The Reserve Bank of India (RBI), through its circular dated January 8, has permitted authorised card networks to offer tokenisation of card transactions. At present, the facility is permitted only for payments made through mobile phones and tablets; it will be extended to other channels and devices later. The ultimate responsibility for card tokenisation services will rest with the authorised card networks.
Let us first understand the risks that users face when they carry out online transactions at present. Suppose a customer makes a purchase at an e-commerce website. He provides his card number, expiry date and CVV, and, as an added precaution, enters a one-time password (OTP) sent to his registered mobile number. "One issue with the existing online payment mechanism is that it is susceptible to what is known as man-in-the-middle attacks," says Mukul Shrivastava, partner, forensic and integrity services, EY India. In practice, the card details are exposed at two points: on the customer's own device, where malware can capture whatever is typed, and at the merchant, which receives and often stores the full card number. To avoid entering card details repeatedly, most frequent users save them on the e-tailer's website. If the merchant's database is breached, those stored card details are stolen and misused, and an OTP is no help when the stolen number is used at a merchant that does not require one.
Once payments are tokenised, the buyer will not have to enter his card details at an e-commerce site. Instead, the card network's token service generates a random substitute number, the token, and records the mapping between the token and the real card number in its token vault. The token is not an encrypted form of the card number: it carries no information about the card, so there is nothing for an attacker to decipher. What makes a stolen token of little use is how it is bound. Under the RBI circular a token is unique to the combination of card, token requestor (the app or merchant) and device, the network will only honour it from that merchant or device, and in the payment tokenisation framework the card networks use each transaction also carries a fresh cryptogram computed by the device or merchant, so an old transaction cannot simply be replayed. "Once tokenisation is done, the actual card number is never exposed to external parties. Only the token is used for any communication. It helps remove sensitive data from business systems, thereby preventing card frauds," says Ramaswamy Venkatachalam, managing director-India, FIS, a provider of banking and payments technology. For tokenisation to work, a token service provider is required that holds the real card numbers in its vault, issues tokens, and maps a token back to the card number (de-tokenisation) when the transaction reaches the network.
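The script below is an added illustration of the mechanics described above; it is not the card networks' or RBI's implementation. The token range starting with 99, the domain labels and the HMAC-based per-transaction cryptogram are assumptions made for the example, and the card number used is the standard test number, not a real card. It shows a token vault issuing a random, domain-bound token for a card number, a merchant or device computing a cryptogram for one transaction, and the token service rejecting the same token when it is presented from another merchant, when a cryptogram is replayed, or when the amount has been tampered with.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Tuple

# A domain is the merchant or device the token is bound to, e.g.
# ("merchant", "shop.example") or ("device", "phone-1234"). Labels are assumed.
Domain = Tuple[str, str]


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test, so the token
    looks like a card number to systems that validate card formats."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # the digit left of the check digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation over a full card-like number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def make_cryptogram(token_key: bytes, token: str, amount_paise: int, counter: int) -> str:
    """Per-transaction cryptogram computed on the device/merchant side with the
    key provisioned alongside the token. HMAC-SHA256 is an assumption here."""
    msg = f"{token}|{amount_paise}|{counter}".encode()
    return hmac.new(token_key, msg, hashlib.sha256).hexdigest()[:16]


class TokenServiceProvider:
    """Toy token vault: issues tokens, maps them back to card numbers (PANs)
    and authorises transactions. Everything is kept in memory for the example."""

    def __init__(self) -> None:
        self._vault: Dict[str, Tuple[str, Domain]] = {}   # token -> (PAN, bound domain)
        self._keys: Dict[str, bytes] = {}                  # token -> provisioned key
        self._last_counter: Dict[str, int] = {}            # token -> last accepted counter

    def tokenise(self, pan: str, domain: Domain) -> Tuple[str, bytes]:
        """Issue a random token bound to one merchant or device. The token
        carries no information about the PAN; only the vault holds the mapping."""
        while True:
            token = "99" + "".join(secrets.choice("0123456789") for _ in range(13))
            token += luhn_check_digit(token)   # "99..." token range is hypothetical
            if token not in self._vault:
                break
        key = secrets.token_bytes(32)
        self._vault[token] = (pan, domain)
        self._keys[token] = key
        self._last_counter[token] = 0
        return token, key

    def authorise(self, token: str, domain: Domain, amount_paise: int,
                  counter: int, cryptogram: str) -> Tuple[bool, str]:
        """De-tokenise and check the transaction; each failure returns a reason."""
        entry = self._vault.get(token)
        if entry is None:
            return False, "unknown token"
        pan, bound_domain = entry
        if domain != bound_domain:
            return False, "token not valid for this merchant/device"
        if counter <= self._last_counter[token]:
            return False, "replayed transaction"
        expected = make_cryptogram(self._keys[token], token, amount_paise, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "cryptogram does not match token/amount/counter"
        self._last_counter[token] = counter
        return True, f"approved for card ending {pan[-4:]}"


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    shop = ("merchant", "shop.example")
    token, key = tsp.tokenise("4111111111111111", shop)   # constructed test PAN
    print("token issued:", token)
    print(tsp.authorise(token, shop, 49900, 1, make_cryptogram(key, token, 49900, 1)))
    print(tsp.authorise(token, shop, 49900, 1, make_cryptogram(key, token, 49900, 1)))  # replay
    print(tsp.authorise(token, ("merchant", "other.example"), 49900, 2,
                        make_cryptogram(key, token, 49900, 2)))                          # wrong domain
```

The point of the example is where the secrets sit: the merchant holds only the token and a key that is useless outside its own domain, while the real card number never leaves the vault. A breach of the merchant's database therefore yields tokens that the network will refuse from anyone else, which is the property the article attributes to tokenisation.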
Tokenisation is also used by online merchants that offer one-click checkout options, and by mobile payment services like Samsung Pay, Apple Pay, and Android Pay.
RBI has stipulated that tokens will be generated by the card network acting as token service provider, and not by the merchant or by the bank that issued the card. Every token requestor, that is, every app or merchant that asks for tokens, must be vetted and certified by the card network, and the arrangement is subject to audits and controls.
Once experience has been gained from the use of tokens on mobile phones and mobile apps, their use could be expanded to other channels and devices. For instance, at some point you may be able to pay for a metro ride directly with your card, or with a tokenised card on your phone, by tapping it at a reader installed at the entrance.
Card users should, however, not let their guard down completely, as tokenisation will not protect them from every kind of fraud. It removes the real card number from merchants' systems; it does nothing about the plastic itself. If someone photographs both sides of your card, he has the number, expiry date and CVV and can misuse them. Nor does it help if the card issuer or the token vault is breached, since that is where the real card numbers are kept. Tokenisation, in short, protects card data stored at merchants and on devices; it is not a substitute for the safeguards, such as the OTP, that protect the transaction itself.
RBI has said the cost of tokenisation should not fall on end users. Once this service gets rolled out, users should take full advantage of it. “My advice is that if you make online payments, make 100 per cent of them through the tokenised route,” says Shrivastava.