Amazon. BigBasket. Myntra. Digital has become one of the most favored and convenient ways of availing services and buying products. A rise in the digital payment ecosystem in such a situation was inevitable, and the idea of not carrying cash has started to seem normal to people. But this has created an opportunity for malicious parties to take advantage of the poor security infrastructure and practices followed by banks, merchants, and other intermediaries. These growing online frauds and cyberattacks have created hurdles in the adoption of digital payments and have compelled regulators to put checks and balances in place to address cybercrime and financial fraud. The Reserve Bank of India (RBI) aims to reduce such activity in the payment ecosystem through policy change and wants to add an extra layer of security to the sensitive financial information of individuals through Card-on-File (CoF) tokenization. However, industry players cited operational challenges in implementing the framework in a joint letter, and the RBI has therefore extended the deadline for implementation of tokenization by three months, to 30th September 2022. After that, all card information saved with merchants needs to be “purged”.
However, many users are unaware of how card tokenization works and why it is needed.
In this article, we talk about the implications of CoF tokenization: not only how it is set to disrupt the payment ecosystem by making transactions more convenient, but also how it protects a user’s data.
Need for Tokenization
Due to the increased frequency of online transactions, credit and debit card information is transferred millions of times a day. Each transaction needs cardholder information and extra payment details, which are sensitive in nature. Many people even save their card information with merchants for ease of use in the future, creating a massive pool of sensitive financial data. This creates fertile ground for malicious elements to gain access to people’s sensitive financial data if a payment merchant/intermediary gets hacked. In May 2022, RazorPay became a target of such an attack, where hackers stole 7.3 crores through their portal over 3 months. In 2020, a data breach at Amazon and Swiggy’s payment processor Juspay compromised the data of 3.5 crore customers. To secure this data and protect not just customers but also banks and merchants, RBI has prohibited saving credit and debit card details on any “internal servers”. Therefore, as a safer and more convenient alternative, card tokenization has been mandated.
What is card tokenization?
It is the process of substituting the existing sensitive card data with a unique string of code, known as a token. Tokenization is carried out through Additional Factor of Authentication (AFA) by the customer. The token is specific to your card and the merchant it has been generated for, and cannot be used with any other merchant. While making payments online, the sensitive data is masked. Unlike encrypted data, tokens are undecipherable and irreversible, adding yet another layer of security. A properly built and implemented tokenization platform can prevent the exposure of sensitive data, stopping attackers from accessing any type of usable information.
These tokens can be saved on online portals and used by merchants to access, retrieve and maintain card information and for the smooth functioning of internal systems. Currently, it is not mandatory for merchants to adopt these guidelines, but if they choose to not implement them, customers will have to enter card details manually every time they wish to make a transaction. The guidelines are only applicable to domestic cards and not to international ones.
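A minimal sketch of the substitution described above, added here as an illustration and not taken from the RBI framework or any card network's implementation. `TokenVault`, the merchant IDs and the card number are constructed for the example; it shows a token bound to one card and one merchant, with the card number held only by the token service.

```python
import secrets


class TokenVault:
    """Toy token service: the only component that ever holds card numbers."""

    def __init__(self):
        self._by_token = {}  # token -> (pan, merchant_id)
        self._by_pair = {}   # (pan, merchant_id) -> token

    def tokenize(self, pan, merchant_id, afa_passed):
        # A token is only issued after the customer's AFA succeeds.
        if not afa_passed:
            raise PermissionError("additional factor of authentication required")
        pair = (pan, merchant_id)
        if pair in self._by_pair:
            return self._by_pair[pair]  # one token per card and merchant
        while True:
            # Random digits: no key turns the token back into the card
            # number; the vault's lookup table is the only link.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pair
        self._by_pair[pair] = token
        return token

    def detokenize(self, token, merchant_id):
        # A token presented by any merchant other than its owner is refused.
        pan, owner = self._by_token.get(token, (None, None))
        if pan is None or owner != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return pan


def demo():
    pan = "4111111111111111"  # constructed test number, not a real card
    vault = TokenVault()
    shop_a = vault.tokenize(pan, "merchant-a", afa_passed=True)
    shop_b = vault.tokenize(pan, "merchant-b", afa_passed=True)
    merchant_a_db = {"customer-1": shop_a}  # all a breach of merchant A yields
    return pan, vault, shop_a, shop_b, merchant_a_db


if __name__ == "__main__":
    print(demo()[4])
```

A copy of `merchant_a_db` contains no card number, and the token in it is rejected when presented under any other merchant ID.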
Benefits of tokenization
Designed and implemented to curb online frauds and hacks, tokenization brings along the following benefits:
- Enhanced safety and security
It is more reliable and secure than other forms of payments. Tokens generated will be unique to the card and the merchant it has been generated for, increasing the security of card transactions. It eliminates the risk of storing card details on the online servers of the payment merchant and ensures uncompromised storage on the merchant site. With tokenization, there is no information available to steal when the inevitable breach happens, virtually eliminating the risk of data theft.
If the card is replaced, renewed, reissued, or upgraded, a new token has to be generated to keep using the payment gateway.
- Ease of Use
Once your card details have been saved in the form of a token by the merchant, you do not have to worry about manually entering the entire details of your card every time you want to initiate a transaction. The issuing banks may even provide a portal to manage all your tokens from multiple merchants in a single place.
- No “false” declines
Many times, legitimate online transactions are declined on the grounds that the transaction looks like fraud. With tokenization, that problem will end as the usage of tokens provides security of the highest order.
- Flexibility of payment
You will no longer have to carry a physical card, as you can store it virtually on your smartphone and even use it through NFC-enabled smartphones.
The digital payment ecosystem is growing every day with more people choosing online payments over cash. This rapid shift to digital payments requires security, stability, and reliability alongside convenience and speed. Card tokenization can therefore be seen as an essential step in this direction, as it will help reaffirm consumer faith in online transactions and build the trust of millions of users across the country. It will also protect businesses from data breaches, act as a protective layer in the digital payment ecosystem, and safeguard both consumers and merchants. Tokenization will also help in expanding the digital payment infrastructure among small businesses that shifted online due to Covid-19. The tokenization framework helps safeguard digital payments and provides a seamless way to pay for millions of credit and debit card users in the country. The enhanced security measures should increase consumer trust and further bolster digital adoption and the growth of the digital economy.