After allowing users to link credit cards with UPI, India’s central bank, the RBI, is now ready to enforce card tokenization in India. Amid all this, many users are wondering what exactly card tokenization is and why apps and websites are asking them to secure their credit and debit cards as per RBI’s new guidelines. So to clear all your doubts, we bring you an explainer on what card tokenization is and why you should opt in. We have also covered the need for card tokenization in a country like India, along with its advantages and disadvantages. On that note, let’s learn about RBI’s new guidelines for card tokenization in detail.
Credit/ Debit Card Tokenization in India: Explained (2022)
In this article, we have discussed and explained everything about RBI’s card tokenization effort and what it entails for consumers in India. You can learn about the pros and cons of card tokenization, the need for card masking, and more.
What is Card Tokenization?
Since at least 2019, the RBI has been pushing the payments industry in India to adopt card tokenization in order to protect and enhance the security of online card transactions. But what exactly is card tokenization and how does it work? Well, let me explain with an example.
When you purchase something from e-commerce websites like Amazon or Flipkart using your credit or debit card, you enter the card number, your name, expiry date, and CVV. All these details are highly private and confidential, and you wouldn’t want them to fall into the wrong hands. Now, in case you choose to save your card details on an app or website, you’re basically allowing the app or website to store the card details (except for CVV) on their cloud servers.
If you keep up with the happenings in the finance industry, you will have seen many data breaches of late. Popular Indian websites and digital payments apps were hacked and card details were dumped in plain text on the dark web. The MobiKwik and Domino’s India data leaks are still fresh in our memory. So, as you can tell, if you save your private card details on the cloud servers of several such online apps and websites, your data becomes prone to data breaches and leaks.
While some websites may have the highest security in place to protect your card details, some of them might not be complying with the global standards of security. For malicious actors, having your card details spread over multiple servers with a varied level of security opens up more avenues for hacking. The RBI now wants to change the digital payments situation and standardize the security of all online card transactions with something called “tokenization”.
Basically, when you choose to save your card details on an app or website (called merchants), as per RBI guidelines, a token is generated against your card and saved on the merchant’s cloud servers. Here, your private card details are not shared with the app or website. The token is a unique, encrypted code that points to your card. This way, merchants will not have access to your private card details and thus, your card will be protected from online data breaches.
Apart from that, the onus to protect your card details will no longer be on merchants — apps, websites, payment processors like RazorPay, or banks. To sum up, card tokenization is a mechanism introduced by the RBI to protect domestic card transactions using random strings of tokens instead of sharing your private card details. As for how it works, move to the next section.
How Does Card Tokenization Work?
The way card tokenization works is simple. When you choose to tokenize a card, the card network (e.g. Visa, MasterCard, etc.) issues the token with the consent of the bank and shares it with the merchant. For instance, if you save an SBI Visa debit card on Paytm as per RBI’s guidelines, then Visa will generate the token, taking consent from SBI, and will share the token with Paytm. To find all the authorized card networks in India, click on this link.
If you choose to save the same credit or debit card on another app, say Amazon, then a new token will be generated, and it will be shared with Amazon. Even for the same card, the token will be different depending on the merchant (also called requestor) and device. It means the tokens are unique and discrete, which is good from a security point of view.
The Need for Card Tokenization in India
As mentioned above, the frequent data breaches, leaks, and hacks in the digital era have forced the RBI to come up with card tokenization. Not to mention, apps, websites, payment processors, and all the intermediaries having different standards of security pose a threat to our digital security. Credit and debit card tokenization will eliminate the burden of security on merchants and intermediaries. Moreover, it will standardize the security protocol across all channels. For convenience, users are increasingly saving their card details on websites and apps so card tokenization will really help in securing credit and debit cards on the web.
RBI’s Card Tokenization Policy: Pros and Cons
Card tokenization has many advantages. To begin with, your card details will not be shared with the merchant — be it an app or a website. Apart from that, payment processors and other parties will not be able to access any of your private card details. With a uniquely generated code, your card transactions will be carried out without worrying about card fraud.
Besides that, you will be at ease while saving cards on e-commerce websites knowing that only the token is shared with the merchant. Also, card networks claim that it will reduce false claims as transactions done using card tokenization will suggest high-grade security.
As for the disadvantages of card tokenization, I don’t think there are any as far as the end-user is concerned. Sure, merchants and payment processors need to incorporate the RBI guidelines, but besides that, it’s a win-win situation for consumers.
What Changes for Customers?
For consumers, it changes nothing. Yes, you don’t need to go the extra mile to tokenize your card through a bank or an app. Much like you perform a normal transaction, go on and do it. Make sure to enable the “Secure your card” or “Save as per RBI guidelines” checkbox in the pop-up you see during checkout on apps like Amazon India, Zomato, Swiggy, Blinkit, and others. This will issue the token against your card, and it will be shared with the merchant automatically.
Henceforth, your card details will be deleted from the merchant’s cloud server and only the token will be stored along with the last 4 digits of the card and your name for end-user identification. From now on, you simply need to enter the CVV and authorize the transaction using OTP. As you can see, card tokenization has more to do with the backend of the payment infrastructure rather than the end-user.
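The backend arrangement described here and in the “How Does Card Tokenization Work?” section can be modelled in a few lines. This is an added illustration, not code from the RBI, a card network, or any merchant: the class and function names are hypothetical, the token is modelled as a random value held in the network’s vault (an assumption about the design), and the card number and holder name are constructed test values.

```python
import secrets


class CardNetworkVault:
    """Toy stand-in for the card network's token vault (assumed design)."""

    def __init__(self):
        self._by_token = {}    # token -> (pan, requestor, device)
        self._by_binding = {}  # (pan, requestor, device) -> token

    def tokenize(self, pan, requestor, device, issuer_consents=True):
        """Issue a token bound to one card, one requestor and one device."""
        if not issuer_consents:
            raise PermissionError("issuing bank did not consent")
        binding = (pan, requestor, device)
        if binding not in self._by_binding:
            token = secrets.token_hex(12)  # random, not derived from the card number
            self._by_binding[binding] = token
            self._by_token[token] = binding
        return self._by_binding[binding]

    def resolve_for_payment(self, token, requestor, device):
        """Map a token back to the card only for the requestor/device it was issued to."""
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (requestor, device):
            return None
        return binding[0]


def merchant_record(vault, pan, holder, requestor, device):
    """What the merchant keeps after tokenization: token, last 4 digits, name."""
    return {"token": vault.tokenize(pan, requestor, device),
            "last4": pan[-4:], "name": holder}


def demo():
    vault = CardNetworkVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    paytm = merchant_record(vault, pan, "A. Kumar", "Paytm", "phone-1")
    amazon = merchant_record(vault, pan, "A. Kumar", "Amazon", "phone-1")
    return {
        "tokens_differ": paytm["token"] != amazon["token"],
        "pan_in_merchant_record": pan in paytm.values(),
        "own_token_resolves":
            vault.resolve_for_payment(paytm["token"], "Paytm", "phone-1") == pan,
        "leaked_token_at_other_requestor":
            vault.resolve_for_payment(paytm["token"], "Amazon", "phone-1"),
    }


if __name__ == "__main__":
    print(demo())
```

A token copied out of one merchant’s database resolves to nothing when presented by a different requestor, which is why a breach of a single merchant no longer exposes a usable card number.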
Why Do I Have to Re-enter Card Details for Each Transaction?
To make it clear, you don’t need to re-enter card details for each transaction, if you choose to tokenize the card. The whole point of tokenization is to secure saved cards on apps and websites with a global standard of security. With tokenization, the saved cards will be stored with card networks (and not merchants). Only a token will be shared with the merchant to identify and validate the card during a transaction.
In case you choose to opt out of tokenization, the card will not be saved on the app or website, since the RBI has prohibited merchants from saving card details. In such a scenario, you will have to re-enter card details for each transaction. So it’s recommended to tokenize your card for a smooth experience while transacting online.
Card Tokenization Rollout in India
The RBI has been working on card tokenization since 2019 and had decided to enforce it from January 1, 2022. However, due to pushback from merchants and payment processors fearing disruption, RBI extended the tokenization norms to June 30, 2022. Then, RBI again extended the full rollout to July 31, 2022, and now to October 2022.
It seems RBI is now entirely ready for enforcing card tokenization after delaying the rollout for many months. Recent reports suggest that come October 1, 2022, it will become mandatory to tokenize your credit and debit cards if you want to save card details on the app or website. If you don’t do so, your card will be deleted from merchants’ servers. Henceforth, you will have to re-enter card details every time you transact online.
Frequently Asked Questions (FAQ)
What is Card Tokenization in India?
Card Tokenization basically replaces your actual card details with a uniquely generated token for online card transactions. It has been devised to protect your card details from breaches and online leaks.
What is the last date for card tokenization?
As of now, the last date for card tokenization is July 31, 2022. After that, your card details will be removed from merchant servers.
Is it mandatory to tokenize your card?
As per the RBI, it’s still not mandatory to tokenize your card. You can choose to tokenize your credit and debit cards at your own will.
How to tokenize credit and debit cards?
Simply enable the checkbox for “Secure your card” or “Save card as per RBI guidelines” and complete the transaction on any app or website and it will be automatically tokenized. Make sure to perform the transaction on mobile phones or tablets.
Is there any charge to tokenize cards?
No, there are no charges associated with tokenizing a card. You can do it as many times as you want.
Why You Should Go For Card Tokenization in India?
So that was everything you need to know about credit and debit card tokenization in India. In my opinion, it’s an amazing step by the RBI to protect consumers from online frauds and breaches. This will go a long way in securing credit and debit cards on the web. Anyway, that is all from us.