The Reserve Bank of India (RBI) has announced that it will tokenise transactions made through debit, credit and prepaid cards with a view to improving the security of payment systems in the country. "This permission extends to all use cases/channels or token storage mechanisms (cloud, secure element, trusted execution environment, etc.) For the present, this facility shall be offered through mobile phones/tablets only. Its extension to other devices will be examined later based on experience gained," the RBI guidelines state.
What is tokenisation?
Tokenisation refers to a process in which sensitive card details are masked by a unique token issued by the bank. Instead of the actual card details, this token is used to perform card transactions in contactless mode at Point of Sale (POS) terminals, QR code payments, in-app payments, etc.
What kind of changes can be expected?
In the new system, nothing changes as far as the customer is concerned as you will still be swiping your debit/credit card. However, in this process, no merchant can store your original debit or credit card number.
In place of the 16-digit number on your card, a randomly generated token ID issued by your bank will be used. Furthermore, the 16-digit token, which masks your actual card number, will keep changing with each transaction, making it difficult for any third party to learn your actual debit or credit card number.
Customers shopping online will also be providing the generated token number instead of the actual card number.
RBI has, however, clarified that Additional Factor of Authentication (AFA)/PIN entry will be applicable for tokenised card transactions as well. This service is expected to be delivered free of cost as per the directions of the top banking regulator.
"Tokenisation and de-tokenisation shall be performed only by the authorised card network and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network," the guidelines state.
In which scenario will it be particularly useful?
Many of us have multiple apps downloaded on our phones, ranging from food delivery apps to ecommerce apps. The ‘save card details’ feature is offered by most of these apps, and many users have it enabled. In case of a data breach, these saved card details are the most susceptible to being leaked and misused. Tokenisation, however, masks the actual card details and hence minimises the risk. "Customers shall be given option to set and modify per transaction and daily transaction limits for tokenised card transactions," the RBI said.
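A sketch of the model the guidelines describe (only the card network can map a token back to the PAN, and the customer sets per-transaction and daily limits), added here as an illustration and not taken from the RBI guidelines or any card network's code. The class name, the single-use token behaviour, the limit values and the test card number are assumptions made for the example.

```python
import secrets

class CardNetworkVault:
    """Hypothetical stand-in for the authorised card network's token vault."""
    def __init__(self):
        self._pan_by_token = {}  # token -> PAN; this mapping never leaves the vault
        self._limits = {}        # PAN -> (per-transaction limit, daily limit)
        self._spent_today = {}   # PAN -> amount already approved today

    def set_limits(self, pan, per_txn, daily):
        self._limits[pan] = (per_txn, daily)

    def tokenise(self, pan):
        # The token comes from a CSPRNG and is not computed from the PAN,
        # so nobody outside the vault can derive one from the other.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                return token

    def authorise(self, token, amount):
        # De-tokenisation happens only here, inside the network.
        # pop() makes each token single-use (assumption for this sketch).
        pan = self._pan_by_token.pop(token, None)
        if pan is None:
            return "DECLINED: unknown or already used token"
        per_txn, daily = self._limits.get(pan, (float("inf"), float("inf")))
        spent = self._spent_today.get(pan, 0)
        if amount > per_txn:
            return "DECLINED: per-transaction limit"
        if spent + amount > daily:
            return "DECLINED: daily limit"
        self._spent_today[pan] = spent + amount
        return "APPROVED"

def demo():
    pan = "4111111111111111"  # constructed test number, not a real card
    network = CardNetworkVault()
    network.set_limits(pan, per_txn=5000, daily=8000)
    merchant_db = []  # all that a breached merchant could leak
    results = []
    for amount in (3000, 6000, 4000, 2000):
        token = network.tokenise(pan)  # fresh token for every transaction
        merchant_db.append(token)
        results.append(network.authorise(token, amount))
    replay = network.authorise(merchant_db[0], 100)  # reuse of a leaked token
    return pan, merchant_db, results, replay
```

The merchant-side list holds only tokens, so a dump of it exposes no card number, and a token replayed after use is declined by the network.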