1. Reads
  2. Deep Dives

RBI's New Rules on "Tokenisation" of Card Data, Explained

Dec 24, 2021 3:51 PM 5 min read

The Reserve Bank of India (RBI) is taking digital payments compliance to a new level, this time with its rules on tokenisation of card data.

In March 2020, the RBI first opined that merchants in the country will not be allowed to save card information in the future. Then in September 2021, it issued new guidelines prohibiting merchants from storing customer card details on their servers w.e.f. January 1st 2022. The details would be stored instead through the adoption of card-on-file (CoF) tokenisation and would be applicable to all domestic online purchases.  

It means that actual credit or debit card details would be replaced with an alternate code or "token" which will be a unique combination of the card, the token requestor and the device (we'll explain the process shortly). Bottom line is that tokenised card transactions are safer and more secure. 

This makes it the second recent regulatory change in the payments space following the amended rules on auto-debit transactions on cards.

Having said that, an overhaul of regulation on this scale is a cumbersome exercise and could take a long time for merchants to adapt to on a functional basis. 

Which is why it wasn't much of a surprise when this morning, the RBI extended the tokenisation deadline to June 30th 2022. 

Will that be enough? And more importantly, how will you and I benefit from this exercise?

What is Tokenisation?

There are two types of payment tokenisation concepts. First one is device tokenisation which the RBI approved in 2019. Under this, if a user has an NFC (Near Field Communication)-powered smartphone, he/she can embed a token in it and pay for transactions (details here). 

The second one is CoF tokenisation which applies to e-commerce transactions. When one uses their credit or debit card, the execution of the transaction is based on the following information:

  • The 16-digit card number
  • The expiry date
  • The CVV
  • The PIN
  • The one-time password (OTP) 

The transaction is successful only if all the above information is entered correctly. But it means that all the information is disclosed, as is, on the system.

What tokensiation does is replace the actual card information with a unique algorithm-generated code which allows the execution of a transaction to happen without the disclosure of card details. Think of it as the "end-to-end encryption" on chat messages which can be readable only by you and the issuer (i.e. the bank) but not the receiver (i.e. the merchant).


What Will the Process Look Like?

After the rules come into effect, users will need to give merchants their consent for tokenisation with an Additional Factor Authentication (AFA). Every time one checks out from an online shopping portal, this is what is likely to happen:

  1. You enter your card details and opt for tokenisation.
  2. Your merchant forwards it to the respective bank or card network (e.g. VISA, Mastercard, RuPay).
  3. A token is generated and sent back to your merchant, with the option to save it for future use.

So, if you're worried about having to enter your card details every single time, there's no reason to because you can select the "saved" token at check-out the next time. The card details will be masked and you will only need to input your CVV and OTP to complete the transaction. 

One token is limited to just one card and one merchant (online portal). As a customer, one can tokenise multiple cards with the same merchant or tokenise the same card with multiple merchants. 


Is This New?

No, it's not. A selected number of entities like Paytm, PhonePe, Myntra, Oyo, Domino's, MakeMyTrip, Grofers, BigBasket etc., have launched their own CoF tokenisation formats in some form already. 

The National Payments Corporation of India (NPCI), the umbrella organisation for operating retail payments and settlement systems, initiated the launch of its token system as well. Similarly, digital payments providers like Visa have partnered with fintech firms like Juspay to launch tokenised services.

Having said that, the services launched as of now are rudimentary in structure and limited in user coverage. A payment integration of this scale in liaison with multiple card networks will take a long time to become oft-used and seamless in reality.


Why a Long Time?

Let's see. Online payments may seem to materialise at the click of a button but there are layers within layers of its implementation. There are at least five entities at play here - the merchant (online portal), the merchant-acquiring bank (usually a fintech partner), the payment network (Visa/Mastercard/Rupay), the payment gateway and the card-issuing bank.  

The merchant-acquiring banks are entities like Razorpay, Worldline etc., who are the initiators of transactions and need to be payment-ready first. But a tech overhaul like this requires a revamp of the systems and can only happen if the systems are capable of handling large volumes of transactions. 

For instance, these are some of the changes in the pipeline. First, the Application Program Interfaces (APIs) which pull the data from databases will have to be amended and implemented in consonance with the networks of the bank, the payment gateway and the merchant. 

Second, the card data, which must be purged from existing databases, is not stored in a single database. It will take some time to dismantle (and then rebuild) the security protocols and redundancies in place which make the system robust. 

Third, all the changes occurring simultaneously through different systems and different networks within such a short span of time will result in limited bandwidth for current transactions to process. In short, the systems are likely to operate at saturation, which is not ideal. 

Fourth, the existing systems which already run on tokenisation will need some time to attain maturity. Although the technology has been out there for a while, every network is at a different stage of adoption and thus, mandating a foolproof and countrywide implementation may compromise the tenacity of the system.

There could be other allied problems related to cancellation and refund on transactions because without the payment data at hand, the merchants may not be able to process them.


Token Rules of Appreciation

Improving customer data security remains paramount in an age where theft of financial data is constantly on the rise.

However, enhancements in security must also come with a guaranteed convenience of card transactions. With alternate modes of payment like UPI, wallets, netbanking and buy-now-pay-later (BNPL) on the rise, the utility of bank-issued cards becomes more questionable. 

Despite that, new card issuance is on the rise as seen below.

This indicates that not only are Indian users more inclined to opt for card payments, but given the expected rise in the volume of card transactions, the tokenisation formats could become increasingly arduous to implement. 

So, RBI's progressive approach towards new technologies with the intent to strengthen payment infrastructure in the country, although meritorious, could run the risk of turning short-sighted, if not implemented perfectly. 

A shorter timeline for the rules to come into effect doesn't bode well for the digital commerce sector in India, especially for the smaller players, who have benefitted from it so far but may not have the resources to put in place a complex system into operation quickly. 

Let's hope the tokenisation project doesn't turn into an example of tokenism in payments governance. 


There's so much happening that simply keeping up can be a task! How about a quick Quiz to help you retain? Subscribe to TRANSFIN. E-O-D and get them started.