The pace of digital payment adoption in India has been witnessing massive growth over the last few years. India is well on its way to becoming a global fintech leader with digital transactions growing 80% in 2020 and Unified Payment Interface transactions up by 70 times in the last four years. However, with the growing rate of digital transactions, financial crime and data breaches have also increased proportionally with digital fraud attempts on financial services rising by 88.5%.
In an effort to curb these rising cases and strengthen data security policies in the country, the Reserve Bank of India (RBI) issued guidelines in March 2020 stating that merchants, payment aggregators, and ecommerce websites will not be allowed to save sensitive card information such as card numbers, CVV codes, and expiration dates. This means that cardholders will have to enter their card details every time they make an online transaction.
The RBI has also released a fresh set of guidelines in September 2021, giving businesses until the end of the year to comply with new regulations and requiring the use of encrypted tokens in the place of actual card information. According to the RBI, “while the guidelines will be technology and platform agnostic, it will create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner.”
Tokenization explained
Tokenization is the process of replacing card details with a unique set of characters, or a token, that enables payments to be processed without exposing any sensitive card details that could potentially breach the security and privacy of consumers. A token is like an alias, an anonymized set of characters that replaces the original payment credential like a credit card. A token is used instead of the actual card number with a matching expiration date.
This token number is created using an advanced algorithm that maps the actual card number to a corresponding token number. This number is nearly impossible to crack since the original number mapped to the token resides only with the tokenization provider. In a way, tokenization is more secure than encryption, since with tokenization, there is no cryptographic key, only an intelligent mapping that cannot be cracked in the event of an attack.
There are two major types of tokenization that are used in the payment industry.
Device tokenization: Device tokenization is carried out by network providers while the token is saved on a near-field-communication (NFC)-powered mobile device, NFC-powered wearable, or any NFC-powered IoT device. The token can be embedded on these devices and then used for tap and pay transactions.
Card-on-file (CoF) tokenization or PCI tokenization: With this type of tokenization, the card details can be saved when you opt in during your initial online payment and can then be used to conduct card-not-present transactions. Such tokenizations can be performed by merchants, payment aggregators, payment gateways, or networks like Visa and Mastercard.
The RBI focused on the CoF tokenization method in its September 2021 guidelines. Tokens for each combination of card details, token requestor (merchant), and device shall be unique. Card issuers have also been permitted to offer card tokenization services as token service providers (TSPs). This service can only be offered for the cards either issued by or affiliated with the TSP
Securing the payment process
To understand how the CoF tokenization system will make the entire payment process more secure, we need to first understand how card transactions work currently. When you make a purchase online, the merchant takes your card details, and the merchant’s bank initiates the transaction by sending the details to the card network. The card network then sends those details to your card issuer’s bank requesting payment approval. In this process, your card details travel through three stakeholders, and the merchant (with your consent) can also save your card details to facilitate faster transactions in the future.
However, after the RBI’s CoF tokenization guidelines take effect, your card details will be replaced with a token in the very first step. During your initial purchase, the merchant will request the card network to generate a token for your card. This token is used throughout the entire payment chain. Merchants will receive the anonymized number from a token provider and store it in their database.
What do consumers need to do?
It should be noted that the introduction of CoF tokenization, while enhancing customer data security, will ensure customers have the same degree of convenience as before.
The RBI has also clarified that customers won’t have to memorize all of their card details. In a recent statement to the press, the RBI stated, “contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenization arrangement. The efforts of Reserve Bank to deepen digital payments in India and make such payments safe and efficient shall continue.”
This confirms that the payment experience for a customer will not change drastically under the new framework. Customers need to set up a one-time tokenization for each card on the first transaction with each new merchant they transact with. Starting January 2022, when customers make the first payment to any merchant, they will need to give their consent with an additional factor of authentication to tokenize their card. Once done, they can complete the payment as usual by filling in their card’s CVV and a one-time-password. This token will be saved on the merchant’s end for future transactions.
It must be noted that each stakeholder in the payment flow needs to comply with the new tokenization guidelines for the transaction to go through successfully. Even after tokenization is complete, the transaction may fail if a stakeholder has not integrated the required technology to accept or read tokenized cards.
It is also worth mentioning that tokenization can prove to be beneficial in case of fraud or theft. This is because multiple tokens are issued for the same card on different platforms. Even if a website faces a data breach, as mentioned above, it will be nearly impossible to reverse engineer or otherwise discover the actual card number, further ensuring the security of customer card information.
A step towards enhanced data security
As India moves towards implementing the Personal Data Protection Bill (newly titled The Data Protection Bill, 2021), this framework to enhance digital payment security in the country comes at a very opportune time. As fintech advances pick up pace in the country, it is important to weave in security and privacy by design at the earliest stages. Fulfilling the dream of a digital India can only succeed when data security concerns are satisfactorily addressed.
