Tokenization of credit and debit cards for safe online shopping from Jan: Here’s how the process works

From January 1, 2022, the way you use your credit or debit cards while shopping on Amazon, Flipkart, BigBasket, Myntra, etc., will change. You would no longer be required to save your 16-digit card number and the card expiry date on the merchant’s website. As per the new rules set by the Reserve Bank of India (RBI), the only way that you can conveniently make a card payment repeatedly is through a new process called ‘tokenisation.’

What is card tokenisation?

When you shop online or even book tickets on travel portals, you tend to save your credit card details in those websites. So, you just don’t need to remember your card details each time you shop. Just enter the CVV and you check out in a matter of seconds.

But that was risky. If your online site or travel portal gets hacked, your card details could be leaked. Besides, you may have also saved your card details on some website years ago and forgotten all about that. “There is a high chance some of the merchants will not know how to store secure card information,” says Harshil Mathur, CEO and Co-Founder at Razorpay.

Enter tokenisation. This is a process of converting your card details into a unique token that is specific to your card and only to one merchant at a time. This code masks the true details of your card, without which no one can misuse your card. This token can be saved on the online portal’s server.

The new tokenization rule that comes into effect from January 1 prohibits all online shopping portals from saving your card numbers, CVV, expiry date etc. on their servers. So, you either make a token before you buy an item and save that token on the particular website (for future use) or enter your card details every time you buy stuff off the internet.

“In the past, there have been instances of data leaks from merchant websites; digital transactions are also growing significantly, requiring added safety. So, this is a precautionary step mandated by the regulator to enhance card data security,” says Reeju Datta, Co-founder at Cashfree Payment.

How does this card tokenisation work?

At check-out time on an online shopping portal, enter your card details and opt for tokenisation. Your merchant forwards it to the respective bank or the card networks (VISA, Rupay, Mastercard, etc). A token is generated and sent back to your merchant, which then saves it for you. Now, the next time you come back to shop, just select this saved token at check-out time. You will see the same masked card details and last four digits of your card number. You will need to enter your CVV and complete the transaction. Tokenisation is not mandatory, but it makes it easier to shop repeatedly.

“As a customer, you don’t need to remember the token. The end-customer experience is not changing while making the payment,” says Jagdish Kumar, VP Products and Solutions-Digital Commerce at Worldline India.

Is the tokenization service free?

Yes, tokenisation of card is absolutely free, and can be availed by anyone. Currently, tokenisation is applicable only to domestic cards. International cards are not covered by this guideline. You can request for tokenisation on any number of cards to perform a transaction. “If a merchant has not integrated with the card network and bank issuing the cards by December 31, you will have to enter the card details every time, as you cannot store your card details in the token format,” says Manas Mishra, Chief Product Officer at PayU.

Recently, HDFC Bank sent SMS to its cardholders which reads, “Effective 1st January, 2022, your HDFC Bank card details saved on merchant website/app will get deleted by the merchants as per the RBI mandate for enhanced card security. To pay each time, enter full card details or opt for tokenisation.” We expect other banks to roll out similar communications for their customers in coming days.

Does a card have different tokens for different merchants?

One token is limited to just one card and one merchant (online portal). For instance, if you have, say, an ICICI Bank credit card tokenised on Amazon, then, this same card will have a different token on Flipkart. However, as a customer you don’t need to know or remember the token linked with the card. You can tokenise multiple cards with the same merchant, or tokenise the same card with multiple merchants.

What is the best way to manage my tokens?

If you have multiple cards and like to shop online frequently, there’s a better way to manage your tokens. Say, you want to remove some tokens you had got long ago from a specific website. Mathur of Razorpay says that an issuer bank will now provide a dedicated portal (on its own bank’s website) to manage tokenised cards. In simple words, your dashboard would now show you a list of your cards and where (merchants) you have tokenized them. Delete the tokenised cards of websites you do not use frequently.


Related posts