With the Reserve Bank of India (RBI)'s deadline for card tokenisation ending on 30th September (unless it is extended again), many debit and credit card-holders are worried about making payments online after 1st October. As per RBI's framework for card-on-file (CoF) tokenisation (CoFT), card-holders can create a token, a unique alternate code that stands in for the card details, which merchants can store to process future transactions. However, creating tokens is voluntary for card-holders, and those who do not wish to create a token can continue to transact by entering card details manually at the time of the transaction, RBI clarified.
At present, many entities, including e-commerce players and merchants, store card data like card numbers and expiry dates, citing the convenience and comfort of the card-holder for future transactions. While this practice is convenient, having card details stored with multiple entities increases the risk of card data being stolen or misused.
According to RBI, there have been instances where such data stored by merchants have been compromised. "Given the fact that many jurisdictions do not mandate additional factor of authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to card-holders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data."
Tokenisation is the process of replacing the 16-digit number on a debit or credit card with an alternate card number, or token, which is unique for a combination of card, token requestor (merchant) and device. Tokens can be used for online transactions, mobile point-of-sale (PoS) transactions or in-app transactions. No personal information that can be directly accessed is stored on the token.
To create a token under the CoFT framework, the card-holder has to undergo a one-time registration process for each card at every online or e-commerce merchant's website or mobile application, entering the card details and giving consent to create a token.
This consent is validated through an additional factor of authentication (AFA). Afterwards, a token is created for that combination of card and online or e-commerce merchant. This token, however, cannot be used for payment at any other merchant.
For future transactions performed at the same merchant website or mobile application, the card-holder can identify the card with the last four digits during the checkout process. In short, the card-holder is not required to remember or enter the token for future transactions. A card can be tokenised at any number of online or e-commerce merchants. For every online or e-commerce merchant where the card is tokenised, a specific token needs to be created.
Also, remember, if needed, you can delete the token by directly going to the merchant's website or app and deleting the card associated with the token from your payment preferences.
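The binding described above (one token per card, merchant and device, unusable anywhere else, shown to the card-holder by its last four digits, and deletable) can be sketched in a few lines. This is an added example, not code from RBI or any card network; the `TokenVault` class, merchant names and device ids are hypothetical, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """Toy stand-in for the token issuer; only this vault ever holds card numbers."""

    def __init__(self):
        self._by_token = {}    # token -> (card_number, merchant, device)
        self._by_binding = {}  # (card_number, merchant, device) -> token

    def tokenise(self, card_number, merchant, device, afa_verified):
        # Consent must be validated through an additional factor (e.g. OTP).
        if not afa_verified:
            raise PermissionError("AFA not completed; no token issued")
        binding = (card_number, merchant, device)
        if binding not in self._by_binding:
            token = None
            while token is None or token in self._by_token:  # random, not derived from the card
                token = "".join(secrets.choice("0123456789") for _ in range(16))
            self._by_binding[binding] = token
            self._by_token[token] = binding
        # The merchant stores only the token and the last four digits.
        return {"token": self._by_binding[binding], "last4": card_number[-4:]}

    def resolve(self, token, merchant, device):
        """Return the card number only to the requestor the token was issued to."""
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (merchant, device):
            return None
        return binding[0]

    def delete(self, token):
        binding = self._by_token.pop(token, None)
        if binding is not None:
            del self._by_binding[binding]

def demo():
    vault = TokenVault()
    card = "4111111111111111"  # constructed test number, not a real card
    a = vault.tokenise(card, "grocer.example", "phone-1", afa_verified=True)
    b = vault.tokenise(card, "food.example", "phone-1", afa_verified=True)
    results = {
        "tokens_differ": a["token"] != b["token"],
        "last4": a["last4"],
        "own_merchant": vault.resolve(a["token"], "grocer.example", "phone-1"),
        "other_merchant": vault.resolve(a["token"], "food.example", "phone-1"),
    }
    vault.delete(a["token"])
    results["after_delete"] = vault.resolve(a["token"], "grocer.example", "phone-1")
    return results
```

A token copied from one merchant's database resolves to nothing when presented by another merchant, which is what limits the damage from a breach of stored tokens.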
How To Create a Token for Your Debit or Credit Card?
1. Open the online application or website for buying groceries, paying bills or ordering food and initiate a transaction.
2. While checking out, select your credit or debit card and provide the card verification value (CVV).
3. Select the check box 'secure your card' or 'save card as per RBI guidelines'.
4. Enter the one-time passcode (OTP) received on your mobile number registered with the card-provider.
5. Your card details will be saved. You will receive a message mentioning the token code from your card-provider. The next time, you just need to identify your card from its last four digits and carry on with the transaction without remembering the token code.