Making online payments safer – Here’s how to tokenise your card

• Tokenisation is nothing but giving your sensitive information a secret identity.
  
  
• When you tokenise something, like a debit or credit card, you replace the actual details with a unique digital token.
  
  
• To make it more convenient to the customers, RBI has recently announced card-on-file tokenisation or CoF.

Many of us would have seen Amitabh Bacchan on television telling us that by tokenising our cards we can make our online transactions more secure and alo get freed from the hassle of entering our card details every time we make a purchase. In fact, many websites will ask you to save your card details which you may not be comfortable with. Tokenisaiton is the answer.

“Tokenisation simply refers to the replacement of actual card details with an alternate code called the 'token'. It is used for recurring payments or in cases where merchants have stored the card details for providing faster checkout experience,” says Rahul Jain, CFO, NTT DATA Payment Services India.

RBI’s initiative on tokenisation is targeted towards the disablement of card storage at the payment service providers' and merchants' end to ensure better security.

“Simply put, tokenisation is nothing but giving your sensitive information a secret identity. When you tokenise something, like a debit or credit card, you replace the actual details with a unique digital token, which is further used while making online transactions, making it secure,” says Gaurav Chopra, founder and CEO of IndiaLends, a digital lending marketplace.

Steps to tokenise your card

We will look at the steps to tokenise your card.

1. To purchase any products or services and to initiate a transaction, a customer visits e-commerce or a merchant's website. Then select the preferred card options as the payment method and enter all the card details
2. In case the website wants the customer to store the card details for a faster checkout experience, there will be an option 'secure your card as per RBI guidelines'. A customer must opt for this option to securely generate a token and have it stored as per RBI guidelines
3. To complete the transaction, a customer will receive a one-time password (OTP) on the mobile device or email from the card issuer company.
4. Once the OTP is entered on the bank page, the card details are sent for token generation as well as transaction authorization
5. Generated token is sent back to the merchant, who then stores the token against the customer identification data eg; mobile number or email address
6. When a customer visits the same e-commerce or merchant website, the last four digits of the saved card are shown which helps them to recognize during the transaction. This means that a customer’s card has been tokenised.
7. A new token is generated for every merchant website where the card details are required to be stored.The token is now ready for use in subsequent recurring or express checkout payment transactions by consumers on the merchant platform.

Source: NTT DATA Payment Services India

When you tokemise your card, your card information is not stored by the merchant website. “The genuine payment details of the customer are securely stored by their bank in a protected token vault. Upon receiving the token from the credit card issuer and confirming its match with the account number, the bank verifies the transaction,” says Akash Sinha, CEO and co-founder, Cashfree Payments, a payments and banking platform.

Card on file tokenisation

“Meanwhile, to make it more convenient to the customers, RBI has recently announced that card-on-file tokenisation (CoF) can now be generated directly at the issuer bank level,” says Jain. This will allow users to generate tokens through their bank’s app or website.

Currently, it is not mandatory to tokenise the cards. A customer can choose whether to or not to tokenise his/her card. A customer can continue to transact as before by entering card details manually at the time of initiating the transaction if he/she does not wish to create a token.