Card Tokenisation: All you need to know as a business or a consumer
A recent RBI circular said, “With effect from January 1, 2022, no entity in the card transaction or payment chain, other than the card issuers and card networks, should store the actual card data. Any such data stored previously will be purged.” It has also extended tokenisation to Card-on-File (CoF) transactions (where card details used to be stored by merchants) and directed merchants not to store card details in their systems from January 1, 2022. A CoF transaction is one in which a cardholder has authorized a merchant or business to store his or her Mastercard, Visa or Rupay payment details, and to charge the stored account.
While the RBI guidelines prohibit storage of debit/credit card details, businesses can continue to provide their end customers the same saved card experience in the form of ‘tokens’.
What is tokenisation?
Tokenisation refers to the replacement of card details with an alternative code called a ‘token’. The token is unique to a combination of the card, the token requestor and the device. The token requestor is the entity that accepts a request from the customer for tokenisation of a card and passes it on to the card network to issue a token.
Why is tokenisation needed?
Saved card data, if not securely stored, can be vulnerable to data breaches. Tokenisation reduces the chances of fraud arising from sharing card details. It provides users an added layer of security by converting sensitive cardholder data to a string of randomly generated numbers known as a token.
How does tokenisation work?
The cardholder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device. RBI has allowed tokenisation through mobile phones or tablets for all use cases and channels like contactless card transactions, payments through QR codes and apps.
The tokens are generated by payment networks such as Visa, MasterCard and Rupay which act as Token Service Providers (TSPs). These networks provide the tokens to digital payment or e-commerce platforms so that they can be used during transactions instead of the customer’s credit card details.
For example, when a PhonePe user enters her card details, PhonePe asks one of these TSPs for a token. The TSPs will first request verification of the data from the user’s bank. When the data has been verified, a code is generated and sent to the user’s device. Once the unique token has been generated, it remains permanently linked to the customer’s device and cannot be replaced. Thus, each time a customer uses his or her device to make a payment, the platform will be able to authorise the transaction by simply sharing the token, without having to reveal the customer’s actual data.
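The binding described above (one token per combination of card, token requestor and device) can be illustrated with a small in-memory model. This is an added example, not PhonePe's or any card network's code; the class `ToyTokenVault`, its method names, the 16-digit token length and the sample identifiers are all assumptions made for illustration.

```python
import secrets


class ToyTokenVault:
    """Constructed stand-in for a card network acting as TSP; not a real API."""

    def __init__(self):
        self._by_binding = {}  # (pan, requestor_id, device_id) -> token
        self._by_token = {}    # token -> (pan, requestor_id, device_id)

    def tokenise(self, pan, requestor_id, device_id, issuer_consent):
        # The network issues a token only with the card issuer's consent.
        if not issuer_consent:
            raise PermissionError("issuer declined tokenisation")
        binding = (pan, requestor_id, device_id)
        if binding in self._by_binding:
            return self._by_binding[binding]
        # Random digits (assumed length 16), not derived from the card number,
        # so the token cannot be reversed without the vault's lookup table.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._by_token:
                break
        self._by_binding[binding] = token
        self._by_token[token] = binding
        return token

    def detokenise(self, token, requestor_id, device_id):
        # Resolve a token only for the requestor and device it was issued to.
        record = self._by_token.get(token)
        if record is None or record[1:] != (requestor_id, device_id):
            return None
        return record[0]


def demo():
    vault = ToyTokenVault()
    pan = "4111111111111111"  # constructed sample card number
    t_a = vault.tokenise(pan, "requestor-A", "phone-1", issuer_consent=True)
    t_b = vault.tokenise(pan, "requestor-B", "phone-1", issuer_consent=True)
    return {
        "same_card_different_tokens": t_a != t_b,
        "bound_use": vault.detokenise(t_a, "requestor-A", "phone-1") == pan,
        "other_requestor": vault.detokenise(t_a, "requestor-B", "phone-1"),
        "other_device": vault.detokenise(t_a, "requestor-A", "phone-2"),
    }


if __name__ == "__main__":
    print(demo())
```

A token copied from one requestor's records resolves to nothing when presented by another requestor or from another device, which is why a breach of stored tokens exposes far less than a breach of stored card numbers.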
How does PhonePe help customers with tokenisation?
- Customers can securely save their cards issued by all 3 major networks (Visa, Mastercard and Rupay) minimizing any chance of transactional fraud.
- Customers will not have to enter their 16-digit card number for every transaction on the PhonePe app and across lakhs of PhonePe (online and physical) merchants.
How does PhonePe help businesses with tokenisation?
PhonePe launched its tokenisation solution called ‘PhonePe SafeCard’ recently. It enables online businesses and their end customers to experience the convenience of saved card transactions with added security. It is compliant with the recent RBI guidelines.
- All a cardholder needs to do is to provide a one-time consent via OTP and undertake a transaction to tokenize his/her debit and/or credit card for the first time. This feature will enable cardholders to utilise saved card details for seamless transactions across the PhonePe ecosystem.
- PhonePe SafeCard enables businesses to offer tokenisation on their own platforms via a simple application programming interface (API) integration. With this solution, businesses can create, process, delete and modify tokens for online card payments with a customer’s consent. It enhances customer experience and saves businesses significant time and effort.
- PhonePe is the first payments platform to tokenise cards on all 3 major payment networks — Visa, Mastercard & Rupay. It helps businesses save significant time and effort by removing the need to integrate with multiple card networks while complying with RBI guidelines.
Why should businesses opt for PhonePe SafeCard?
Here’s how PhonePe SafeCard offers businesses an edge:
- It gives businesses a head start over the competition by utilising access to millions of PhonePe customers’ tokenised cards. PhonePe also takes care of any additional authentication for users, if needed.
- It enables a smooth and hassle-free experience for customers through login and payments with additional features.
- Merchants get a dedicated and secured vault in a PCI-DSS (Payment Card Industry Data Security Standard) compliant environment. Businesses have the flexibility to process transactions on their platform using the payment gateway of their choice.
PhonePe is working actively with its large base of online businesses to help them elevate customer experience by adopting PhonePe SafeCard.