The country’s central bank, the RBI (Reserve Bank of India), with a view to ensuring security and reducing fraud from the card-based online payment ecosystem, has disallowed merchants from saving card information on their system. Instead, the RBI has mandated the use of ‘encrypted tokens’ to carry out the transactions. The new rules come into effect from January 1, 2022.
Tokenisation will ensure that the transaction takes place without the cardholder’s account information being disclosed to either the merchant or any of the intermediaries.
It is not a change that has come about overnight. RBI first issued guidelines in March 2020 barring merchants from saving card information on their system. It reiterated the same in September 2021 and gave establishments time till December 31, 2021 to comply with the new rules, and also offered them the option to tokenise.
RBI is moving towards this as a tokenised card transaction is considered safer. The thing is the actual card details are not shared with the merchant during the processing of the transaction.
The process of tokensiation is simple:
You buy an item and at the time of payment you have to give your consent for tokenisation of your debit or credit card. (It is worth mentioning that you can choose, if you wish, to not let your card tokenised.)
Upon your approval, the merchant sends a tokenisation request to the card network, which will create a 16-digit token for the particular card number and send it back to the merchant.
Once created, the tokenised card details will be used in place of an actual card number for your online purchases. Of course, you have to approve the transaction with OPT and CVV number. Once created, you can use the same token for the same card with the same merchant any number of time.
But you have to create new tokens for different merchants, and also if you happen to use a different card.
For the record, the UPI (Unified Payments Interface) already uses tokenisation to secure transactions.