When we shop online, say on Amazon or Flipkart, we make payments using our debit / credit card. We normally enter the card details, including card number, name, expiry date and the three-digit CVV. To make it more convenient for repeat purchases, sellers/merchants ask us for our one-time permission to store the card details on their server. If you give permission, the data is securely stored on their servers, with encryption and masking technology. Now, if their security measures are inadequate or broken into by a hacker, your entire data, including card numbers, CVV, etc., is vulnerable and susceptible to misuse, which could lead to a loss up to the value of your card limit. Tokenisation is primarily designed to prevent such online or digital breaches.
HOW?
At the Merchant End
- Since October 2022, the Reserve Bank of India (RBI) has mandated that merchants will not save the customers’ card numbers on their servers. Instead, they will just store on their servers a generated token number for each credit card that they want to be used frequently.
- What it means is that a random token number will be generated by the system which will be stored at the merchant end.
- This token number will be a unique number—a combination of the credit card number and the merchant. So, for example, if you are shopping on Amazon, your card will be tokenised and a unique token number will be generated.
- This token number can only be used to make purchases with that card on Amazon. It cannot be used on any other merchant’s website. Hence, a different, unique token number will be generated for each of Flipkart, Rediff and any other shopping site.
- Your actual card details will be held safe in a secure token vault.
- This process will eliminate the possibility of hacking at the merchant end and, even if the data is hacked, all that the hacker will receive will be a token number which will be unusable anywhere else; hence, it will be of no use to the hacker.
- Thus, essentially, your card will have multiple tokens, based on the number of merchants you have tokenised your card with.
For the User
- As far as the user is concerned, the next time you pay online for something using your debit or credit card, you will be asked if you wish to ‘Save Card as per RBI guidelines’ or ‘Secure your Card’. If you respond positively, you will immediately get an OTP (one-time password) on the mobile number linked to your card. Once you enter the OTP on the merchant’s site, your card will be automatically tokenised. It is as simple as that!
- You will not have to remember your token number, nor will it be displayed to you.
- However, you will still see the last four digits of your card at the merchant checkout page.
- You can request tokenisation of any number of cards at a merchant website.
- Whenever your card is renewed, reissued or upgraded, you will have to visit the merchant page and create a fresh token by following the same instructions.
- Each card that you have, including add-on cards, will need to be tokenised, since each card has a unique card number.
- If you wish to delete the token number already generated at a merchant website, you just need to disable that card at the merchant’s website / app and your token number will be automatically deleted.
- If your card has not been tokenised, it will be automatically removed from apps and websites and you will be required to fill in all your card details every time you transact on that merchant’s platform.
Security
Tokenised transactions are more secure, since the generated tokens are normally not reversible. In encrypted transactions, the process is reversible by decryption using a unique key and decryption is mostly necessary to complete each transaction. It is, therefore, felt that tokenisation is relatively more secure than encryption.
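The merchant-bound tokens and vault described under "At the Merchant End", together with the non-reversibility point above, shown as an added example that is not part of the original article: a toy in-memory vault in Python. The class and function names, the merchant labels and the test card number are assumptions made for illustration.

```python
import secrets

CARD = "4111111111111111"  # constructed test card number, not a real account


class TokenVault:
    """Toy vault: holds the only mapping from token to (card, merchant)."""

    def __init__(self):
        self._by_token = {}  # token -> (card_number, merchant)
        self._by_pair = {}   # (card_number, merchant) -> token

    def tokenise(self, card_number, merchant):
        pair = (card_number, merchant)
        if pair in self._by_pair:          # one token per card per merchant
            return self._by_pair[pair]
        token = card_number
        while token == card_number or token in self._by_token:
            # Random digits: nothing in the token is derived from the card.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._by_token[token] = pair
        self._by_pair[pair] = token
        return token

    def resolve(self, token, merchant):
        """Resolve inside the vault, only for the merchant the token was issued to."""
        card_number, owner = self._by_token.get(token, (None, None))
        return card_number if owner == merchant else None

    def last4(self, token, merchant):
        # All the merchant's checkout page gets to display.
        card_number = self.resolve(token, merchant)
        return card_number[-4:] if card_number else None

    def delete(self, token, merchant):
        if self.resolve(token, merchant) is None:
            return False
        del self._by_pair[self._by_token.pop(token)]
        return True


def demo():
    vault = TokenVault()
    t_a = vault.tokenise(CARD, "merchant-a")
    t_b = vault.tokenise(CARD, "merchant-b")
    return {
        "distinct": t_a != t_b,
        "own": vault.resolve(t_a, "merchant-a"),
        "stolen": vault.resolve(t_a, "merchant-b"),  # token presented elsewhere
        "last4": vault.last4(t_a, "merchant-a"),
        "deleted": vault.delete(t_a, "merchant-a"),
        "after_delete": vault.resolve(t_a, "merchant-a"),
    }
```

Because the token is random rather than computed from the card number, there is no key that turns it back into the card; only the vault's lookup table can, and only for the merchant it was issued to.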
Thus, from now on, you can transact online confidently, with the assurance that your transactions are more secure than before.
Happy shopping for this festive season!
Keep up the good work.
I thank Ms Dalal for this website.