Tokenisation of debit, credit cards by September; here's what it means for users
Aug 23, 2022
New Delhi [India], August 23: The Reserve Bank of India (RBI) has made it mandatory for all credit and debit card data used in online, point-of-sale, and in-app transactions to be replaced with unique tokens by September 30 this year. This added layer of security by way of tokenisation is expected to enhance users' digital payment experience.
The deadline was extended by three months starting July so that the industry could use the additional time to get all stakeholders ready to handle tokenised transactions. On June 24, RBI said about 19.5 crore tokens were created.
The extension was also given for creating public awareness about the process of creating tokens and using them to undertake transactions.
Currently, many entities involved in an online card transaction chain, including merchants, store card data such as the card number and expiry date [Card-on-File (CoF)], citing cardholder convenience and comfort for undertaking transactions in future.
While this practice does offer convenience, the availability of card details with multiple entities increases the risk of card data being stolen or misused, and there have been instances where such data stored by merchants has been compromised.
"Given the fact that many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data," RBI had earlier said.
In reaction, the RBI initially mandated that after December 31, 2021, entities other than card networks and card issuers cannot store card data.
As per the RBI, tokenisation refers to the replacement of actual card details with an alternate code called the "token".
The following are answers to some of the frequently asked questions about card tokenisation:
- A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during the processing of the transaction.
- The cardholder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.
- Tokenisation can be performed only by the authorised card network and the list of authorised entities is available on the RBI website.
- The customer need not pay any charges for availing of this service.
- Tokenisation has been allowed through mobile phones and/or tablets for all use cases/channels (e.g., contactless card transactions, payments through QR codes, apps, etc.).
- No, a customer can choose whether or not to have his/her card tokenised. Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction.