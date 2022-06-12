Card-tokenisation, which come into effect from July 1, will change the way customers conduct card transactions. For security and privacy reasons, the Reserve Bank of India (RBI) had mandated merchants to purge the card data of the customers by June 30, which essentially means for every card purchase, the customer will either have to manually key in the card data or give a standard instruction to the merchant to do a card-on-file tokenisation of the card, thereby completing the transaction using the token generated.

Notably, the RBI had initially set the deadline for card-on-file tokenisation for January 1, which was extended to July 1 following the demand from payment companies and industry bodies that stated that they need more time to change the technology system to accomodate tokenisation.

What does debit, credit card tokenisation entail?

After card-tokenisation comes into force on July 1, no stakeholder involved in a card transaction will have direct access to the card data of the customer except the card issuer and card network. The merchant will not be able to store the card data of the customers and they will have to mask the data. Under the new rule, the customer will request for a token from the app provided by the merchant. Following the request, the card network with the consent of the card issuer will generate a token which will be unique for all the participants involved in the transaction.

How this works in a typical online purchase scenario is, before a transaction is initiated, the merchant will set up tokenisation and send the request to the card network to create a token after taking the customer's consent. The 16-digit number, which will act as a proxy to the card-number will be sent back to the merchant, who will save this number for all transactions. The customer will also have to key in their CVV and OTP for every transaction. The same process applies for any number of cards to be used by the same customer.

Card-tokenisation is not mandatory and in case the customer doesn't want to get the card tokenised, the same card number will have to entered every time an online purchase is done using the card.

The face of card transactions post July 1

The RBI informed that post July 1, the credit and debit card numbers with the merchants will be purged and they will have no direct access to the card numbers as before. In practice, this translates into, every time the customer will make an online transaction using a card, the card data will have to be manually typed if the consent for card-tokenisation has not been given. In case of customers who have subscribed to tokenise their card data, for every transation they will have to enter the card token followed by the CVV and OTP number to complete the transaction.

Image: ANI, PTI