Card tokenisation will change the way you shop or pay online, and make it safer too
The Reserve Bank of India (RBI) guidelines which come into effect from October 1, will prevent any online platform and payment gateways from saving any credit card details in their absolute form
Paying for your online shopping and making digital payments, starting this weekend, will be significantly different from what you have experienced till now. On the face of it, things will remain mostly familiar: you pay for what you buy with your credit or debit card (if you choose not to use one of the plethora of other methods, including UPI, or unified payments interface). Yet the underlying technology at play will have evolved, and matured, to tackle modern-day fraud better.
The Reserve Bank of India (RBI) guidelines, which come into effect from October 1, will prevent any online platform (including shopping websites and merchants) and payment gateways from saving any credit card details in their actual form. Each credit card, on each website, merchant or payment gateway, will instead be assigned a unique code. This is called a token. It is generated once for each website, platform or app where you use your card.
Scrubbing your card details, unless secured
“Tokenisation refers to replacement of actual card details with an alternate code called the token, which shall be unique for a combination of card, token requestor and device,” according to the RBI. The token requestor, in this case, is the entity which accepts a request from a customer for tokenisation of a card and passes it along to the issuing card network (Mastercard, Visa, RuPay or American Express) to create a corresponding token.
The word to keep in mind is tokenisation, the process of assigning a token to each payment mode, and unique to each online entity. This is an additional security layer for your credit and debit cards being used to make payments on online platforms. It means online platforms, including the likes of Amazon, Flipkart, Paytm and Myntra, will no longer be able to save your card details, as they did till now.
That is, unless you choose to tokenise your card, in which case the website or app you have tokenised the card for will hold only that token, with no further identifiers linking it back to your card or to you. When you return to the shop and are ready to pay, you select this token (instead of a credit card number, as you did so far), enter the card details asked for, complete the two-factor authentication, and the payment loop is complete.
“A secure and tokenised card transaction is safer as the actual card details are not shared and stored with the merchants to perform the transaction. Securing and tokenisation also helps you save the hassle of inputting your complete card details each time,” says HDFC Bank, in the latest guidance ahead of the tokenisation deadline.
How far along are we in the tokenisation journey
The journey will be long, because of the volume of cards in play. According to RBI numbers for August, there are more than 7.8 crore active credit cards in India. Credit card based online shopping for the month stood at ₹67,414 crore, while spending in physical stores using point-of-sale terminals was ₹44,943 crore.
Mind you, this is not a mandatory process. If a customer chooses to not have their card tokenised on any platform for making payments, they can still make payments by entering the 16-digit card number as well as card expiry date and CVV number along with the two-factor authentication code (this will be the OTP the bank sends you).
“With Token Hub we are working towards Government’s Digital India vision as we believe this regulation will boost the digital payments ecosystem by making online transactions safer from cyber frauds and thefts,” says Manas Mishra, Chief Product Officer, PayU, a digital payments platform.
PayU says it has tokenised more than 50 million card details. It also points out that the success rate for transactions made with tokenised cards, compared with those that aren’t, is as much as 7% higher.
Online payments platform PhonePe confirms that 14 million credit and debit cards in use on the platform have been tokenised. The company integrated the tokenisation option within the checkout flow in December last year, for Visa, Mastercard and RuPay cards. Paytm, which is continuing to build on its superapp aspirations, says 52.3 million cards issued on the same three networks have been tokenised on its platform.
“For customers, their card details are saved only by the issuer banks and card networks, minimizing the risk of data leakage and transaction fraud. For merchants, safer transactions translate to consumer confidence in using cards on online platforms, thereby helping merchants witness growth in overall transactions,” says Deep Agrawal, Head of Payments at PhonePe, in a statement.
Paytm’s observations about transaction success rates and the relation to tokenisation are similar to PayU’s. “This brings with it faster checkouts, as well as success rates that are at par or higher compared to saved cards,” a Paytm spokesperson said.
While these are big numbers, they are a drop in the ocean. Every retailer, website and payment gateway will need to assign tokens to every card being used, after user consent. That itself will take some time, since users rarely use every card in their wallet within the space of a few days.
Shielding your payment tools from being breached
The policy was first introduced by the RBI in January 2019 and has since seen multiple inclusions within the scope. One of these is the expansion of tokenisation availability from just mobile devices, to include laptops, desktops, wearables such as smartwatches and Internet of Things (IoT) devices such as smart displays.
Till now, the way you made payments across the width of the internet was to punch in your credit or debit card details (or select them from a pre-saved list, if you had been there before), enter the CVV and the one-time password (OTP) shared by the bank, and complete the payment.
That also meant shopping websites, platforms and just about any app held the details of your credit or debit card: at least the card number, type of card and card issuer network. That stored data was therefore exposed to hacking and data breaches.
The RBI’s and the government’s aim is to add a layer of protection against such phishing, hacking and data breach attacks, which online platforms face quite regularly.
Guessing payment details: all too easy?
According to online security management platform UpGuard, some of the biggest data breaches on web platforms have included card details as a necessary ingredient. The Equifax data breach (September 2017; 147 million credit card numbers) and Capital One (March 2019; 100 million card applications) are some of the biggest in history.
Data breaches aren’t the only headache for regulators to try and tackle, by being a step ahead of the attempts.
“Database breaches aren’t the only way to get hacked payment card details anymore. Increasingly, the card numbers sold on the dark web are brute forced,” according to online security firm Nord Security (you probably know them best for the NordVPN software).
In a brute force attack, software built for the purpose plays a guessing game, trying number combinations until it hits an actual card number. While most platforms have a limit that clamps down on guessing attempts (Mastercard’s system, for instance, steps in after 10 such incorrect guesses), many don’t.
“Most systems limit the number of guesses you can make in a short space of time to prevent these kinds of attacks, but there are ways to get around this,” they add.
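The guess limit the article describes, worked through as an added example (not code from the article or from any card network): an issuer-side limiter that reads constructed authorisation log lines, counts failed attempts per card in a sliding window, and blocks the card once the count reaches a threshold. The threshold of 10 is the Mastercard figure quoted above; the 600-second window, the log format, the card references and the merchant labels are all assumptions made for the example. Counting is keyed on the card rather than on the merchant, so the count reflects the issuer’s overall view of that card.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Threshold from the article (Mastercard's "after 10 incorrect guesses");
# the window length is an assumption for this example.
MAX_FAILED = 10
WINDOW_SECONDS = 600

# Constructed log format: "<ISO timestamp>Z card_ref=<id> merchant=<id> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) card_ref=(?P<card>\S+) merchant=(?P<merchant>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one constructed log line into (unix_ts, card_ref, merchant, succeeded)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["card"], m["merchant"], m["result"] == "ok"


class GuessLimiter:
    """Sliding-window failed-attempt counter, keyed on the card, not the merchant."""

    def __init__(self, max_failed=MAX_FAILED, window=WINDOW_SECONDS):
        self.max_failed = max_failed
        self.window = window
        self._failures = defaultdict(deque)  # card_ref -> timestamps of recent failures
        self.blocked = set()

    def check(self, ts, card, ok):
        """Return 'allow', 'block' (this attempt tripped the limit) or 'refused' (already blocked)."""
        if card in self.blocked:
            return "refused"
        recent = self._failures[card]
        while recent and ts - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if ok:
            recent.clear()  # a genuine successful authorisation resets the count
            return "allow"
        recent.append(ts)
        if len(recent) >= self.max_failed:
            self.blocked.add(card)
            return "block"
        return "allow"


def run(lines, limiter=None):
    """Feed log lines through the limiter; return per-line decisions and the blocked cards."""
    limiter = limiter or GuessLimiter()
    decisions = []
    for line in lines:
        ts, card, merchant, ok = parse_line(line)
        decisions.append((card, merchant, limiter.check(ts, card, ok)))
    return decisions, sorted(limiter.blocked)


# Constructed sample: card_A sees 12 failures within 12 seconds across three
# merchants; card_B fails twice, succeeds, then fails once much later.
SAMPLE_LOG = [
    f"2022-10-01T10:00:{i:02d}Z card_ref=card_A merchant=m{i % 3} result=fail" for i in range(12)
] + [
    "2022-10-01T10:05:00Z card_ref=card_B merchant=m0 result=fail",
    "2022-10-01T10:05:01Z card_ref=card_B merchant=m0 result=fail",
    "2022-10-01T10:05:02Z card_ref=card_B merchant=m0 result=ok",
    "2022-10-01T10:30:00Z card_ref=card_B merchant=m1 result=fail",
]

if __name__ == "__main__":
    decisions, blocked = run(SAMPLE_LOG)
    for card, merchant, decision in decisions:
        print(f"{card:8} {merchant:4} {decision}")
    print("blocked:", blocked)
```

With the sample above, card_A is allowed through its first nine failures, is blocked on the tenth, and the remaining two attempts are refused outright; card_B never reaches the threshold because its successful authorisation clears the window. Whether a success should reset the counter is a policy choice; the example makes it explicit so it can be changed in one place.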
One token for each card, for each platform
This is where things get a bit complicated, and perhaps overwhelming, if the card user isn’t entirely clued in on the requirements. Let us explain with an example. Say you are using an HDFC Infinia Mastercard credit card for shopping on Amazon. At some point during the transaction, you’ll be asked for consent to tokenise it (you can say no and proceed). If you agree, your card details on Amazon will be tokenised and the actual card details scrubbed from Amazon’s systems.
Now, if you want to use the same HDFC Infinia Mastercard credit card on Myntra, to buy some new apparel perhaps, the token created for Amazon will not work there. The same process needs to be followed (it is a one-time process) to get a unique token for your card on Myntra. And so on, for each website, platform or app that asks for your credit card details.
“Tokens can be used for online transactions, mobile point-of-sale transactions or in-app transactions. This token contains no personal information that can be directly accessed and keeps changing making it the most secure method to complete payments,” according to SBI Card’s tokenisation guidelines.
Managing tokens: a potential ordeal?
For every website or app, for every card you have, creating or managing these tokens can potentially become a nightmare. The regulations clearly put the onus on card issuing banks and financial institutions to provide users with access to the tokens generated for their cards, with the ability to cancel or delete any of them.
The methods being deployed may slightly differ.
HDFC Bank, for instance, has created a separate website, the link for which is shared every time a new token is created (it would be best to bookmark this URL), rather than integrating the same functionality within the HDFC MyCards application for smartphones.
SBI, on its part, wants the user to call customer care to have a token deleted. “You can delete tokens by directly going to the merchant’s website/app and deleting the card associated with the token from your payment preferences. Alternatively, you can also call SBI Card’s helpline to request for deletion,” they say.
Standard Chartered seems to be following a similar method. “Card holders can place request for delete, suspend, resume of tokens through the contact centre team,” their guidelines suggest.
American Express has added the option to manage tokens within the existing online account for all credit and charge card holders.
It may be a while before all banks and card issuers deliver the convenience of integrating the token management system within the larger online banking and card management accounts. In the meantime, if you do need to delete a token on any app or website, you may be better off directly heading to them and deleting it from your account there.
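To tie together the tokenisation model described in this article (one token per card, token requestor and device; the merchant keeps only the token; the issuer gives the cardholder a view of their tokens with the ability to suspend, resume or delete them), here is an added example that is not code from the article, the RBI or any card network. It is a constructed model: a single `TokenVault` stands in for the card network and issuer together, the `Merchant` class for the token requestor, the 16-digit random token format is illustrative only, and the merchant names, customer id and the test card number `4111111111111111` are placeholders.

```python
import secrets
from dataclasses import dataclass

# Constructed model of card-on-file tokenisation. The vault plays the
# network/issuer side; merchants never see or store the real card number.


@dataclass
class TokenRecord:
    pan: str                 # real card number, held only inside the vault
    requestor: str           # merchant (token requestor) the token was issued to
    device: str              # device the cardholder tokenised on
    status: str = "active"   # active | suspended | deleted


def mask(pan):
    """Cardholder-facing display form: only the last four digits are shown."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    def __init__(self):
        self._records = {}   # token -> TokenRecord
        self._index = {}     # (pan, requestor, device) -> token

    def tokenise(self, pan, requestor, device):
        """Issue exactly one live token per (card, requestor, device) combination."""
        key = (pan, requestor, device)
        existing = self._index.get(key)
        if existing and self._records[existing].status != "deleted":
            return existing
        while True:  # random token, unrelated to the PAN (format illustrative)
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._records:
                break
        self._records[token] = TokenRecord(pan, requestor, device)
        self._index[key] = token
        return token

    def detokenise(self, token, requestor, device):
        """Resolve a token back to the PAN only for the requestor/device it was issued to."""
        rec = self._records.get(token)
        if rec is None or rec.status != "active":
            return None
        if (rec.requestor, rec.device) != (requestor, device):
            return None  # a token presented from the wrong merchant or device is useless
        return rec.pan

    def _set_status(self, token, status):
        rec = self._records.get(token)
        if rec is None or rec.status == "deleted":
            return False
        rec.status = status
        return True

    def suspend(self, token):
        return self._set_status(token, "suspended")

    def resume(self, token):
        return self._set_status(token, "active")

    def delete(self, token):
        return self._set_status(token, "deleted")

    def tokens_for_card(self, pan):
        """The cardholder's management view: every live token issued for this card."""
        return [
            {"token": t, "requestor": r.requestor, "device": r.device,
             "status": r.status, "card": mask(pan)}
            for t, r in self._records.items() if r.pan == pan and r.status != "deleted"
        ]


class Merchant:
    def __init__(self, name, vault):
        self.name, self.vault = name, vault
        self.saved = {}  # customer -> token; the PAN is never stored here

    def save_card(self, customer, pan, device):
        self.saved[customer] = self.vault.tokenise(pan, self.name, device)
        return self.saved[customer]

    def charge(self, customer, device):
        token = self.saved.get(customer)
        return token is not None and self.vault.detokenise(token, self.name, device) is not None


def demo():
    """Walk the article's Amazon/Myntra scenario and the token lifecycle; returns the outcomes."""
    vault = TokenVault()
    amazon, myntra = Merchant("amazon", vault), Merchant("myntra", vault)
    pan = "4111111111111111"  # constructed test number, not a real card
    t_amz = amazon.save_card("customer-1", pan, "phone-1")
    t_myn = myntra.save_card("customer-1", pan, "phone-1")
    results = {
        "distinct_tokens": t_amz != t_myn,                                   # one token per merchant
        "same_token_on_repeat": amazon.save_card("customer-1", pan, "phone-1") == t_amz,
        "merchant_holds_pan": pan in set(amazon.saved.values()) | set(myntra.saved.values()),
        "amazon_charge": amazon.charge("customer-1", "phone-1"),
        "token_reused_elsewhere": vault.detokenise(t_amz, "myntra", "phone-1") is not None,
        "cardholder_view": len(vault.tokens_for_card(pan)),
    }
    vault.suspend(t_amz)
    results["charge_while_suspended"] = amazon.charge("customer-1", "phone-1")
    vault.resume(t_amz)
    results["charge_after_resume"] = amazon.charge("customer-1", "phone-1")
    vault.delete(t_myn)
    results["charge_after_delete"] = myntra.charge("customer-1", "phone-1")
    results["view_after_delete"] = len(vault.tokens_for_card(pan))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the properties the article describes: the Amazon and Myntra tokens differ, tokenising again on the same merchant and device returns the existing token rather than minting another, neither merchant ever holds the card number, the Amazon token resolves to nothing when presented by Myntra, and suspending or deleting a token from the cardholder’s side stops the merchant charging it without the merchant having to do anything.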