Debit, Credit Card Tokenisation from October 1: New Rules, How to Tokenise & Key Details

The Reserve Bank of India has mandated debit card and credit card tokenisation rules to come into effect from October 1, 2022. This means merchants, payment gateways and e-commerce platforms can no longer save the card information of their customers. Businesses that are following this practice will have to remove them and implement tokenisation. So, let us talk about what exactly is ‘card tokenisation’ and how is it beneficial for the consumers:

What is Tokenisation?

As stated by the RBI, Card-on-file Tokenisation (CoFT) refers to the replacement of actual card details into an alternate code, namely “token”, which is unique for a combination of cards, token requestor and device. Here, a token requestor is an entity that accepts a request for tokenisation from the customer and passes it to the card network.

In simpler words, for any debit or credit card, the 16-digit card number is replaced with a unique value, referred to as a token. Hence, instead of the entire card details, only the code will be shared with the merchant. Therefore, customers don’t need to fear that their card details will be saved on the internet. The RBI has directed payment networks to implement card tokenisation in order to improve the safety and security of card transactions. Payment processors like PayU and Razorpay already have implemented the tokenisation feature in their systems.

Is Tokenisation Mandatory?

No, tokenisation is not mandatory, it is solely a cardholder’s choice whether he/ she wants to opt for tokenisation. However, customers, who don’t opt for tokenisation, need to enter their card details for every time they want to make a transaction. Also, the customers have to give their consent through Additional Factor of Authentication (AFA) to allow payment networks to implement tokenisation.

Why Tokenisation is Safer?

Over the past few years, there have been several instances where merchant websites were hacked and user’s debit card and credit card details were leaked. When your card details are stored online with an e-commerce platform, it puts you at the risk of fraud, in case the platform’s security measures are inadequate. This is the problem that RBI is trying to eliminate with tokenisation.

So far, if you wish to save your card for future transactions, you could do so and only CVV and OTP authentication would be required at the time of making payment. However, as said above, this is risky. Tokenisation is considered to be safer as the actual card details are masked by the ‘token’ and are not shared with the merchant during card transactions. Under tokenisation, the card details are replaced by a code, that is unique for each card and each merchant and allows cardholders to make transactions without sharing their credit or debit card details. It provides an additional layer of security by encrypting the card details into a token.

How to carry out Tokenisation?

The card tokenisation process is quite easy. Merchants like Amazon, Swiggy and more have already been requesting their customers to complete the process for safer transactions. Cardholders can follow the below-mentioned steps to implement tokenisation:

Step 1: Visit any preferred merchant’s website or app for shopping, payments or any other activity to initiate a transaction.

Step 2: At the time of checkout, enter the card details, including name, expiry date and CVV.

Step 3: Check the check box “Save your card details” or “Save card as per RBI guidelines” to process the tokenisation.

Step 4: Enter the OTP received on your registered mobile number to implement tokenisation. Now, the details will be tokenised and the merchant cannot save your card details.

What happens if you don’t tokenise your card?

Tokenisation is free of charge and is not mandatory but if a cardholder doesn’t opt for tokenisation, then the card details saved at any merchant’s website/ app will be removed and the cardholder will have to enter details each time he/she wants to make a payment.