What is tokenisation? 

Come July, when you make online payments with your credit or debit card, it will be mandatory to enter your card details in full, that is, your card number and CVV, and to authenticate with an OTP. But if you don’t want to go through this hassle each time, you can opt to create a token. The process is called card-on-file tokenisation (CoFT).

How does this work?  

When you enter the card details to process the payment, the payment gateway will check with you if you want to create a token. If yes, it forwards the request to the card network – Visa, MasterCard, RuPay, Amex or Diners Club. However, the entity that can authorise the token is the bank that has issued the card. The card issuer, upon verification of the user’s credentials, allows the token to be issued, and the card network issues the token. This is shared with the user. Every token is unique to the combination of the payment gateway or merchant, the card network and the card.

A user can create multiple tokens using a card and the usage limit applicable for the card will remain the same despite having various tokens. Therefore, if you have stored your card details across five merchants – say for ordering food, online shopping, booking movie tickets, OTT platforms and paying for utilities, you have the convenience of generating 5–6 tokens for each app. If you are unsubscribing from an app, you can contact the card issuer to cancel the token, and this is called de-tokenisation.  

Is tokenisation mandatory and would it allow the flexibility of a card? 

It is not mandatory. A merchant cannot force the user to create a token. It needs explicit consent and an additional factor of authentication like an OTP or PIN to generate a token. Those not wanting to create a token can type the card details each time while making the payment. But a token is like using a card without using it. You can set limits for each token, including daily transaction limits. Likewise, you can renew your token just like you would do with the card. Card issuers cannot charge a fee for issuing tokens. However, interest charges, taxes and fees, including renewal fee applicable on the card, will remain. Tokens can be generated for credit and debit cards.

Why is it important? 

If you have a token for making payments on Netflix, it cannot be used in the Swiggy app. This level of data protection is the highlight of CoFT. With online fraud increasing, if a website is hacked, details of credit and debit cards stored in its server are vulnerable to data theft. The RBI’s objective is to prevent such compromises.  
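
A simplified model of the token flow described above (issuer-authorised issuance, one token per merchant, de-tokenisation), added here as an illustration and not the card networks' or the RBI's actual implementation. The `TokenVault` class, the merchant and network names and the card number are constructed assumptions.

```python
import secrets

class TokenVault:
    """Toy model of a card network's vault: only it can map a token back to a card."""

    def __init__(self):
        self._tokens = {}  # token -> {"pan", "merchant", "network", "active"}

    def issue(self, pan, merchant, network, consent, afa_ok):
        # Explicit consent plus an additional factor (OTP/PIN) is required.
        if not (consent and afa_ok):
            raise PermissionError("issuer did not authorise token creation")
        token = secrets.token_hex(8)  # random, so it reveals nothing about the card
        self._tokens[token] = {"pan": pan, "merchant": merchant,
                               "network": network, "active": True}
        return token

    def resolve(self, token, merchant):
        """Return the card number for a payment, or None if the token is not valid here."""
        rec = self._tokens.get(token)
        if rec is None or not rec["active"] or rec["merchant"] != merchant:
            return None
        return rec["pan"]

    def detokenise(self, token):
        """Cancel one token; the card and its other tokens are unaffected."""
        if token in self._tokens:
            self._tokens[token]["active"] = False


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    t_ott = vault.issue(pan, "ott-merchant", "network-a", consent=True, afa_ok=True)
    t_food = vault.issue(pan, "food-merchant", "network-a", consent=True, afa_ok=True)
    results = {
        "distinct": t_ott != t_food,  # same card, different token per merchant
        "own_merchant": vault.resolve(t_ott, "ott-merchant") == pan,
        # A token copied from one merchant's database is useless at another.
        "other_merchant": vault.resolve(t_ott, "food-merchant"),
    }
    vault.detokenise(t_ott)
    results["after_cancel"] = vault.resolve(t_ott, "ott-merchant")
    results["other_token_ok"] = vault.resolve(t_food, "food-merchant") == pan
    return results

if __name__ == "__main__":
    print(demo())
```

The merchant stores only the token, so a breach of its server exposes values that resolve to nothing outside that merchant.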

When does it take effect? 

From July 1, merchants and payment gateways cannot store details of their users’ credit or debit cards. In effect, tokenisation comes into play from July. In fact, it was proposed in May 2020 and a deadline of December 31, 2021, was first set for its adoption. After strong representations from card issuers and merchants, the RBI extended the deadline to June 30, 2022. But even now, for auto debits or recurring payment through credit cards, merchants cannot store the card details. This came into force on January 1, 2022. So, OTT subscriptions must be renewed every month by punching in card details.  

Are the stakeholders ready for this change? 

Reports suggest that 75 per cent of card users have opted to save their card details with payment gateways as it offers ease of transactions. It takes 5–8 seconds for a payment to go through. So, a stir similar to the one seen after curbs were imposed on auto debits is anticipated when the new norms kick in. While the entities concerned haven’t objected to CoFT’s roll-out on June 30, their level of preparedness isn’t clear yet.
