The deadline for tokenisation guidelines was earlier set as July 1, but it was extended by three months to September 30. Most of the large merchants have already complied with the RBI's CoF tokenisation norms.
A number of entities, including merchants in an online payment chain, store card data, citing convenience and comfort to cardholders. While this practice does bring some convenience, the storing of card details with multiple entities raises the risk of data being misused.
Tokenisation
As per the RBI, tokenisation refers to replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and device (referred hereafter as identified device).
This token — representing the customer's card data — is saved in the merchant’s payment system and processes the transaction.
Benefit of tokenisation
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
How can the tokenisation be carried?
The card holder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.
Can tokenisation be enabled through a smart watch or such other devices?
The feature of tokenisation is available on consumer devices like mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc.
Impact on customers
Entities or platforms won't be able to store the card credentials of a shopper in any form. For instance, when customers shop on an e-commerce site for the first time, they are asked to feed the 16-digit debit card number and then the CVV code. However, when they buy another item from the same platform, they can see that the site has already stored the 16-digit card number and they just have to put in the CVV and then the OTP is generated by the bank to make the purchase.
With the new RBI order, a shopper will have to put in their entire card details when they shop for something. Once customers start purchasing an item, the merchant will initiate tokenisation and ask for consent to tokenise the card. Once consent is given, the merchant will send the request to the card network.
The card network will create a token, which will act as a proxy card number and send it back to the merchant. The merchant will save this token for future transactions. Now, they will be required to enter CVV and OTP like before to give approval.
