RBI is encouraging cardholders to tokenize their cards: Here’s all you need to know about it

• In a bid to make online card transactions more secure, the Reserve Bank of India is encouraging consumers to tokenize their cards.
• The central bank has directed payment aggregators, wallets and online merchants to not store any sensitive card-related consumer data.
• As per the mandate, cardholders can create ‘tokens or a unique alternate code’ instead of entering their card details.
• Tokenization would come into effect on October 01, 2022.

When you buy something online, you share your credit card or debit card information with the e-commerce platform. This highly sensitive data, which is now stored by the platform, is vulnerable to data theft or leakage.

In an effort to make card transactions more secure, India’s central bank, the Reserve Bank of India, has been encouraging cardholders to tokenize their cards.

Simply put, tokenization is the process of substitution. It replaces sensitive data with unique identification numbers that retain all the essential information about the data without compromising its security.

Imagine walking into a gaming zone or casino, where you pay with actual money in exchange for plastic coins, which hold no value outside the gaming zone’s premises. You can play Pac-man or win your favourite toys in a vending machine only with that token or coin.

Similarly, with card tokenization, the idea is to mask card numbers and protect sensitive consumer data with tokens containing randomised numbers and alphabets.

Currently, many businesses and merchants that are involved in an online card transaction chain store sensitive card information like its number, expiry date, etc, which is known as card-on-file (CoF), to enable smoother transactions in the future.

However, the availability of card details with multiple entities increases the risk of your card data being stolen/misused.

As per RBI’s new mandate, tokenization will replace sensitive payment credentials such as 16-digit plastic card numbers, names, expiry dates, and codes with a unique alternate card number, or ‘token.’

Merchants and fintech platforms cannot store your card details anymore, as per RBI. They can enable transactions through tokens, which won’t expose your confidential data but will add another layer of security.

"India needs more secure online payment standards as there is an increase in digital payments. The future data protection standards that are presently being considered can eventually work with tokenization. It is a fundamental shift in the ecosystem that requires a large investment from stakeholders in the payment industry, banks, and card networks to adopt and adhere in full," Ravi Battula, VP - merchant acquiring business), Wibmo – a PayU company, told Business Insider India.

As of June 24, about 19.5 crore tokens had been created.

How can you create a token for your card?

Domestic plastic card users can create tokens for their credit and debit cards free of charge through any e-commerce platform or merchant website.

Step 1: Visit any e-commerce/merchant website to shop your products and initiate a transaction.

Step 2: As you select your payment mode, look for your preferred bank’s credit/debit card as the payment method and enter all details.

Step 3: You will find a checkbox that says “secure your card” or “save card as per RBI guidelines”.

Step 4: You will receive an OTP on your mobile or email from your bank or card company to finish the transaction.

Step 5 – And voila, your token will be generated and saved instead of your sensitive card data.

In the future, you can make your purchase by simply recognising the last 4 digits of your plastic card.

This token, however, cannot be used for payment at any other e-commerce website.

You can create various tokens on different e-commerce sites.

Is it mandatory to tokenize your cards?

No, as of August 01, the government has not made it mandatory for consumers to adopt tokenization.

Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction.

As per RBI’s directive, by September 30, 2022 all stakeholders are advised to be ready for handling tokenized transactions, implement alternate mechanisms and create public awareness about the process of creating tokens and using them to undertake transactions.