep the card data after checkout for at least six months, often without the customer’s consent. Why? In case the customer wanted to return the goods, and for dispute resolution. The RBI has recently cut that window to four days.
The writer, a consulting editor with Business Standard, is an author and senior adviser to Jana Small Finance Bank Ltd
His latest book is Pandemonium: The Great Indian Banking Tragedy.