Why tokenisation is set to be next big game changer in payment ecosystem

With effect from October 1, as per RBI guidelines, neither businesses nor payment aggregators can save customer card details on their platforms. The card details can now be saved only by card networks or issuing banks.

Tokenisation replaces sensitive card information like card number and card expiry date with a cryptographically generated random string, referred to as 'card token'. Once a card is tokenised, the generated card token can be used for processing payments as a substitute for card details, eliminating the risk of loss of sensitive card information while making card payments.

Under the new norm, merchants can only store the last four digits of the customer card data. They will need to delete any customer card data they may have saved. They will also need to have a contract with a token requester. For ease of operations, most merchants may choose their payment aggregator to act as their token requester. However, there is another option that merchants may choose—they can become token requesters themselves. This option is ideally viable for huge enterprises and MNCs as becoming a token requester entails contracting with all major card companies separately.

Industry players are ready and have welcomed the move.

“The overall outlook regarding industry’s preparedness for tokenisation seems positive. Merchants, especially those who operate on a larger scale, have shown particular readiness in this respect, which can be attributed to the approaching festive season. We have observed a significant growth in the number of merchants, across industries, who have adopted the mechanism. Also, all 100 per cent Cashfree Payments merchants interested in offering ‘save cards’ as a feature have integrated Cashfree’s tokenization solution ‘Token Vault’. Earlier this year, we were among the first few tokenisation solution providers to offer the feature of interoperability across payment gateways. It helps businesses that use multiple payment gateways to process tokenised card transactions across any payment gateway and card network of their choice. This has added to the appreciative response of our merchants to our Token Vault solution,” remarked Akash Sinha, CEO and co-founder, Cashfree Payments.

Experts point out that digital transactions have taken over the entire payment ecosystem. One of the concerns accompanying this rapid growth is safety and security of data, in terms of the sensitive card information provided by users. “Tokenisation is the right move by the RBI as through tokenisation one’s sensitive card information can be replaced with a non-sensitive uniquely generated code called ‘Token’. Tokenisation comes in as the right move to keep customer data safety as the priority. It also ensures quick checkouts and convenient card management for the end user,” observed Vikas Garg, co-founder & CEO, Paytail.

Industry experts say tokenisation as a process will help consumers protect their card details from being misused, and will enable smooth user transactions. Businesses and merchants that are involved in online card transactions, usually store sensitive card information like the number and expiry date known as card-on-file (CoF). With tokenisation, details such as 16-digit card numbers, names, expiry dates, and codes are masked with a unique code called a token. The token is neither shared with merchants nor with the banks.

“Reserve Bank of India (RBI) has permitted authorised card payment networks like Mastercard, VISA, RuPay to offer card tokenisation services to consumers requesting for it. Users who do not wish to create a token will have to manually enter their card details whenever they make a digital transaction. We as a payment aggregator are totally in sync with this initiative and believe that this will help in adding an extra layer of security to digital businesses,” pointed out Amit Kumar, chief technology officer and executive director, Easebuzz.

He explains that while entering card details, users receive an option to secure the card. Once approved, the user will receive an OTP on mobile or e-mail. “Token is only generated once the user enters the OTP. Once tokenised, the merchant can store the token against the consumer data i.e, mobile number or email. In no other possible way can a merchant or bank hold card details of a consumer other than tokens. The card details of the customer are only shared on the tokenisation server, token vault, rather than the merchants’ e-commerce website server. Once tokenised, customers can expect fast, easy, and safe online service in terms of data security,” Kumar told THE WEEK.

Many firms are ready with the services around tokenisation. For instance, Worldline India is ready with the tokenisation service for the past two months, and traffic for most of the big merchants has been enabled for tokenisation. “We have not received any complaints or issues from any of our merchants and hence the migration is in progress. We should be able to finish the enablement of tokenisation flow for all our merchants, well before the deadline. We have also built sufficient redundancy and have designed the solution with scalability in mind, and hence we are completely ready from all perspectives,” said Jagdish Kumar, senior vice president – Products and Solutions, Worldline India.

Kumar points out that the process of token will help end users with secured payments. “Card vaulting by way of tokenisation will take the card security to the next level across the payments ecosystem, as the sensitive data will be managed only by schemes and issuers. It in fact lends higher credibility to seamless and secure payments experience. Additional development and changes are required in all existing platforms, in order to support tokenisation flows, and appropriate addition in infrastructure is also required depending on the scale and volume of traffic handled by the specific aggregator and payment gateway,” he said.